The vRealize Log Insight design enables real-time logging for all components in the solution.

The vRealize Log Insight cluster consists of one primary node and two secondary nodes behind a load balancer.

Figure 1. Logical vRealize Log Insight Design
Logical vRealize Log Insight Design

Enable the Integrated Load Balancer (ILB) on the three-node cluster so that all log sources can address the cluster by its ILB. By using the ILB, you do not need to reconfigure log sources with a new destination address in case of a scale-out or node failure. The ILB also guarantees that vRealize Log Insight accepts all incoming ingestion traffic.

The ILB address is required for users to connect to vRealize Log Insight through the Web UI or API and for clients to ingest logs using syslog or the Ingestion API. A vRealize Log Insight cluster can scale out to 12 nodes: 1 primary and 11 worker nodes.

To accommodate all log data in the solution, size the compute resources and storage for the Log Insight nodes correctly.

By default, the vRealize Log Insight appliance uses the predefined values for small configurations: 4 vCPUs, 8 GB virtual memory, and 530.5 GB disk space. vRealize Log Insight uses 100 GB disk space to store raw data, index, metadata, and other information.

vRealize Log Insight supports the following alerts that trigger notifications about its health and the monitored solutions:

  • System Alerts: vRealize Log Insight generates notifications when an important system event occurs. For example, when the disk space is almost exhausted and vRealize Log Insight must start deleting or archiving old log files.

  • Content Pack Alerts: Content packs contain default alerts that can be configured to send notifications. These alerts are specific to the content pack and are disabled by default.

  • User-Defined Alerts: Administrators and users can define alerts based on the data ingested by vRealize Log Insight.

Table 1. Recommended vRealize Log Insight Design

Design Recommendation

Design Justification

Design Implication

Deploy vRealize Log Insight in a cluster configuration of three nodes with an integrated load balancer:

  • one primary node

  • two worker nodes

  • Provides high availability.

  • The integrated load balancer:

    • Prevents a single point of failure.

    • Simplifies the vRealize Log Insight deployment and subsequent integration.

    • Simplifies the vRealize Log Insight scale-out operations reducing the need to reconfigure existing logging sources.

  • You must deploy a minimum of three medium nodes.

  • You must size each node identically.

  • If the capacity of your vRealize Log Insight cluster must expand, identical capacity must be added to each node.

Deploy vRealize Log Insight nodes of medium size.

Accommodates the number of expected syslog and vRealize Log Insight Agent connections from the following sources:

  • Management and Compute vCenter Servers

  • Management and Compute ESXi hosts

  • NSX-T Components

  • vRealize Operations Manager components

  • VMware Integrated OpenStack

Using medium-size appliances ensures that the storage space for the vRealize Log Insight cluster is sufficient for 7 days of data retention.

If you configure vRealize Log Insight to monitor additional syslog sources, increase the size of the nodes.

Enable alerting over SMTP.

Administrators and operators can receive email alerts from vRealize Log Insight.

Requires access to an external SMTP server.

Forward alerts to vRealize Operations Manager.

Provides monitoring and alerting information that is pushed from vRealize Log Insight to vRealize Operations Manager for centralized administration.

None.