The vRealize Log Insight cluster consists of one primary node and two worker nodes behind a load balancer.

Deployment Type

You enable the integrated load balancer (ILB) on the three-node cluster so that all log sources can access the cluster by its ILB. When using the ILB, if there is a scale-out, it is not necessary to reconfigure all log sources with a new destination address. Using the ILB also guarantees that vRealize Log Insight accepts all incoming ingestion traffic.

vRealize Log Insight users accessing the Web user interface or API, and clients ingesting logs using syslog or the Ingestion API, connect to vRealize Log Insight by using the ILB address.

For isolation, you place the vRealize Log Insight on a specific virtual network segment.

In the design, you deploy the vRealize Log Insight nodes on the first vSphere cluster in the management domain in each region.

To accomplish the design objective of this design, you deploy or reuse the following components to deploy this operations management solution for the SDDC:

  • Cross-region vRealize Suite Lifecycle Manager

  • Region-specific Workspace ONE Access

  • Supporting infrastructure services, such as Active Directory, DNS, and NTP.

Table 1. Design Decisions on Deployment of vRealize Log Insight

Decision ID

Design Decision

Design Justification

Design Implication

SDDC-COM-CO-LOG-001

Deploy vRealize Log Insight in a cluster configuration of three nodes with an integrated load balancer: one primary and two worker nodes, on the first cluster in the management domain.

  • Provides high availability.

  • Using the integrated load balancer prevents a single point of failure.

  • Using the integrated load balancer simplifies the vRealize Log Insight deployment and subsequent integration.

  • You must deploy a minimum of three medium nodes.

  • You must size all nodes identically.

  • If the capacity of your vRealize Log Insight cluster must expand, identical capacity must be added to each node.

SDDC-COM-CO-LOG-002

Deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager.

Allows vRealize Suite Lifecycle Manager the ability to provide life cycle management of vRealize Log Insight.

You must deploy vRealize Suite Lifecycle Manager.

SDDC-COM-CO-LOG-003

Protect all vRealize Log Insight nodes by using vSphere High Availability.

Supports the availability objectives for vRealize Log Insight without requiring manual intervention during a failure event

None

SDDC-COM-CO-LOG-004

Apply vSphere Distributed Resource Scheduler (DRS) anti-affinity rules to the vRealize Log Insight cluster nodes.

Using vSphere DRS prevents the vRealize Log Insight cluster nodes from running on the same ESXi host and risking the high availability of the cluster.

  • You must perform additional configuration to set up an anti- affinity rule.

  • You can put in maintenance mode only a single ESXi host at a time in a management cluster of four ESXi.

SDDC-COM-CO-LOG-005

When using two availability zones in Region A, add the vRealize Log Insight nodes to the primary availability zone VM group, sfo-m01-cl01_primary-az-vmgroup.

Ensures that, by default, the vRealize Log Insight virtual appliance is powered on within the primary availability zone hosts group.

If vRealize Log Insight is deployed after the creation of the stretched cluster for management domain availability zones, the VM Group for the primary availability zone virtual machines must be updated to include the vRealize Log Insight virtual appliances.

SDDC-COM-CO-LOG-006

Place the region-specific vRealize Log Insight nodes in a dedicated virtual machine folder in Region A, sfo-m01-fd-vrli.

Provides organization of the vRealize Log Insight nodes in the management domain inventory.

None.

Sizing Compute and Storage Resources

To provide enough resources to accommodate the logging operations of the management components of the SDDC, you size resources for vRealize Log Insight .

To accommodate log data from the products in the SDDC, you must correctly size the compute resources and storage for the Log Insight nodes. For a detailed sizing guidance, see the vRealize Log Insight sizing calculator at https://kb.vmware.com/s/article/60355.

By default, the vRealize Log Insight appliance uses the predefined values for medium configurations.

To collect and store log data from the SDDC management components and tenant workloads according to the objectives of this design, select the appropriate size for the vRealize Log Insight nodes.

Table 2. Compute Resources for a vRealize Log Insight Node

Attribute

Per Appliance

Cluster Deployment

Appliance size

Medium

Medium

CPU

8 vCPUs

24 vCPUs

Memory

16 GB

48 GB

Disk capacity

530 GB

1,590 GB

IOPS

1,000

Amount of processed log data when using log ingestion

75 GB/day of processing per node

Number of processed log messages

5,000 events/second of processing per node

Environment

Up to 250 syslog connections per node

Sizing is usually based on the organization requirements. This design provides calculations that are based on a single-region implementation.This sizing is calculated according to the following logging sources in the region:

Table 3. Logging Sources for vRealize Log Insight

Category

Logging Source

Management Domain

SDDC Manager Appliance

vCenter Server Appliance

ESXi hosts

NSX-T Manager instances

NSX-T Edge instances

Region-specific Workspace ONE Access

Workload Domain

vCenter Server Appliance

ESXi hosts

NSX-T Manager instances

NSX-T Edge instances

Solutions

Cross-region Workspace ONE Access nodes

vRealize Suite Lifecycle Manager appliance

vRealize Operations Manager nodes

vRealize Automation nodes

The expected number of logging sources requires approximately 160 GB of storage per node. Based on this example, the storage space that is allocated per medium-size vRealize Log Insight appliance is sufficient to monitor the SDDC.

Table 4. Design Decisions on Sizing of vRealize Log Insight

Decision ID

Design Decision

Design Justification

Design Implication

SDDC-COM-CO-LOG-007

Deploy each node in the vRealize Log Insight cluster as a medium-size appliance.

Accommodates the expected approximately 200 syslog and vRealize Log Insight agent connections from the following sources:

  • Management domain vCenter Server and Workload domain vCenter Server instances

  • Management ESXi hosts, and shared edge and workload ESXi hosts

  • Management and workload components of NSX-T Data Center

  • Workload domain components of NSX-T Data Center

  • Region-specific Workspace ONE Access

  • Cross-region Workspace ONE Access

  • SDDC Manager

  • vRealize Suite Lifecycle Manager

  • vRealize Automation components

  • vRealize Operations Manager components

Using medium-size nodes ensures that the storage space for the vRealize Log Insight cluster is sufficient for 7 days of data retention.

You must increase the size of the nodes if you configure vRealize Log Insight to monitor additional syslog sources.