vRealize Log Insight uses specific required services, ports, and external interfaces.

For information about the ports and protocols of vRealize Log Insight, see VMware Ports and Protocols.

Communication Ports

vRealize Log Insight uses the communication ports and protocols listed in this topic. The required ports are organized based on whether they are required for sources, for the user interface, between clusters, for external services, or whether they can be safely blocked by a firewall. Some ports are used only if you enable the corresponding integration.

Note: vRealize Log Insight does not support WAN clustering (also called geo-clustering, high-availability clustering, or remote clustering). All nodes in the cluster should be deployed in the same Layer 2 LAN. In addition, the ports described in this section must be opened between nodes for proper communication.

vRealize Log Insight network traffic has several sources.

Admin Workstation: The machine that a system administrator uses to manage the vRealize Log Insight virtual appliance remotely.
User Workstation: The machine on which a vRealize Log Insight user uses a browser to access the Web interface of vRealize Log Insight.
System sending logs: The endpoint that sends logs to vRealize Log Insight for analysis and search. For example, endpoints include ESXi hosts, virtual machines or any system with an IP address.
Log Insight Agents: The agent that resides on a Windows or Linux machine and sends operating system events and logs to vRealize Log Insight over APIs.
vRealize Log Insight appliance: Any vRealize Log Insight virtual appliance, master or worker, where the vRealize Log Insight services reside. The base operating system of the appliance is SUSE 11 SP3.

Ports Required for Sources Sending Data

The following ports must be open to network traffic from sources that send data to vRealize Log Insight, both for connections from outside the cluster and connections load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| System sending logs | vRealize Log Insight appliance | 514 | TCP, UDP | Outbound syslog traffic configured as a Forwarder destination |
| System sending logs | vRealize Log Insight appliance | 1514, 6514 | TCP | Syslog data over SSL |
| vRealize Log Insight Agents | vRealize Log Insight appliance | 9000 | TCP | Log Insight Ingestion API |
| vRealize Log Insight Agents | vRealize Log Insight appliance | 9543 | TCP | Log Insight Ingestion API over SSL |

Ports Required for the User Interface

The following ports must be open to network traffic that needs to use the vRealize Log Insight user interface, both for connections outside the cluster and connections load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| Admin Workstation | vRealize Log Insight appliance | 22 | TCP | SSH: Secure Shell connectivity |
| User Workstation | vRealize Log Insight appliance | 80 | TCP | HTTP: Web interface |
| User Workstation | vRealize Log Insight appliance | 443 | TCP | HTTPS: Web interface |

Ports Required Between Cluster Nodes

For maximum security, the following ports should be open only on a vRealize Log Insight master node, and only for network access from worker nodes. These ports are in addition to the ports used for source and UI traffic that is load-balanced between cluster nodes.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| vRealize Log Insight appliance | vRealize Log Insight appliance | 7000 | TCP | Cassandra replication and query |
| vRealize Log Insight appliance | vRealize Log Insight appliance | 9042 | TCP | Cassandra service for native protocol clients |
| vRealize Log Insight appliance | vRealize Log Insight appliance | 59778, 16520–16580 | TCP | vRealize Log Insight Thrift service |
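
The following added example (not VMware code) audits a list of inbound firewall allow-rules against the three inbound tables above and flags rules that expose a port to a wider source than the tables name, or that open a port the tables do not list. The node and admin addresses, the `(source CIDR, protocol, port)` rule format, and the choice to leave log sources, agents and user workstations unrestricted by address are assumptions of the example.

```python
import ipaddress

ANY = [ipaddress.ip_network("0.0.0.0/0")]
# Assumed addressing, constructed for this example (documentation ranges).
CLUSTER_NODES = [ipaddress.ip_network("192.0.2.0/28")]
ADMIN_HOSTS = [ipaddress.ip_network("198.51.100.10/32")]

# (protocol, port) -> (allowed source networks, label), transcribed from the tables.
MATRIX = {}

def _add(proto, ports, nets, label):
    for port in ports:
        MATRIX[(proto, port)] = (nets, label)

_add("tcp", [514, 1514, 6514, 9000, 9543], ANY, "log sources and agents")
_add("udp", [514], ANY, "log sources")
_add("tcp", [80, 443], ANY, "user workstations")
_add("tcp", [22], ADMIN_HOSTS, "admin workstations")
_add("tcp", [7000, 9042, 59778, *range(16520, 16581)], CLUSTER_NODES, "cluster nodes")

def audit_rule(src_cidr, proto, port):
    """Return None if the allow-rule fits the matrix, else a finding string."""
    src = ipaddress.ip_network(src_cidr)
    entry = MATRIX.get((proto.lower(), port))
    if entry is None:
        return f"{proto}/{port} from {src}: port not in the documented inbound matrix"
    nets, label = entry
    # The rule is acceptable only if its whole source range sits inside an allowed network.
    if any(src.subnet_of(net) for net in nets):
        return None
    return f"{proto}/{port} from {src}: source wider than {label}"

def audit(rules):
    """Audit every rule and return only the findings."""
    return [f for f in (audit_rule(*rule) for rule in rules) if f]

# Constructed sample ruleset.
SAMPLE_RULES = [
    ("0.0.0.0/0", "tcp", 6514),      # syslog over SSL from any source: fits
    ("192.0.2.0/28", "tcp", 7000),   # Cassandra between nodes: fits
    ("192.0.2.4/32", "tcp", 16580),  # top of the Thrift range: fits
    ("10.0.0.0/8", "tcp", 9042),     # Cassandra open beyond the cluster
    ("0.0.0.0/0", "tcp", 22),        # SSH open beyond admin workstations
    ("192.0.2.0/28", "udp", 7000),   # table lists TCP only
    ("192.0.2.0/28", "tcp", 16581),  # one past the Thrift range
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES)))
```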

Ports Required for External Services

The following ports must be open for outbound network traffic from vRealize Log Insight cluster nodes to remote services.

| Source | Destination | Port | Protocol | Service Description |
|---|---|---|---|---|
| vRealize Log Insight appliance | NTP server | 123 | UDP | NTPD: Provides NTP time synchronization. Note: The port is open only if you select to use NTP time synchronization. |
| vRealize Log Insight appliance | Mail Server | 25 | TCP | SMTP: mail service for outbound alerts |
| vRealize Log Insight appliance | Mail Server | 465 | TCP | SMTPS: mail service over SSL for outbound alerts |
| vRealize Log Insight appliance | DNS server | 53 | TCP, UDP | DNS: name resolution service |
| vRealize Log Insight appliance | AD server | 389 | TCP, UDP | Active Directory |
| vRealize Log Insight appliance | AD server | 636 | TCP | Active Directory over SSL |
| vRealize Log Insight appliance | AD server | 3268 | TCP | Active Directory Global Catalog |
| vRealize Log Insight appliance | AD server | 3269 | TCP | Active Directory Global Catalog SSL |
| vRealize Log Insight appliance | AD server | 88 | TCP, UDP | Kerberos |
| vRealize Log Insight appliance | vCenter Server | 443 | TCP | vCenter Server Web Service |
| vRealize Log Insight appliance | vRealize Operations Manager appliance | 443 | TCP | vRealize Operations Web service |
| vRealize Log Insight appliance | Third-party log manager | 514 | TCP, UDP | syslog data |
| vRealize Log Insight appliance | Third-party log manager | 9000 | CFAPI | Outbound Log Insight Ingestion API (CFAPI) traffic configured as a Forwarder destination |
| vRealize Log Insight appliance | Third-party log manager | 9543 | CFAPI | Outbound Log Insight Ingestion API (CFAPI) traffic configured as a Forwarder destination with encryption (SSL/TLS) |