ILA-VAOL-CFG-001

Deploy a three node VMware Aria Operations for Logs cluster - one primary and two worker nodes with an integrated load balancer, in the default management vSphere cluster.

• Provides high availability.

• Using the integrated load balancer prevents a single point of failure.

• Using the integrated load balancer simplifies the VMware Aria Operations for Logs deployment and subsequent integration.

• You must deploy a minimum of three medium-size nodes.

• You must size all nodes identically.

• If the capacity of your VMware Aria Operations for Logs cluster must expand, identical capacity must be added to each node.

ILA-VAOL-CFG-002

To deploy VMware Aria Operations for Logs, use the VMware Aria Suite Lifecycle instance in the corresponding VMware Cloud Foundation instance.

VMware Aria Operations for Logs product binary is downloaded directly to VMware Aria Suite Lifecycle in VMware Cloud Foundation mode.

You must deploy VMware Aria Suite Lifecycle in each VMware Cloud Foundation instance.

ILA-VAOL-CFG-003

Protect all VMware Aria Operations for Logs cluster nodes by using vSphere High Availability.

Supports the availability objectives for VMware Aria Operations for Logs without requiring manual intervention during an ESXi host failure event.

None.

ILA-VAOL-CFG-004

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the VMware Aria Operations for Logs cluster virtual machines.

Using vSphere DRS prevents the VMware Aria Operations for Logs cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster.

• You must perform additional configuration to set up an anti- affinity rule.

• For a default management vSphere cluster that consists of four ESXi hosts, only a single ESXi host can enter maintenance mode at the same time.

ILA-VAOL-CFG-005

Place the VMware Aria Operations for Logs cluster virtual machines in a dedicated virtual machine folder.

Provides an organization of the VMware Aria Operations for Logs nodes in the management domain inventory.

You must create the virtual machine folder.

ILA-VAOL-CFG-006

When using two availability zones, add the VMware Aria Operations for Logs cluster virtual machines to the first availability zone VM group.

Ensures that, by default, the VMware Aria Operations for Logs cluster virtual machines are powered on within the first availability zone hosts group.

If VMware Aria Operations for Logs is deployed after the creation of the stretched cluster for management domain availability zones, the VM group for the first availability zone virtual machines must be updated to include the VMware Aria Operations for Logs cluster nodes.

ILA-VAOL-CFG-007

In an environment with multiple VMware Cloud Foundation instances, deploy a three node VMware Aria Operations for Logs cluster the default management vSphere cluster in each VMware Cloud Foundation instance.

Provides a local VMware Aria Operations for Logs infrastructure to each VMware Cloud Foundation instance for both availability, scale and performance reasons.

You must deploy VMware Aria Suite Lifecycle in each VMware Cloud Foundation instance.

ILA-VAOL-CFG-008

In an environment with multiple VMware Cloud Foundation instances, place the VMware Aria Operations for Logs cluster virtual machines in each instance in a dedicated virtual machine folder.

Provides an organization of the VMware Aria Operations for Logs cluster nodes in the management domain inventory.

You must create the virtual machine folder.

ILA-VAOL-CFG-009

Deploy each node in the VMware Aria Operations for Logs cluster as a medium-size appliance.

• Accommodates the expected approximately 200 syslog and VMware Aria Operations for Logs agent connections.

• Using medium-size nodes ensures that the storage space for the VMware Aria Operations for Logs cluster is sufficient for seven days of data retention.

You must scale-up the appliance size of the VMware Aria Operations for Logs nodes if the number of log sources exceeds the connection threshold for a medium-sized appliance.

ILA-VAOL-CFG-010

Configure a retention period for the medium-size VMware Aria Operations for Logs appliance according to the design objectives.

Accommodates logs from the expected number of logging sources in this SDDC design.

None.

ILA-VAOL-CFG-011

Apply an archive policy for the medium-size VMware Aria Operations for Logs appliance according to the design objectives.

Accommodates historical logs according to the design objectives.

You must provide enough shared storage space in each VMware Cloud Foundation instance for log archival according to the design objectives.

ILA-VAOL-CFG-012

Provide an NFS version 3 shared storage to the VMware Aria Operations for Logs cluster in each VMware Cloud Foundation instance according to the design objectives.

Accommodates log archiving according to the design objectives.

• You must maintain the VMware Aria Operations for Logs archive data blobs stored on the NFS shared storage, selectively cleaning the datastore when more space is required.

• If you configure more logging sources to send logs to VMware Aria Operations for Logs or if you add VMware Aria Operations for Logs worker nodes , you must increase the size of the NFS shared storage.

• You must enforce the archive policy directly on the shared storage.

• If the NFS mount does not have enough free space or is unavailable for a period greater than the retention period of the appliance, VMware Aria Operations for Logs stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is deactivated.

• When using two availability zones, ensure that the NFS share is available in both availability zones.

ILA-VAOL-CFG-013

Configure alert notifications.

Activates alerts from VMware Aria Operations for Logs sent to administrators and operators.

If using email for notifications, you must configure the SMTP server settings in VMware Aria Operations for Logs.

ILA-VAOL-NET-001

Place the VMware Aria Operations for Logs cluster nodes on the local-instance NSX network segment.

Provides a consistent deployment model for management applications.

You must use an implementation in NSX to support this networking configuration.

ILA-VAOL-NET-002

Allocate statically assigned IP addresses from the local-instance NSX segment to the VMware Aria Operations for Logs cluster nodes and the integrated load balancer (ILB).

Ensures stability across the SDDC and makes it simpler to maintain and easier to track.

Requires precise IP address management.

ILA-VAOL-NET-004

Configure forward and reverse DNS records for all VMware Aria Operations for Logs cluster nodes and the integrated load balancer (ILB) VIP address.

All nodes are accessible by using fully qualified domain names instead of by using IP addresses only.

You must provide DNS records for the VMware Aria Operations for Logs nodes.

ILA-VAOL-NET-005

Enable the VMware Aria Operations for Logs integrated load balancer (ILB) for balancing incoming traffic.

Supports balancing ingestion traffic among the VMware Aria Operations for Logs nodes and high availability.

You must provide an extra IP address and FQDN for the integrated load balancer (ILB).

ILA-VAOL-NET-006

Configure NTP on each VMware Aria Operations for Logs cluster node.

VMware Aria Operations for Logs depends on time synchronization.

None.

ILA-VAOL-LCM-001

Use VMware Aria Suite Lifecycle to perform the life cycle management of VMware Aria Operations for Logs in each VMware Cloud Foundation instance.

VMware Aria Suite Lifecycle manages the product binaries and VMware Aria Operations for Logs upgrades.

• You must deploy VMware Aria Suite Lifecycle by using SDDC Manager.

• VMware Aria Suite Lifecycle manages patches, updates, and hot fixes for VMware Aria Operations for Logs.

ILA-VAOL-CFG-014

Install the following content packs:

• Linux - Systemd

• VMware - NSX

• VMware-Aria-Suite-Lifecycle-8.12+

• VMware Workspace ONE Access

Provides additional granular monitoring on the virtual infrastructure.

The following content packs are installed by default in VMware Aria Operations for Logs:

• VMware - vSphere

• VMware - vSAN

The following content packs are installed automatically by SDDC Manager.

• Linux - Systemd

• VMware - NSX

• VMware - VMware-Aria-Suite-Lifecycle-8.12+

You must manually install the VMware Workspace ONE Access content pack.

ILA-VAOL-CFG-015

Configure the following agent groups that are related to content packs:

• VMware Aria Suite Lifecycle

• Photon OS

• Workspace ONE Access

• Provides a standardized configuration that is pushed to all VMware Aria Operations for Logs agents in each of the groups.

• Supports collection according to the context of the applications and parsing of the logs generated from the SDDC components by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats.

• SDDC Manager creates the vRSLCM agent group.

Adds minimal load to VMware Aria Operations for Logs.

ILA-VAOL-CFG-016

Connect VMware Cloud Foundation VI workload domains to VMware Aria Operations for Logs by using SDDC Manager.

SDDC Manager automatically adds the VI workload domain vCenter Server and ESXi hosts to VMware Aria Operations for Logs.

None.

ILA-VAOL-CFG-017

Install and configure the VMware Aria Operations for Logs agent on the clustered Workspace ONE Access nodes to send logs to the VMware Aria Operations for Logs cluster in their corresponding VMware Cloud Foundation instance.

Provides a standardized configuration that is pushed to the VMware Aria Operations for Logs agents for each Workspace ONE Access node.

Supports collection according to the context of the Workspace ONE Access using the VMware Aria Operations for Logs Ingestion API and parses of the logs by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats.

None.

ILA-VAOL-CFG-018

Configure the SDDC - Workspace ONE Access and SDDC - Photon OS agent groups in the VMware Aria Operations for Logs cluster to include the clustered Workspace ONE Access nodes.

Provides a standardized configuration that is pushed to the VMware Aria Operations for Logs agents for each Workspace ONE Access appliance.

Supports collection according to the context of the Workspace ONE Access using the VMware Aria Operations for Logs ingestion API and parses of the logs by the VMware Aria Operations for Logs agent, such as specific log directories, log files, and logging formats.

Adds minimal load to the VMware Aria Operations for Logs cluster.

ILA-VAOL-CFG-019

Configure logging sources and VMware Aria Operations for Logs agents to send log data to the FQDN of the VMware Aria Operations for Logs integrated load balancer (ILB).

• Ensures proper communication configuration - VMware Aria Operations for Logs can resolve the FQDN to the ILB IP address.

• Provides potential to scale-out without reconfiguring all log sources with a new destination address.

• Simplifies the configuration of log sources in the SDDC.

• You must enable the integrated load balancer on the VMware Aria Operations for Logs cluster.

• You must configure valid DNS forward (A) and reverse (PTR) record for the integrated load balancer VIP.

ILA-VAOL-CFG-020

Configure all vCenter Server instances as syslog sources to send log data directly to VMware Aria Operations for Logs in their corresponding VMware Cloud Foundation instance.

Simplifies configuration for log sources that are syslog-capable.

The configuration is performed by SDDC Manager

• Certain dashboards in VMware Aria Operations for Logs require the use of the VMware Aria Operations for Logs agent for proper ingestion.

• Not all operating system level events are forwarded to VMware Aria Operations for Logs.

ILA-VAOL-CFG-021

Configure the VMware Aria Operations for Logs agent on the SDDC Manager appliance in each VMware Cloud Foundation instance to forward logs to the local VMware Aria Operations for Logs instance.

Ensures relevant logs are sent to VMware Aria Operations for Logs from SDDC Manager.

The integration is performed automatically by SDDC Manager.

None.

ILA-VAOL-CFG-022

Configure the VMware Aria Operations for Logs agent on the VMware Aria Suite Lifecycle appliance to forward logs to VMware Aria Operations for Logs in its corresponding VMware Cloud Foundation instance.

Simplifies configuration of log sources in the SDDC that are pre-packaged with the VMware Aria Operations for Logs agent.

The integration is performed automatically by SDDC Manager.

None.

ILA-VAOL-CFG-023

Configure the NSX components as syslog sources for VMware Aria Operations for Logs in their corresponding VMware Cloud Foundation instance, including:

• NSX Manager instances

• NSX Edge instances

Simplifies configuration of log sources in the SDDC that are syslog-capable.

NSX Manager instances are configured by SDDC Manager.

• You must configure NSX components to forward logs to the VMware Aria Operations for Logs VIP.

• Not all operating system-level events are forwarded to VMware Aria Operations for Logs.

• You must manually configure NSX Edge instances.

ILA-VAOL-CFG-024

Configure the logging sources, such as ESXi, vCenter Server, and NSX to communicate with VMware Aria Operations for Logs, using the TCP protocol.

Using the TCP syslog protocol ensures reliability and supports retry mechanisms.

TCP syslog traffic is secure and more consistent with RFC 5424.

• TCP has a higher performance overhead compared to UDP.

• You must manually deactivate the SSL connection requirement in VMware Aria Operations for Logs.

ILA-VAOL-CFG-025

Do not configure VMware Aria Operations for Logs to automatically update all deployed agents.

Individually update the versions of the VMware Aria Operations for Logs agents for each of the specified components in the SDDC for precise maintenance.

You must maintain manually the VMware Aria Operations for Logs agents on each of the SDDC components.

ILA-VAOL-CFG-026

In an environment with multiple VMware Cloud Foundation instances, forward logs to the other instance by using the Ingestion API.

Supports the following operations:

• Structured and unstructured data for client-side compression

• Log throttling from one VMware Aria Operations for Logs cluster to another.

In the event of a cross-instance outage, the administrator has access to all logs from the two VMware Cloud Foundation instances although one of the instances is offline.

• You must configure each VMware Aria Operations for Logs cluster to forward log data to the cluster in the other VMware Cloud Foundation instance. The configuration introduces administrative overhead to prevent recursion of logging between instances using inclusion and exclusion tagging.

• Log forwarding adds load to each instance. You must consider log forwarding in the sizing calculations for the VMware Aria Operations for Logs cluster in each instance.

• You must configure identical size on both source and destination clusters.

ILA-VAOL-CFG-027

In an environment with multiple VMware Cloud Foundation instances, configure log forwarding to use SSL on port 9543.

Ensures that the log forward operations between instances are secure.

• You must set up a custom CA- signed SSL certificate.

  Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default.

• If you add VMware Aria Operations for Logs nodes to a cluster, the SSL certificate used by the VMware Aria Operations for Logs cluster in the other VMware Cloud Foundation instance must be installed in the Java keystore of all nodes before SSL can be used.

ILA-VAOL-SEC-001

Activate VMware Aria Operations for Logs integration with your identity source by using the the Active Directory over LDAP.

Allows authentication to VMware Aria Operations for Logs using your identity source.

Allows authorization through the assignment of roles to enterprise users and groups defined in your identity source.

None.

ILA-VAOL-SEC-002

Create a security group in your directory services for VMware Aria Operations for Logs administrators and assign the Super Admin role to the group.

Streamlines the management of VMware Aria Operations for Logs roles for users.

Provides the following access control features:

• Access to VMware Aria Operations for Logs administration is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to VMware Aria Operations for Logs.

You must create the security group outside of the SDDC stack.

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

ILA-VAOL-SEC-003

Create a security group in your directory services for VMware Aria Operations for Logs users and assign the User role to the group.

Streamlines the management of VMware Aria Operations for Logs roles for users.

Provides the following access control features:

• Access to the VMware Aria Operations for Logs user interface is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to VMware Aria Operations for Logs.

You must create the security group outside of the SDDC stack.

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

ILA-VAOL-SEC-004

Create a security group in your directory services for VMware Aria Operations for Logs viewers and assign the View Only Admin role to the group.

Streamlines the management of VMware Aria Operations for Logs roles for users.

Provides the following access control features:

• Access to the VMware Aria Operations for Logs user interface is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to VMware Aria Operations for Logs.

• You must create the security group outside of the SDDC stack.

• You must maintain the life cycle and availability of the security group outside of the SDDC stack.

ILA-VAOL-SEC-005

Configure the password expiration policy for each VMware Aria Operations for Logs appliance.

• You configure the password expiration policy for the VMware Aria Operations for Logs appliance to align with the requirements of your organization which might be based on industry compliance standards.

• The policy is applicable only to the local VMware Aria Operations for Logs appliance users.

You can manage the password expiration policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or ssh client.

ILA-VAOL-SEC-006

Configure the password complexity policy for the VMware Aria Operations for Logs appliance.

• You configure the password complexity policy for VMware Aria Operations for Logs to align with the requirements of your organization which might be based on industry compliance standards.

• The policy is applicable only to the local VMware Aria Operations for Logs users.

You can manage the password complexity policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client.

ILA-VAOL-SEC-007

Configure the account lockout policy for each VMware Aria Operations for Logs appliance.

• You configure the account lockout policy for VMware Aria Operations for Logs to align with the requirements of your organization which might be based on industry compliance standards.

• The policy is applicable only to the local VMware Aria Operations for Logs appliance users.

You can manage the account lockout policy on the VMware Aria Operations for Logs appliance by using the virtual appliance console or a Secure Shell (SSH) client.

ILA-VAOL-SEC-008

Change the VMware Aria Operations for Logsroot password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.

• By default, the password for the VMware Aria Operations for Logsroot account expires every 365 days.

• When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations for Logsroot account in accordance with your organizational policies and regulatory standards.

ILA-VAOL-SEC-009

Change the VMware Aria Operations for Logsadmin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API.

When VMware Aria Operations for Logs is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.

You must routinely perform the password change for the admin account by using the SDDC Manager UI or API.

ILA-VAOL-SEC-010

Use a CA-signed certificate containing the VMware Aria Operations for Logs cluster node FQDNs, and the ILB FQDN in the SAN attributes, when deploying VMware Aria Operations for Logs in each VMware Cloud Foundation instance.

Configuring a CA-signed certificate ensures that the communication to the externally facing UI and API for VMware Aria Operations for Logs, and cross-product, is encrypted.

Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

ILA-VAOL-SEC-011

Use a SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2.

ILA-VAOL-MON-001

Forward alerts to VMware Aria Operations.

Provides monitoring and alerting information that is pushed from VMware Aria Operations for Logs to VMware Aria Operations for centralized administration.

None.

ILA-VAOL-MON-002

Support launch in context with VMware Aria Operations.

Provides access to VMware Aria Operations for Logs for context-based monitoring of an object in VMware Aria Operations.

You can register only one VMware Aria Operations for Logs cluster with VMware Aria Operations for launch in context at a time.

ILA-VAOL-MON-003

Configure the VMware Aria Operations for Logs integration in VMware Aria Operations.

• Activates the Logs tab in VMware Aria Operations.

• Activates Troubleshoot with the Logs dashboard.

• Activates VMware Aria Operations for Logs launch in context from VMware Aria Operations.

You can register only one VMware Aria Operations for Logs cluster with VMware Aria Operations at a time.

You must manage the password life cycle of this endpoint.

ILA-VAOL-MON-004

Configure the VMware Aria Operations for Logs adapter to use the local-instance collector group.

• Local-instance components are configured to use the local collector group.

• Offloads data collection for local management components from the analytics cluster.

None.

ILA-VAOL-MON-005

Add a Ping adapter for the VMware Aria Operations for Logs cluster.

Provides metrics on the availability of the VMware Aria Operations for Logs cluster.

You must add the adapter instances manually.

ILA-VAOL-MON-006

Configure the Ping adapter to use the local-instance collector group.

• Local-instance components are configured to use the local collector group.

• Offloads data collection for local management components from the analytics cluster.

None.

ILA-VAOL-MON-007

In VMware Aria Operations, add an application-to-application service account, for VMware Aria Operations for Logs Integration. Assign this user the default Administrator role.

Establishes integration between VMware Aria Operations for Logs and VMware Aria Operations.

You must maintain the life cycle and availability of the service account outside of the SDDC stack.

ILA-VAOL-MON-008

Activate VMware Aria Operations integration in VMware Aria Operations for Logs using the VMware Aria Operations service account.

Integrating VMware Aria Operations for Logs alerts with VMware Aria Operations allows you to view all information about your environment in a single user interface.

• You must maintain the life cycle of this integration.

• When using Workspace ONE Access, you must specify the user account in the user@domain@source format for the integration. source is the name of the Workspace ONE Access authentication source created in VMware Aria Operations, [email protected]@WorkspaceONE.