You can deploy vRealize Log Insight with a single node, single cluster, or cluster with forwarders.
A basic vRealize Log Insight configuration includes a single node. The log sources are applications, OS logs, virtual machine logs, hosts, the vCenter Server, virtual or physical switches and routers, storage hardware, etc. Log streams are transported to the vRealize Log Insight node using syslog (UDP, TCP, TCP+SSL) or CFAPI (the vRealize Log Insight native ingestion protocol over HTTP or HTTPS), either directly by an application, syslog concentrator, or the vRealize Log Insight agent installed on the source.
A vRealize Log Insight single cluster configuration includes 3 to 12 nodes leveraging the Integrated Load Balancer (ILB). A single log message is only present in one location within the cluster. The cluster remains up and available to ingest data and serve queries during the temporary unavailability of any single node results in the cluster. Removal and reintroduction of a cluster node is not supported.
Cluster with forwarders
A vRealize Log Insight cluster with forwarders configuration includes main indexing, storage, and a query cluster of 3-12 nodes leveraging the ILB. A single log message is only present in one location within the main cluster, as in the single cluster.
The design is extended through the addition of multiple forwarder clusters at remote sites or clusters. Each forwarder cluster is configured to forward all of its log messages to the main cluster and users connect to the main cluster, taking advantage of CFAPI for compression and resilience on the forwarding path. Forwarder clusters configured as top-of-rack may be configured with a larger local retention.
Cross-forwarding central for redundancy
This vRealize Log Insight deployment scenario includes a cluster with forwarder that is extended and mirrored. Two main clusters are used for indexing, storage, and query. One main cluster is in each datacenter; each is front-ended with a pair of dedicated forwarder clusters. All log sources from all top-of-rack aggregations concentrate at the forwarder clusters. You can independently query the same logs on both retention clusters.