vRealize Log Insight uses specific required services, ports, and external interfaces.

Communication Ports

vRealize Log Insight uses the communication ports and protocols listed in this topic. The required ports are organized based on whether they are required for sources, for the user interface, between clusters, for external services, or whether they can be safely blocked by a firewall. Some ports are used only if you enable the corresponding integration.

Note:

vRealize Log Insight does not support WAN clustering (also called geoclustering, high-availability clustering, or remote clustering). All nodes in the cluster should be deployed in the same Layer 2 LAN. In addition, the ports described in this section must be opened between nodes for proper communication.

vRealize Log Insight network traffic has several sources.

Admin workstation

The machine that a system administrator uses to manage the vRealize Log Insight virtual appliance remotely.

User workstation

The machine on which a vRealize Log Insight user uses a browser to access the Web interface of vRealize Log Insight.

System sending logs

The endpoint that sends logs to vRealize Log Insight for analysis and search. For example, endpoints include ESXi hosts, virtual machines, or any system with an IP address.

Log Insight Agents

The agent that resides on a Windows or Linux machine and sends operating system events and logs to vRealize Log Insight over APIs.

vRealize Log Insight appliance

Any vRealize Log Insight virtual appliance, master or worker, where the vRealize Log Insight services reside. The base operating system of the appliance is SUSE 11 SP3.

Ports Required for Sources Sending Data

The following ports need to be open to network traffic from sources that send data to vRealize Log Insight, both for connections from outside the cluster and connections load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| System sending logs | vRealize Log Insight appliance | 514 | TCP, UDP | Outbound syslog traffic configured as a Forwarder destination |
| System sending logs | vRealize Log Insight appliance | 1514, 6514 | TCP | Syslog data over SSL |
| vRealize Log Insight Agents | vRealize Log Insight appliance | 9000 | TCP | Log Insight Ingestion API |
| vRealize Log Insight Agents | vRealize Log Insight appliance | 9543 | TCP | Log Insight Ingestion API over SSL |

Ports Required for the User Interface

The following ports need to be open to network traffic that needs to use the vRealize Log Insight user interface, both for connections outside the cluster and connections load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| Admin workstation | vRealize Log Insight appliance | 22 | TCP | SSH: Secure Shell connectivity |
| User workstation | vRealize Log Insight appliance | 80 | TCP | HTTP: Web interface |
| User workstation | vRealize Log Insight appliance | 443 | TCP | HTTPS: Web interface |

Ports Required Between Cluster Nodes

For maximum security, the following ports should be open on a vRealize Log Insight master node only for network access from worker nodes. These ports are in addition to the ports used for source and UI traffic that is load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| vRealize Log Insight appliance | vRealize Log Insight appliance | 7000 | TCP | Cassandra replication and query |
| vRealize Log Insight appliance | vRealize Log Insight appliance | 9042 | TCP | Cassandra service for native protocol clients |
| vRealize Log Insight appliance | vRealize Log Insight appliance | 9160 | TCP | Cassandra service for Thrift clients |
| vRealize Log Insight appliance | vRealize Log Insight appliance | 59778, 16520-16580 | TCP | vRealize Log Insight Thrift service |

Ports Required for External Services

The following ports must be open for outbound network traffic from vRealize Log Insight cluster nodes to remote services.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| vRealize Log Insight appliance | NTP server | 123 | UDP | NTPD: Provides NTP time synchronization. Note: The port is open only if you choose to use NTP time synchronization. |
| vRealize Log Insight appliance | Mail Server | 25 | TCP | SMTP: mail service for outbound alerts |
| vRealize Log Insight appliance | Mail Server | 465 | TCP | SMTPS: mail service over SSL for outbound alerts |
| vRealize Log Insight appliance | DNS server | 53 | TCP, UDP | DNS: name resolution service |
| vRealize Log Insight appliance | AD server | 389 | TCP, UDP | Active Directory |
| vRealize Log Insight appliance | AD server | 636 | TCP | Active Directory over SSL |
| vRealize Log Insight appliance | AD server | 3268 | TCP | Active Directory Global Catalog |
| vRealize Log Insight appliance | AD server | 3269 | TCP | Active Directory Global Catalog SSL |
| vRealize Log Insight appliance | AD server | 88 | TCP, UDP | Kerberos |
| vRealize Log Insight appliance | vCenter Server | 443 | TCP | vCenter Server Web Service |
| vRealize Log Insight appliance | vRealize Operations Manager appliance | 443 | TCP | vRealize Operations Web service |
| vRealize Log Insight appliance | Third-party log manager | 514 | TCP, UDP | syslog data |
| vRealize Log Insight appliance | Third-party log manager | 9000 | CFAPI | Outbound Log Insight Ingestion API (CFAPI) traffic configured as a Forwarder destination |
| vRealize Log Insight appliance | Third-party log manager | 9543 | CFAPI | Outbound Log Insight Ingestion API (CFAPI) traffic configured as a Forwarder destination with encryption (SSL/TLS) |

Ports That Can be Blocked

The following ports are open but not used by vRealize Log Insight. These ports can be safely blocked by a firewall.

| Destination | Port | Protocol | Service Description |
|---|---|---|---|
| vRealize Log Insight appliance | 111 | TCP, UDP | RPCbind service that converts RPC program numbers into universal addresses |
| vRealize Log Insight appliance Tomcat service | 9007 | TCP | Tomcat services |
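
The inbound port tables above, including the restriction of cluster ports to worker nodes and the ports that can be blocked, written out as an iptables-restore ruleset for a master node. This is an added example, not VMware's own configuration: it assumes a Linux iptables host firewall, and the worker addresses, the admin subnet, and the `gen_rules` function name are constructed placeholders.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a Log Insight master node.
# WORKERS and ADMIN_NET are constructed placeholders (RFC 5737 addresses).
WORKERS="192.0.2.11 192.0.2.12"
ADMIN_NET="198.51.100.0/24"

# TCP ports from the "Ports Required Between Cluster Nodes" table.
CLUSTER_TCP="7000 9042 9160 59778 16520:16580"

gen_rules() {
  echo "*filter"
  echo ":INPUT DROP [0:0]"      # default deny: anything not listed is dropped
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"   # outbound NTP, SMTP, DNS, AD, vCenter not filtered here
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # "Ports That Can be Blocked": explicit drops so the intent survives
  # a later change of the default policy.
  for proto in tcp udp; do
    echo "-A INPUT -p $proto --dport 111 -j DROP"
  done
  echo "-A INPUT -p tcp --dport 9007 -j DROP"

  # Sources sending data: syslog, syslog over SSL, ingestion API.
  echo "-A INPUT -p tcp -m multiport --dports 514,1514,6514,9000,9543 -j ACCEPT"
  echo "-A INPUT -p udp --dport 514 -j ACCEPT"

  # User interface; SSH is limited to the admin subnet (assumption).
  echo "-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT"
  echo "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT"

  # Cluster ports: accepted only when the source is a known worker node.
  for w in $WORKERS; do
    for p in $CLUSTER_TCP; do
      echo "-A INPUT -p tcp -s $w --dport $p -j ACCEPT"
    done
  done
  echo "COMMIT"
}

# Print the ruleset; validate it with "iptables-restore --test" before loading.
gen_rules
```

Because the default policy is DROP, a Cassandra or Thrift port reached from any address outside `WORKERS` is rejected without a dedicated rule.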