The vRealize Log Insight design activates real-time logging for all components in the solution.
The vRealize Log Insight cluster consists of one primary node and two secondary nodes behind a load balancer.
Configure the Integrated Load Balancer (ILB) on the three-node cluster so that all log sources can address the cluster by its ILB. By using the ILB, you do not need to reconfigure log sources with a new destination address in case of a scale-out or node failure. The ILB also guarantees that vRealize Log Insight accepts all incoming ingestion traffic.
The ILB address is required for users to connect to vRealize Log Insight through the Web UI or API and for clients to ingest logs using syslog or the Ingestion API. A vRealize Log Insight cluster can scale out to 12 nodes: 1 primary and 11 worker nodes.
To accommodate all log data in the solution, size the compute resources and storage for the Log Insight nodes correctly.
By default, the vRealize Log Insight appliance uses the predefined values for small configurations: 4 vCPUs, 8 GB virtual memory, and 530.5 GB disk space. vRealize Log Insight uses 100 GB disk space to store raw data, index, metadata, and other information.
vRealize Log Insight supports the following alerts that trigger notifications about its health and the monitored solutions:
System Alerts: vRealize Log Insight generates notifications when an important system event occurs, for example, when the disk space is almost exhausted and vRealize Log Insight must start deleting or archiving old log files.
Content Pack Alerts: Content packs contain default alerts that can be configured to send notifications. These alerts are specific to the content pack and are deactivated by default.
User-Defined Alerts: Administrators and users can define alerts based on the data ingested by vRealize Log Insight.

Design Recommendation | Design Justification | Design Implication |
---|---|---|
Deploy vRealize Log Insight in a cluster configuration of three nodes with an integrated load balancer: | | |
Deploy vRealize Log Insight nodes of medium size. | Accommodates the number of expected syslog and vRealize Log Insight Agent connections from the following sources:<br>Using medium-size appliances ensures that the storage space for the vRealize Log Insight cluster is sufficient for 7 days of data retention. | If you configure vRealize Log Insight to monitor additional syslog sources, increase the size of the nodes. |
Activate alerting over SMTP. | Administrators and operators can receive email alerts from vRealize Log Insight. | Requires access to an external SMTP server. |
Forward alerts to vRealize Operations. | Provides monitoring and alerting information that is pushed from vRealize Log Insight to vRealize Operations for centralized administration. | None. |