Configure archive and retention parameters of vRealize Log Insight according to the company policy for compliance and governance.

Each vRealize Log Insight virtual appliance has three default virtual disks and can use more virtual disks for storage.

Table 1. Virtual Disk Configuration in the vRealize Log Insight Virtual Appliance

| Hard Disk | Size | Usage |
|---|---|---|
| Hard disk 1 | 20 GB | Root file system |
| Hard disk 2 | 510 GB for medium-size deployment | Contains two partitions: /storage/var (system logs) and /storage/core (storage for collected logs) |
| Hard disk 3 | 512 MB | First boot only |

Calculate the storage space that is available for log data using the following equation:

/storage/core = hard disk 2 space - system logs space on hard disk 2

Based on the size of the default disk, /storage/core is equal to 490 GB. If /storage/core is 490 GB, vRealize Log Insight can use 475 GB for retaining accessible logging data.

/storage/core = 510 GB - 20 GB = 490 GB
Retention = /storage/core - 3% * /storage/core
Retention = 490 GB - 3% * 490 GB ≈ 475 GB disk space per vRLI appliance

You can calculate retention time by using the following equations:

GB per vRLI Appliance per day = (Amount in GB of disk space used per day / Number of vRLI appliances) * 1.7 indexing
Retention in days = 475 GB disk space per vRLI appliance / GB per vRLI Appliance per day

(42 GB of logging data ingested per day / 3 vRLI appliances) * 1.7 indexing ≈ 24 GB per vRLI Appliance per day
475 GB disk space per vRLI appliance / 24 GB per vRLI Appliance per Day ≈ 20 days of retention

Configure a retention period of 7 days for the small-size vRealize Log Insight appliance.

Table 2. Design Decision About Retention Period for vRealize Log Insight

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| CSDDC-OPS-LOG-005 | Configure vRealize Log Insight to retain data for 7 days. | Accommodates logs from 85 syslog sources and vRealize Log Insight Agents as per the SDDC design. | None. |

Archiving

You configure vRealize Log Insight to archive log data only if you must retain logs for an extended period for compliance, auditability, or a customer-specific reason.

| Attribute of Log Archiving | Description |
|---|---|
| Archiving period | vRealize Log Insight archives log messages as soon as possible. At the same time, the logs are retained on the virtual appliance until the free local space is almost filled. Data exists on both the vRealize Log Insight appliance and the archive location for most of the retention period. The archiving period must be longer than the retention period. |
| Archive location | The archive location must be on an NFS version 3 shared storage. The archive location must be available and must have enough capacity to accommodate the archives. |

Apply an archive policy of 90 days for the medium-size vRealize Log Insight appliance. The vRealize Log Insight clusters will each use approximately 250 GB of shared storage, calculated as follows:

(Average Storage Utilization (GB) per Day sources * Days of Retention) / Number of vRLI appliances ≈ Recommended Storage in GB
((((Recommended Storage Per Node * Number of vRLI appliances) / Days of Retention) * Days of Archiving) * 10%) ≈ Archiving to NFS in GB
 
((((190 GB * 1 vRLI appliance) / 7 Days of Retention) * 90 Days of Archiving) * 10%) ≈ 250 GB of NFS

According to the business compliance regulations of your organization, these sizes might change.

Table 3. Design Decision About Log Archive Policy for vRealize Log Insight

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| CSDDC-OPS-LOG-006 | Provide 250 GB of NFS version 3 shared storage to the vRealize Log Insight instance. | Accommodates log archiving from 85 logging sources for 90 days. | • You must manually maintain the vRealize Log Insight archive blobs stored on the NFS store, selectively cleaning the datastore as more space is required. • You must increase the size of the NFS shared storage if you configure vRealize Log Insight to monitor more logging sources or add more vRealize Log Insight workers. • You must enforce the archive policy directly on the shared storage. • If the NFS mount does not have enough free space or is unavailable for a period greater than the retention period of the virtual appliance, vRealize Log Insight stops ingesting new data until the NFS mount has enough free space, becomes available, or archiving is disabled. |
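The retention and archive sizing formulas above, combined into one plan check, as an added example that is not part of the original documentation. Function and parameter names are assumptions of this example; the constants 1.7, 3% and 10% are the ones the page uses, and the failing plan is constructed.

```python
INDEXING = 1.7         # indexing overhead multiplier used on the page
RESERVED = 0.03        # 3% of /storage/core is not usable for retention
ARCHIVE_FACTOR = 0.10  # 10% factor from the page's archive formula


def retention_days(disk2_gb, syslog_gb, ingest_gb_day, nodes):
    """Days of logs one appliance can hold on its local disk."""
    if nodes < 1 or ingest_gb_day <= 0:
        raise ValueError("nodes and ingest rate must be positive")
    core = disk2_gb - syslog_gb                      # /storage/core
    usable = core - RESERVED * core                  # retention space
    per_node_day = ingest_gb_day / nodes * INDEXING  # indexed GB per day
    return usable / per_node_day


def archive_gb(rec_storage_gb, nodes, keep_days, archive_days):
    """NFS capacity needed to hold archives for archive_days."""
    if nodes < 1 or keep_days < 1:
        raise ValueError("nodes and retention days must be positive")
    return rec_storage_gb * nodes / keep_days * archive_days * ARCHIVE_FACTOR


def findings(local_days, keep_days, archive_days, need_gb, nfs_gb):
    """Return the sizing rules from the page that a plan violates."""
    out = []
    if local_days < keep_days:
        out.append("local disk fills before the retention period ends")
    if archive_days <= keep_days:
        out.append("archiving period must be longer than the retention period")
    if nfs_gb < need_gb:
        out.append("NFS share too small: ingestion stops when it runs out of space")
    return out


# Figures from the page: 42 GB/day over 3 appliances for retention,
# 190 GB recommended storage on 1 appliance for the archive estimate.
RET = retention_days(510, 20, 42, 3)
ARCH = archive_gb(190, 1, 7, 90)          # the page rounds this up to 250 GB
OK = findings(RET, 7, 90, ARCH, 250)

# Constructed failing plan: 120 GB/day on one appliance, 5-day archive, 10 GB NFS.
BAD = findings(retention_days(510, 20, 120, 1), 7, 5, archive_gb(190, 1, 7, 5), 10)

if __name__ == "__main__":
    print(f"retention {RET:.1f} days, archive {ARCH:.0f} GB, findings {OK}")
    for item in BAD:
        print("constructed plan:", item)
```

The unrounded retention result differs slightly from the page's intermediate figures because the page rounds 23.8 GB per day up to 24 before dividing.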