As part of vRealize Log Insight configuration, you configure syslog and vRealize Log Insight agents.

Client applications can send logs to vRealize Log Insight in one of the following ways:

  • Directly to vRealize Log Insight using the syslog TCP, syslog TCP over TLS/SSL, or syslog UDP protocols

  • By using a vRealize Log Insight Agent

  • By using vRealize Log Insight to directly query the vSphere Web Server APIs

  • By using a vRealize Log Insight user interface

The following design decisions result.


Breaks in the design decision numbering are intentional and help keep numbering in sync across different VMware Validated Design use cases.

Table 1. Design Decisions about Direct Log Communication to vRealize Log Insight

Decision ID

Design Decision

Design Justification

Design Implication


Configure syslog sources and vRealize Log Insight Agents to send log data directly to the virtual IP (VIP) address of the vRealize Log Insight integrated load balancer (ILB).

  • Allows for future scale-out without reconfiguring all log sources with a new destination address.

  • Simplifies the configuration of log sources within the SDDC.

  • You must configure the Integrated Load Balancer on the vRealize Log Insight cluster.

  • You must configure logging sources to forward data to the vRealize Log Insight VIP.


Configure the NSX for vSphere components as direct syslog sources for vRealize Log Insight including:

  • NSX Manager

  • NSX Controllers

  • NSX Edge services gateways

Simplifies configuration of log sources within the SDDC that are syslog-capable.

  • You must manually configure syslog sources to forward logs to the vRealize Log Insight VIP.

  • Not all operating system-level events are forwarded to vRealize Log Insight.


Configure vCenter Server Appliance instances and Platform Services Controller appliances as direct syslog sources to send log data directly to vRealize Log Insight.

Simplifies configuration for log sources that are syslog-capable.

  • You must manually configure syslog sources to forward logs to the vRealize Log Insight VIP.

  • Certain dashboards in vRealize Log Insight require the use of the vRealize Log Insight Agent for proper ingestion.

  • Not all operating system level events are forwarded to vRealize Log Insight.


Configure vRealize Log Insight to ingest events, tasks, and alarms from the Management vCenter Server and Compute vCenter Server instances.

Ensures that all tasks, events and alarms generated across all vCenter Server instances in a specific region of the SDDC are captured and analyzed for the administrator.

  • You must create a service account on vCenter Server to connect vRealize Log Insight for events, tasks, and alarms pulling.

  • Configuring vSphere Integration within vRealize Log Insight does not capture events that occur on the Platform Services Controller.


Communicate with the syslog clients, such as ESXi, vCenter Server, NSX for vSphere, using the default syslog UDP protocol.

  • Using the default UDP syslog protocol simplifies configuration for all syslog sources.

  • UDP syslog protocol is the most common logging protocol that is available across products.

  • UDP has a lower performance overhead compared to TCP.

  • If the network connection is interrupted, the syslog traffic is lost.

  • UDP syslog traffic is not secure.

  • UDP syslog protocol does not support reliability and retry mechanisms.


Include the syslog configuration for vRealize Log Insight in the host profile for the following clusters:

  • Management cluster

  • Shared edge and compute cluster

  • Any additional compute cluster

Simplifies the configuration of the hosts in the cluster and ensures that settings are uniform across the cluster.

Every time you make an authorized change to a host regarding the syslog configuration you must update the host profile to reflect the change or the status will show non-compliant.


Do not configure vRealize Log Insight to automatically update all deployed agents.

Manually install updated versions of the Log Insight agents for each of the specified components within the SDDC for precise maintenance.

You must manually maintain the vRealize Log Insight agents on each of the SDDC components.