The design decisions determine the deployment configuration, resource sizing, and monitoring support of vRealize Log Insight in the SDDC.

Deployment Design

Table 1. Design Decisions on Deployment of vRealize Log Insight

ILA-VRLI-CFG-001
Design Decision: Deploy a three-node vRealize Log Insight cluster (one primary and two worker nodes) with an integrated load balancer in the default management vSphere cluster.
Design Justification:
  • Provides high availability.
  • Using the integrated load balancer prevents a single point of failure.
  • Using the integrated load balancer simplifies the vRealize Log Insight deployment and subsequent integration.
Design Implication:
  • You must deploy a minimum of three medium-size nodes.
  • You must size all nodes identically.
  • If the capacity of your vRealize Log Insight cluster must expand, you must add identical capacity to each node.

ILA-VRLI-CFG-002
Design Decision: To deploy vRealize Log Insight, use the vRealize Suite Lifecycle Manager instance in the corresponding VMware Cloud Foundation instance.
Design Justification:
  • For VMware Cloud Foundation 4.4, the vRealize Log Insight install bundle is downloaded directly from vRealize Suite Lifecycle Manager in VMware Cloud Foundation mode.
  • For VMware Cloud Foundation 4.3.1 and earlier, the vRealize Log Insight install bundle is synchronized from SDDC Manager, ensuring interoperability with VMware Cloud Foundation.
Design Implication: You must deploy vRealize Suite Lifecycle Manager in each VMware Cloud Foundation instance.

ILA-VRLI-CFG-003
Design Decision: Protect all vRealize Log Insight cluster nodes by using vSphere High Availability.
Design Justification: Supports the availability objectives for vRealize Log Insight without requiring manual intervention during a failure event.
Design Implication: None.

ILA-VRLI-CFG-004
Design Decision: Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Log Insight cluster virtual machines.
Design Justification: Using vSphere DRS prevents the vRealize Log Insight cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster.
Design Implication:
  • You must perform additional configuration to set up an anti-affinity rule.
  • For a default management vSphere cluster that consists of four ESXi hosts, you can place only one ESXi host in maintenance mode at a time.

ILA-VRLI-CFG-005
Design Decision: Place the vRealize Log Insight cluster virtual machines in a dedicated virtual machine folder.
Design Justification: Organizes the vRealize Log Insight nodes in the management domain inventory.
Design Implication: You must create the virtual machine folder during or after the deployment.

Table 2. Design Decision on Deployment of vRealize Log Insight for Multiple Availability Zones

ILA-VRLI-CFG-006
Design Decision: When using two availability zones, add the vRealize Log Insight cluster virtual machines to the first availability zone VM group.
Design Justification: Ensures that, by default, the vRealize Log Insight cluster virtual machines are powered on within the first availability zone hosts group.
Design Implication: If vRealize Log Insight is deployed after the creation of the stretched cluster for management domain availability zones, the VM group for the first availability zone virtual machines must be updated to include the vRealize Log Insight cluster nodes.

Table 3. Design Decisions on Deployment of vRealize Log Insight for Multiple VMware Cloud Foundation Instances

ILA-VRLI-CFG-007
Design Decision: In an environment with multiple VMware Cloud Foundation instances, deploy a three-node vRealize Log Insight cluster (one primary and two worker nodes) with an integrated load balancer on the default management vSphere cluster in each VMware Cloud Foundation instance.
Design Justification: Provides a local vRealize Log Insight infrastructure to each VMware Cloud Foundation instance for availability, scale, and performance reasons.
Design Implication: You must deploy vRealize Suite Lifecycle Manager in each VMware Cloud Foundation instance.

ILA-VRLI-CFG-008
Design Decision: In an environment with multiple VMware Cloud Foundation instances, place the vRealize Log Insight cluster virtual machines in each instance in a dedicated virtual machine folder.
Design Justification: Organizes the vRealize Log Insight cluster nodes in the management domain inventory.
Design Implication: You must create the virtual machine folder during or after the deployment.

Table 4. Design Decision on Sizing of vRealize Log Insight

ILA-VRLI-CFG-009
Design Decision: Deploy each node in the vRealize Log Insight cluster as a medium-size appliance.
Design Justification:
  • Accommodates the expected approximately 200 syslog and vRealize Log Insight agent connections.
  • Using medium-size nodes ensures that the storage space for the vRealize Log Insight cluster is sufficient for seven days of data retention.
Design Implication: You must increase the size of the nodes if you configure vRealize Log Insight to monitor additional syslog sources.

Table 5. Design Decision on Log Retention for vRealize Log Insight

ILA-VRLI-CFG-010
Design Decision: Configure a retention period of seven days for the medium-size vRealize Log Insight appliance.
Design Justification: Accommodates logs from the expected number of logging sources in this SDDC design.
Design Implication: None.

Table 6. Design Decision on Log Archive Policy for vRealize Log Insight

ILA-VRLI-CFG-011
Design Decision: Apply an archive policy of 90 days for the medium-size vRealize Log Insight appliance.
Design Justification: Accommodates 90 days of historical logs.
Design Implication: You must provide a minimum of 400 GB of shared storage in each VMware Cloud Foundation instance.

ILA-VRLI-CFG-012
Design Decision: Provide a minimum of 400 GB of NFS version 3 shared storage to the vRealize Log Insight cluster in each VMware Cloud Foundation instance.
Design Justification: Accommodates log archiving from 200 logging sources for 90 days.
Design Implication:
  • You must manually maintain the vRealize Log Insight archive blobs stored on the NFS shared storage, selectively cleaning the datastore when more space is required.
  • If you configure vRealize Log Insight to monitor more logging sources or if you add vRealize Log Insight worker nodes, you must increase the size of the NFS shared storage.
  • You must enforce the archive policy directly on the shared storage.
  • If the NFS mount does not have enough free space or is unavailable for a period greater than the retention period of the appliance, vRealize Log Insight stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is deactivated.
  • When using two availability zones, ensure that the NFS share is available in both availability zones.

Table 7. Design Decision on Alert Notifications for vRealize Log Insight

ILA-VRLI-CFG-013
Design Decision: Configure alert notifications.
Design Justification: Activates alerts by email from vRealize Log Insight sent to administrators and operators.
Design Implication: Requires access to an external SMTP server.

Network Design

Table 8. Design Decision on Network Segments for vRealize Log Insight

ILA-VRLI-NET-001
Design Decision: Place the vRealize Log Insight cluster nodes on the local-instance NSX network segment.
Design Justification: Provides a consistent deployment model for management applications.
Design Implication: You must use an implementation in NSX-T Data Center to support this networking configuration.

Table 9. Design Decisions on the IP Addressing for vRealize Log Insight

ILA-VRLI-NET-002
Design Decision: Allocate statically assigned IP addresses and host names from the local-instance NSX segment to the vRealize Log Insight cluster nodes and the integrated load balancer (ILB).
Design Justification: Ensures stability across the SDDC, and makes the configuration simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Table 10. Design Decisions on the IP Addressing for vRealize Log Insight for Multiple VMware Cloud Foundation Instances

ILA-VRLI-NET-003
Design Decision: In an environment with multiple VMware Cloud Foundation instances, allocate statically assigned IP addresses and host names from each local-instance NSX segment to the vRealize Log Insight cluster nodes in the instance.
Design Justification: Ensures stability across the SDDC, and makes the configuration simpler to maintain and easier to track.
Design Implication: Requires precise IP address management.

Table 11. Design Decisions on Name Resolution for vRealize Log Insight

ILA-VRLI-NET-004
Design Decision: Configure forward and reverse DNS records for all vRealize Log Insight cluster nodes and the integrated load balancer (ILB) VIP address.
Design Justification: All nodes are accessible by using fully qualified domain names instead of IP addresses only.
Design Implication: You must provide DNS records for the vRealize Log Insight nodes.
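The static addressing and name-resolution decisions (ILA-VRLI-NET-002, ILA-VRLI-NET-004 and the ILB VIP) can be verified before deployment. The following pre-check is an added example, not part of the design document or of any VMware tool; the segment, host names and addresses are constructed sample values, and the DNS zone is supplied as plain dictionaries so the check runs offline.

```python
import ipaddress

# Planned static allocation for one VMware Cloud Foundation instance.
# Constructed sample values: three cluster nodes plus the ILB VIP, all on
# the same local-instance NSX segment (design decision NET-002).
SEGMENT = ipaddress.ip_network("192.168.11.0/24")
PLANNED = {
    "vrli01a.example.local": "192.168.11.21",  # primary node
    "vrli01b.example.local": "192.168.11.22",  # worker node
    "vrli01c.example.local": "192.168.11.23",  # worker node
    "vrli01.example.local": "192.168.11.20",   # ILB VIP (extra address, NET-005)
}

# Constructed DNS zone contents standing in for real lookups.
GOOD_A = dict(PLANNED)
GOOD_PTR = {ip: fqdn + "." for fqdn, ip in PLANNED.items()}

# Constructed broken zone: the PTR for the VIP points at a node name, which
# makes the load balancer address resolve back to the wrong host.
BAD_PTR = dict(GOOD_PTR)
BAD_PTR["192.168.11.20"] = "vrli01a.example.local."


def check_allocation(planned, segment, a_records, ptr_records):
    """Compare the planned allocation with DNS and return a list of findings.

    An empty list means every planned name has a matching A record, every
    address has a PTR record pointing back to the same name, all addresses
    lie inside the segment, and no address is assigned twice.
    """
    findings = []
    seen = {}
    for fqdn, ip in planned.items():
        addr = ipaddress.ip_address(ip)
        if addr not in segment:
            findings.append(f"{fqdn}: {ip} is outside segment {segment}")
        if addr in seen:
            findings.append(f"{fqdn}: {ip} is already assigned to {seen[addr]}")
        seen[addr] = fqdn

        forward = a_records.get(fqdn)
        if forward is None:
            findings.append(f"{fqdn}: no A record")
        elif forward != ip:
            findings.append(f"{fqdn}: A record {forward} does not match planned {ip}")

        reverse = ptr_records.get(ip)
        if reverse is None:
            findings.append(f"{fqdn}: no PTR record for {ip}")
        elif reverse.rstrip(".").lower() != fqdn.lower():
            findings.append(f"{fqdn}: PTR for {ip} points to {reverse}")
    return findings


if __name__ == "__main__":
    for label, ptr in (("consistent zone", GOOD_PTR), ("broken VIP PTR", BAD_PTR)):
        result = check_allocation(PLANNED, SEGMENT, GOOD_A, ptr)
        print(f"{label}: {result or 'no findings'}")
```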

Table 12. Design Decision on Load Balancing for vRealize Log Insight

ILA-VRLI-NET-005
Design Decision: Activate the vRealize Log Insight integrated load balancer (ILB) for balancing incoming traffic.
Design Justification: Supports balancing ingestion traffic among the vRealize Log Insight nodes and high availability.
Design Implication: You must provide an extra IP address and FQDN for the integrated load balancer (ILB).

Table 13. Design Decision on Time Synchronization for vRealize Log Insight

ILA-VRLI-NET-006
Design Decision: Configure NTP on each vRealize Log Insight cluster node.
Design Justification: vRealize Log Insight depends on time synchronization.
Design Implication: None.

Life Cycle Management Design

Table 14. Design Decision on Life Cycle Management of vRealize Log Insight

ILA-VRLI-LCM-001
Design Decision:
  • For VMware Cloud Foundation 4.4, use vRealize Suite Lifecycle Manager to perform the life cycle management of vRealize Log Insight in each VMware Cloud Foundation instance.
  • For VMware Cloud Foundation 4.3.1 and earlier, use SDDC Manager to perform the life cycle management of vRealize Log Insight in each VMware Cloud Foundation instance.
Design Justification:
  • For VMware Cloud Foundation 4.4, vRealize Suite Lifecycle Manager manages the product binaries and vRealize Log Insight upgrades.
  • For VMware Cloud Foundation 4.3.1 and earlier, SDDC Manager provides the upgrade bundles to vRealize Suite Lifecycle Manager and manages vRealize Log Insight upgrades through the integration with vRealize Suite Lifecycle Manager.
Design Implication:
  • You must deploy vRealize Suite Lifecycle Manager by using SDDC Manager.
  • vRealize Suite Lifecycle Manager manages patches, updates, and hot fixes for vRealize Log Insight.

vRealize Log Insight Design

Table 15. Design Decisions on vRealize Log Insight Content Packs

ILA-VRLI-CFG-014
Design Decision: Install the following content packs:
  • VMware - Linux Systemd
  • VMware - NSX-T
  • VMware - vRSLCM
  • VMware Identity Manager
Design Justification: Provides additional granular monitoring on the virtual infrastructure.
  The following content packs are installed by default in vRealize Log Insight:
  • VMware - vSphere
  • VMware - vSAN
  The following content packs are installed automatically by SDDC Manager:
  • VMware - Linux Systemd
  • VMware - NSX-T
  • VMware - vRSLCM
  • VMware Identity Manager
Design Implication: None.

ILA-VRLI-CFG-015
Design Decision: Configure the following agent groups that are related to content packs:
  • vRSLCM
  • Photon OS
  • Workspace ONE Access
Design Justification:
  • Provides a standardized configuration that is pushed to all vRealize Log Insight agents in each of the groups.
  • Supports collection according to the context of the applications, and parsing of the logs generated from the SDDC components by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.
  • The vRSLCM agent group is created by SDDC Manager.
Design Implication: Adds minimal load to vRealize Log Insight.

Table 16. Design Decision on Logging Sources for vRealize Log Insight

ILA-VRLI-CFG-016
Design Decision: Connect VMware Cloud Foundation VI workload domains to vRealize Log Insight by using SDDC Manager.
Design Justification: SDDC Manager automatically adds the VI workload domain vCenter Server and ESXi hosts to vRealize Log Insight.
Design Implication: None.

ILA-VRLI-CFG-017
Design Decision: Install and configure the vRealize Log Insight agent on the clustered Workspace ONE Access nodes to send logs to the vRealize Log Insight cluster in their corresponding VMware Cloud Foundation instance.
Design Justification:
  • Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access node.
  • Supports context-aware collection for Workspace ONE Access by using the vRealize Log Insight ingestion API, and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.
Design Implication: None.

ILA-VRLI-CFG-018
Design Decision: Configure the SDDC - Workspace ONE Access and SDDC - Photon OS agent groups in the vRealize Log Insight cluster to include the clustered Workspace ONE Access nodes.
Design Justification:
  • Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access appliance.
  • Supports context-aware collection for Workspace ONE Access by using the vRealize Log Insight ingestion API, and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.
Design Implication: Adds minimal load to the vRealize Log Insight cluster.

ILA-VRLI-CFG-019
Design Decision: Configure syslog sources and vRealize Log Insight agents to send log data directly to the virtual IP (VIP) address of the vRealize Log Insight integrated load balancer (ILB).
Design Justification:
  • Provides the potential to scale out without reconfiguring all log sources with a new destination address.
  • Simplifies the configuration of log sources in the SDDC.
Design Implication:
  • You must configure the integrated load balancer on the vRealize Log Insight cluster.
  • You must configure logging sources to forward data to the vRealize Log Insight VIP.

ILA-VRLI-CFG-020
Design Decision: Configure all vCenter Server instances as direct syslog sources to send log data directly to vRealize Log Insight in their corresponding VMware Cloud Foundation instance.
Design Justification:
  • Simplifies configuration for log sources that are syslog-capable.
  • The configuration is performed by SDDC Manager.
Design Implication:
  • You must configure syslog sources to forward logs to the vRealize Log Insight VIP.
  • Certain dashboards in vRealize Log Insight require the use of the vRealize Log Insight agent for proper ingestion.
  • Not all operating system-level events are forwarded to vRealize Log Insight.

ILA-VRLI-CFG-021
Design Decision: Configure the vRealize Log Insight agent on the SDDC Manager appliance in each VMware Cloud Foundation instance to forward logs to the local vRealize Log Insight instance.
Design Justification:
  • Ensures that relevant logs are sent to vRealize Log Insight from SDDC Manager.
  • The integration is performed automatically by SDDC Manager.
Design Implication: None.

ILA-VRLI-CFG-022
Design Decision: Configure the vRealize Log Insight agent on the vRealize Suite Lifecycle Manager appliance to forward logs to vRealize Log Insight in its corresponding VMware Cloud Foundation instance.
Design Justification:
  • Simplifies configuration of log sources in the SDDC that are pre-packaged with the vRealize Log Insight agent.
  • The integration is performed automatically by SDDC Manager.
Design Implication: None.

ILA-VRLI-CFG-023
Design Decision: Configure the NSX-T Data Center components as direct syslog sources for vRealize Log Insight in their corresponding VMware Cloud Foundation instance, including:
  • NSX Manager instances
  • NSX Edge instances
Design Justification:
  • Simplifies configuration of log sources in the SDDC that are syslog-capable.
  • NSX Manager instances are configured by SDDC Manager.
Design Implication:
  • You must configure syslog sources to forward logs to the vRealize Log Insight VIP.
  • Not all operating system-level events are forwarded to vRealize Log Insight.
  • You must manually configure NSX Edge instances.

ILA-VRLI-CFG-024
Design Decision: Communicate with the syslog clients, such as ESXi, vCenter Server, and NSX-T Data Center, by using TCP.
Design Justification:
  • Using the TCP syslog protocol ensures reliability and supports retry mechanisms.
  • TCP syslog traffic is secure and more consistent with RFC 5424.
Design Implication:
  • TCP has a higher performance overhead compared to UDP.
  • You must manually deactivate the SSL connection requirement in vRealize Log Insight.

ILA-VRLI-CFG-025
Design Decision: Do not configure vRealize Log Insight to automatically update all deployed agents.
Design Justification: Manually install updated versions of the vRealize Log Insight agents for each of the specified components in the SDDC for precise maintenance.
Design Implication: You must manually maintain the vRealize Log Insight agents on each of the SDDC components.

Table 17. Design Decisions on Event Forwarding Across vRealize Log Insight Instances for Multiple VMware Cloud Foundation Instances

ILA-VRLI-CFG-026
Design Decision: In an environment with multiple VMware Cloud Foundation instances, forward log events to the other instance by using the Ingestion API.
Design Justification:
  Supports the following operations:
  • Structured and unstructured data for client-side compression.
  • Event throttling from one vRealize Log Insight cluster to another.
  In the event of a cross-instance outage, the administrator has access to all logs from the two VMware Cloud Foundation instances even if one of the instances is offline.
Design Implication:
  • You must configure each vRealize Log Insight cluster to forward log data to the cluster in the other VMware Cloud Foundation instance. The configuration introduces administrative overhead to prevent recursion of logging between instances using inclusion and exclusion tagging.
  • Log forwarding adds load to each instance. You must consider log forwarding in the sizing calculations for the vRealize Log Insight cluster in each instance.
  • You must configure the source and destination clusters with identical size.

ILA-VRLI-CFG-027
Design Decision: In an environment with multiple VMware Cloud Foundation instances, configure log forwarding to use SSL on port 9543.
Design Justification: Ensures that the log forwarding operations between instances are secure.
Design Implication:
  • You must set up a custom CA-signed SSL certificate. Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default.
  • If you add vRealize Log Insight nodes to a cluster, the SSL certificate used by the vRealize Log Insight cluster in the other VMware Cloud Foundation instance must be installed in the Java keystore of all nodes before SSL can be used.
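The recursion risk named in ILA-VRLI-CFG-026 is easy to reproduce in a model: two clusters that forward everything they ingest to each other re-forward the same events indefinitely, and a tag identifying the originating instance, combined with a filter that forwards only locally originated events, stops the loop. The simulation below is an added example, not code from the design document or from vRealize Log Insight; the instance names, the `vcf_instance` tag and the sample events are constructed.

```python
import copy

# Constructed events ingested locally by each cluster (two VMware Cloud
# Foundation instances with constructed names).
LOCAL_EVENTS = {
    "vcf-a": [{"text": f"vcenter-a event {i}"} for i in range(3)],
    "vcf-b": [{"text": f"vcenter-b event {i}"} for i in range(2)],
}


class Cluster:
    """Minimal model of one vRealize Log Insight cluster: an ingestion store
    plus an outbound queue of events to forward to the peer instance."""

    def __init__(self, name, peer, use_tags):
        self.name, self.peer, self.use_tags = name, peer, use_tags
        self.store = []     # everything this cluster has ingested
        self.outbound = []  # events queued for forwarding to the peer

    def ingest(self, event):
        self.store.append(event)
        if self.should_forward(event):
            self.outbound.append(self.tag(event))

    def should_forward(self, event):
        # Naive configuration: forward every event received, including those
        # that the peer already forwarded to us.
        if not self.use_tags:
            return True
        # Exclusion filter: forward only events that originated here. Events
        # already carrying another instance's tag are stored but not re-sent.
        origin = event.get("tags", {}).get("vcf_instance")
        return origin is None or origin == self.name

    def tag(self, event):
        # Inclusion tag stamped on every forwarded copy (constructed tag name).
        forwarded = copy.deepcopy(event)
        forwarded.setdefault("tags", {})["vcf_instance"] = self.name
        return forwarded


def simulate(use_tags, local_events=LOCAL_EVENTS, rounds=5):
    """Run bidirectional forwarding for a number of exchange rounds and
    return how many events each cluster ends up storing."""
    a = Cluster("vcf-a", "vcf-b", use_tags)
    b = Cluster("vcf-b", "vcf-a", use_tags)
    for cluster in (a, b):
        for event in local_events[cluster.name]:
            cluster.ingest(event)
    for _ in range(rounds):
        for src, dst in ((a, b), (b, a)):
            batch, src.outbound = src.outbound, []
            for event in batch:
                dst.ingest(event)
    return {"vcf-a": len(a.store), "vcf-b": len(b.store)}


if __name__ == "__main__":
    # With tags each cluster holds exactly its own plus the peer's events;
    # without them the stores keep growing with every exchange round.
    print("tagged:", simulate(use_tags=True))
    print("naive: ", simulate(use_tags=False))
```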

Information Security and Access Design

Table 18. Design Decisions on Identity Management for vRealize Log Insight

ILA-VRLI-SEC-001
Design Decision: Activate vRealize Log Insight integration with your corporate identity source by using the standalone Workspace ONE Access instance.
Design Justification:
  • Allows authentication, including multi-factor, to vRealize Log Insight using your corporate identity source.
  • Allows authorization through the assignment of roles to enterprise users and groups defined in your corporate identity source.
Design Implication: You must deploy and configure the instance of Workspace ONE Access to establish the integration between vRealize Log Insight and your corporate identity sources.

ILA-VRLI-SEC-002
Design Decision: Create a security group in your corporate directory services for vRealize Log Insight administrators, synchronize the group in Workspace ONE Access, and assign the Super Admin role to the group.
Design Justification:
  Streamlines the management of vRealize Log Insight roles for users.
  Provides the following access control features:
  • Access to vRealize Log Insight administration is granted to a managed set of individuals that are members of the security group.
  • You can introduce improved accountability and tracking of organization owner access to vRealize Log Insight.
Design Implication:
  • You must create the security group outside of the SDDC stack.
  • You must maintain the life cycle and availability of the security group outside of the SDDC stack.

ILA-VRLI-SEC-003
Design Decision: Create a security group in your corporate directory services for vRealize Log Insight users, synchronize the group in Workspace ONE Access, and assign the User role to the group.
Design Justification:
  Streamlines the management of vRealize Log Insight roles for users.
  Provides the following access control features:
  • Access to the vRealize Log Insight user interface is granted to a managed set of individuals that are members of the security group.
  • You can introduce improved accountability and tracking of organization owner access to vRealize Log Insight.
Design Implication:
  • You must create the security group outside of the SDDC stack.
  • You must maintain the life cycle and availability of the security group outside of the SDDC stack.

ILA-VRLI-SEC-004
Design Decision: Create a security group in your corporate directory services for vRealize Log Insight viewers, synchronize the group in Workspace ONE Access, and assign the View Only Admin role to the group.
Design Justification:
  Streamlines the management of vRealize Log Insight roles for users.
  Provides the following access control features:
  • Access to the vRealize Log Insight user interface is granted to a managed set of individuals that are members of the security group.
  • You can introduce improved accountability and tracking of organization owner access to vRealize Log Insight.
Design Implication:
  • You must create the security group outside of the SDDC stack.
  • You must maintain the life cycle and availability of the security group outside of the SDDC stack.

Table 19. Design Decisions on Password Policies for vRealize Log Insight

ILA-VRLI-SEC-005
Design Decision: Configure the password expiration policy for the vRealize Log Insight appliance.
Design Justification:
  • You configure the password expiration policy for the vRealize Log Insight appliance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy is applicable only to the local vRealize Log Insight users.
Design Implication: You can manage the password expiration policy on the vRealize Log Insight appliance by using the virtual appliance console or a Secure Shell (SSH) client.

ILA-VRLI-SEC-006
Design Decision: Configure the password complexity policy for the vRealize Log Insight appliance.
Design Justification:
  • You configure the password complexity policy for vRealize Log Insight to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy is applicable only to the local vRealize Log Insight users.
Design Implication: You can manage the password complexity policy on the vRealize Log Insight appliance by using the virtual appliance console or a Secure Shell (SSH) client.

ILA-VRLI-SEC-007
Design Decision: Configure the account lockout policy for the vRealize Log Insight appliance.
Design Justification:
  • You configure the account lockout policy for vRealize Log Insight to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy is applicable only to the local vRealize Log Insight users.
Design Implication: You can manage the account lockout policy on the vRealize Log Insight appliance by using the virtual appliance console or a Secure Shell (SSH) client.

Table 20. Design Decision on Password Management for vRealize Log Insight

ILA-VRLI-SEC-008
Design Decision: Change the vRealize Log Insight root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.
Design Justification:
  • By default, the password for the vRealize Log Insight root account expires every 365 days.
  • When vRealize Log Insight is deployed into a VMware Cloud Foundation environment in vRealize Suite Lifecycle Manager, the root password is managed from the SDDC Manager user interface or API, not vRealize Suite Lifecycle Manager.
Design Implication: By using SDDC Manager, you manage the password change or automated password rotation schedule for the vRealize Log Insight root account in accordance with your organizational policies and regulatory standards.

ILA-VRLI-SEC-009
Design Decision: Change the vRealize Log Insight admin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API.
Design Justification: When vRealize Log Insight is deployed into a VMware Cloud Foundation environment in vRealize Suite Lifecycle Manager, the admin password is managed from the SDDC Manager user interface or API, not vRealize Suite Lifecycle Manager.
Design Implication: You must routinely perform the password change for the admin account by using the SDDC Manager UI or API.

Table 21. Design Decisions on Certificates for vRealize Log Insight

ILA-VRLI-SEC-010
Design Decision: Use a CA-signed certificate that contains the vRealize Log Insight cluster node FQDNs and the ILB FQDN in the SAN attributes when deploying vRealize Log Insight in each VMware Cloud Foundation instance.
Design Justification: Configuring a CA-signed certificate ensures that communication to the externally facing UI and API of vRealize Log Insight, and cross-product communication, is encrypted.
Design Implication: Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

ILA-VRLI-SEC-011
Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
Design Implication: Not all certificate authorities support SHA-2.

Solution Interoperability Design

Table 22. Design Decisions on Integration of vRealize Log Insight with vRealize Operations Manager

ILA-VRLI-MON-001
Design Decision: Forward alerts to vRealize Operations Manager.
Design Justification: Provides monitoring and alerting information that is pushed from vRealize Log Insight to vRealize Operations Manager for centralized administration.
Design Implication: None.

ILA-VRLI-MON-002
Design Decision: Support launch in context with vRealize Operations Manager.
Design Justification: Provides access to vRealize Log Insight for context-based monitoring of an object in vRealize Operations Manager.
Design Implication: You can register only one vRealize Log Insight cluster with vRealize Operations Manager for launch in context at a time.

ILA-VRLI-MON-003
Design Decision: Configure the vRealize Log Insight integration in vRealize Operations Manager.
Design Justification:
  • Activates the Logs tab in vRealize Operations Manager.
  • Activates the Troubleshoot with Logs dashboard.
  • Activates vRealize Log Insight launch in context from vRealize Operations Manager.
Design Implication:
  • You can register only one vRealize Log Insight cluster with vRealize Operations Manager at a time.
  • You must manage the password life cycle of this endpoint.

ILA-VRLI-MON-004
Design Decision: Configure the vRealize Log Insight adapter to use the remote collector group.
Design Justification:
  • Local-instance components are configured to use the remote collector group.
  • Offloads data collection for local management components from the analytics cluster.
Design Implication: None.

ILA-VRLI-MON-005
Design Decision: Add a Ping adapter for the vRealize Log Insight cluster.
Design Justification: Provides metrics on the availability of the vRealize Log Insight cluster.
Design Implication: You must add the adapter instances manually.

ILA-VRLI-MON-006
Design Decision: Configure the Ping adapter to use the remote collector group.
Design Justification:
  • Local-instance components are configured to use the remote collector group.
  • Offloads data collection for local management components from the analytics cluster.
Design Implication: None.

Table 23. Design Decisions on a Service Account for vRealize Log Insight Integration with vRealize Operations Manager

ILA-VRLI-MON-007
Design Decision: In vRealize Operations Manager, add an application-to-application service account for the vRealize Log Insight integration, and assign this account the default Administrator role.
Design Justification: Establishes integration between vRealize Log Insight and vRealize Operations Manager.
Design Implication: You must maintain the life cycle and availability of the service account outside of the SDDC stack.

ILA-VRLI-MON-008
Design Decision: Activate vRealize Operations Manager integration in vRealize Log Insight using the vRealize Operations Manager service account.
Design Justification: Integrating vRealize Log Insight alerts with vRealize Operations Manager allows you to view all information about your environment in a single user interface.
Design Implication:
  • You must maintain the life cycle of this integration.
  • When using Workspace ONE Access, you must specify the user account in the user@domain@source format for the integration, where source is the name of the Workspace ONE Access authentication source created in vRealize Operations Manager, for example, svc-vrli-vrops@rainpole.io@WorkspaceONE.