Use content packs to retrieve, extract, and parse the logs generated by the management components in the SDDC into a human-readable format. vRealize Log Insight saves log queries and alerts, and you can use dashboards for efficient monitoring. On the logging clients, you configure syslog and vRealize Log Insight agents.

For information about the logging sources for vRealize Log Insight in this design, see Deployment Model of vRealize Log Insight.

Content Packs

Table 1. vRealize Log Insight Content Packs in This VMware Validated Design

| Content Pack | Installed by Default |
|---|---|
| General | |
| VMware - vSphere | |
| VMware - vSAN | |
| VMware - vRealize Operations Manager | |
| VMware - NSX-T Data Center | X |
| VMware - Linux | X |
| VMware - Linux Systemd | X |

Table 2. Design Decisions on Content Packs for vRealize Log Insight

SDDC-COM-CO-LOG-020

Design Decision: Install the following content packs:

  • VMware - Linux

  • VMware - Linux Systemd

  • NSX-T Data Center

Design Justification: Provides additional granular monitoring on the virtual infrastructure.

The following content packs are installed by default in vRealize Log Insight:

  • VMware - vSphere

  • VMware - vSAN

  • VMware - vRealize Operations Manager

Design Implication: Requires installation and configuration of each non-default content pack.

SDDC-COM-CO-LOG-021

Design Decision: Configure the following agent groups that are related to content packs:

  • SDDC - Linux OS

  • SDDC - Photon OS

Design Justification:

  • Provides a standardized configuration that is pushed to all vRealize Log Insight agents in each of the groups.

  • Supports collection according to the context of the applications, and parsing of the logs generated from the SDDC components by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.

Design Implication: Adds minimal load to vRealize Log Insight.

Logging Sources

Client applications can send logs to vRealize Log Insight in one of the following ways:

  • Directly to vRealize Log Insight using the syslog TCP, syslog TCP over TLS/SSL, or syslog UDP protocols

  • By using a vRealize Log Insight agent

  • By using vRealize Log Insight to query the vSphere Web Server APIs directly

  • By using the vRealize Log Insight user interface

vRealize Log Insight collects log events from the following virtual infrastructure and cloud management components:

Table 3. vRealize Log Insight Logging Sources and Types

| Logging Source | Logging Type |
|---|---|
| vCenter Server | Syslog |
| ESXi Hosts | Syslog |
| NSX-T Manager | Syslog |
| NSX-T Edge | Syslog |
| Workspace ONE Access | Agent |
| SDDC Manager | Agent |
| vRealize Suite Lifecycle Manager | Agent |
| vRealize Operations Manager | Agent |
| vRealize Automation | Fluentd Plug-in for vRealize Log Insight |

Table 4. Design Decision on Logging Sources for vRealize Log Insight

SDDC-COM-CO-LOG-022

Design Decision: Install and configure the vRealize Log Insight agent on each Workspace ONE Access node to send logs to a vRealize Log Insight cluster.

  • For the region-specific Workspace ONE Access instance, use the vRealize Log Insight agent from the corresponding regional vRealize Log Insight cluster.

  • For the cross-region Workspace ONE Access cluster, use the vRealize Log Insight agent from the vRealize Log Insight cluster in Region A.

Design Justification: Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access node.

Supports collection according to the context of Workspace ONE Access by using the vRealize Log Insight ingestion API, and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.

Design Implication: None

SDDC-COM-CO-LOG-023

Design Decision: Configure the SDDC - Linux OS agent group in each vRealize Log Insight cluster to include all Workspace ONE Access nodes.

Design Justification: Provides a standardized configuration that is pushed to the vRealize Log Insight agents for each Workspace ONE Access appliance.

Supports collection according to the context of Workspace ONE Access by using the vRealize Log Insight ingestion API, and parsing of the logs by the vRealize Log Insight agent, such as specific log directories, log files, and logging formats.

Design Implication: Adds minimal load to the vRealize Log Insight cluster.

SDDC-COM-CO-LOG-024

Design Decision: Configure syslog sources and vRealize Log Insight agents to send log data directly to the virtual IP (VIP) address of the vRealize Log Insight integrated load balancer (ILB).

Design Justification:

  • Provides the potential to scale out without reconfiguring all log sources with a new destination address.

  • Simplifies the configuration of log sources in the SDDC.

Design Implication:

  • You must configure the integrated load balancer on the vRealize Log Insight cluster.

  • You must configure logging sources to forward data to the vRealize Log Insight VIP.

SDDC-COM-CO-LOG-025

Design Decision: Configure all vCenter Server instances as direct syslog sources to send log data directly to vRealize Log Insight.

Design Justification: Simplifies configuration for log sources that are syslog-capable.

Design Implication:

  • You must manually configure syslog sources to forward logs to the vRealize Log Insight VIP.

  • Certain dashboards in vRealize Log Insight require the use of the vRealize Log Insight agent for proper ingestion.

  • Not all operating system-level events are forwarded to vRealize Log Insight.

SDDC-COM-CO-LOG-026

Design Decision: Configure the vRealize Log Insight agent on the SDDC Manager appliance.

Design Justification: Simplifies configuration of log sources in the SDDC that are pre-packaged with the vRealize Log Insight agent.

Design Implication: You must configure the vRealize Log Insight agent to forward logs to the vRealize Log Insight VIP.

SDDC-COM-CO-LOG-027

Design Decision: Configure the vRealize Log Insight agent on the vRealize Suite Lifecycle Manager appliance.

Design Justification: Simplifies configuration of log sources in the SDDC that are pre-packaged with the vRealize Log Insight agent.

Design Implication: You must configure the vRealize Log Insight agent to forward logs to the vRealize Log Insight VIP.

SDDC-COM-CO-LOG-028

Design Decision: Configure the Fluentd vRealize Log Insight plugin on the vRealize Automation appliance instances.

Design Justification: Enables the appliance and the containers to send logs to vRealize Log Insight.

Design Implication: You must configure the Fluentd vRealize Log Insight plugin to forward logs to the vRealize Log Insight VIP.

SDDC-COM-CO-LOG-029

Design Decision: Configure the vRealize Log Insight agent for the vRealize Operations Manager appliances including:

  • Analytics nodes

  • Remote Collector instances

Design Justification: Simplifies configuration of log sources in the SDDC that are pre-packaged with the vRealize Log Insight agent.

Design Implication: You must configure the vRealize Log Insight agent to forward logs to the vRealize Log Insight VIP.

SDDC-COM-CO-LOG-030

Design Decision: Configure the NSX-T Data Center components as direct syslog sources for vRealize Log Insight including:

  • NSX-T Manager instances

  • NSX Edge Cluster Instances

Design Justification: Simplifies configuration of log sources in the SDDC that are syslog-capable.

Design Implication:

  • You must manually configure syslog sources to forward logs to the vRealize Log Insight VIP.

  • Not all operating system-level events are forwarded to vRealize Log Insight.

SDDC-COM-CO-LOG-031

Design Decision: Communicate with the syslog clients, such as ESXi, vCenter Server, and NSX-T Data Center, by using the TCP protocol.

Design Justification: Using the TCP syslog protocol ensures reliability and supports retry mechanisms.

TCP syslog traffic is secure and more consistent with RFC 5424.

Design Implication:

  • TCP has a higher performance overhead compared to UDP.

  • You must manually disable the SSL connection requirement in vRealize Log Insight.

SDDC-COM-CO-LOG-032

Design Decision: Do not configure vRealize Log Insight to automatically update all deployed agents.

Design Justification: Manually install updated versions of the Log Insight Agents for each of the specified components in the SDDC for precise maintenance.

Design Implication: You must manually maintain the vRealize Log Insight Agents on each of the SDDC components.

For information about the design decisions on the service account for vRealize Log Insight ingestion from vCenter Server, see Service Accounts for vRealize Log Insight.
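
The following Python sketch is an added example, not part of the VMware Validated Design. It audits collected source settings against decisions SDDC-COM-CO-LOG-024 (send to the ILB VIP), SDDC-COM-CO-LOG-031 (TCP syslog), and SDDC-COM-CO-LOG-032 (no automatic agent updates). The VIP name, the sample data, the ESXi-style `proto://host:port` target strings, and the `[server] hostname` and `[update] auto_update` keys of `liagent.ini` are assumptions of the example.

```python
import configparser
from urllib.parse import urlsplit

VIP = "vrli-vip.example.local"  # placeholder FQDN for the ILB VIP (assumption)

def check_loghost(value, vip=VIP):
    """Findings for a syslog target setting such as 'tcp://host:514'."""
    targets = [t.strip() for t in value.split(",") if t.strip()]
    if not targets:
        return ["LOG-024: no syslog target configured"]
    findings = []
    for target in targets:
        # Assumption: a target without a scheme is sent over UDP, as on ESXi.
        url = urlsplit(target if "://" in target else "udp://" + target)
        if url.scheme == "udp":
            findings.append(f"LOG-031: {target} uses UDP, not TCP")
        if (url.hostname or "") != vip.lower():
            findings.append(f"LOG-024: {target} is not the ILB VIP")
    return findings

def check_agent_ini(text, vip=VIP):
    """Findings for the text of an agent liagent.ini file."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    host = cfg.get("server", "hostname", fallback="").strip().lower()
    if host != vip.lower():
        findings.append(f"LOG-024: agent target '{host}' is not the ILB VIP")
    # Assumption: a missing auto_update key is treated as enabled.
    if cfg.get("update", "auto_update", fallback="yes").strip().lower() != "no":
        findings.append("LOG-032: agent auto-update is not disabled")
    return findings

def audit(loghosts, agent_inis, vip=VIP):
    """Map each non-compliant source name to its list of findings."""
    report = {n: check_loghost(v, vip) for n, v in loghosts.items()}
    report.update({n: check_agent_ini(t, vip) for n, t in agent_inis.items()})
    return {n: f for n, f in report.items() if f}

# Constructed sample data, not taken from a real environment.
SAMPLE_LOGHOSTS = {
    "esxi01": "tcp://vrli-vip.example.local:514",
    "esxi02": "udp://vrli-vip.example.local:514",
    "esxi03": "tcp://vrli-node1.example.local:514, vrli-vip.example.local",
}
SAMPLE_INI = "[server]\nhostname=vrli-vip.example.local\nproto=cfapi\n[update]\nauto_update=yes\n"

if __name__ == "__main__":
    for name, found in audit(SAMPLE_LOGHOSTS, {"sddc-manager": SAMPLE_INI}).items():
        print(name, found)
```

Sources that point at a single cluster node instead of the VIP are reported under LOG-024, because they would have to be reconfigured when the cluster scales out.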