By default, the vRealize Log Insight virtual appliance uses the preset values for small configurations.

Standalone Deployment

You can change the appliance settings to meet the needs of the environment for which you intend to collect logs during deployment.

vRealize Log Insight provides preset VM (virtual machine) sizes that you can select from to meet the ingestion requirements of your environment. These presets are certified size combinations of compute and disk resources, though you can add extra resources afterward. A small configuration consumes the fewest resources while remaining supported. An extra small configuration is suitable only for demos.
Preset Size Log Ingest Rate Virtual CPUs Memory IOPS Syslog Connections (Active TCP Connections) Events per Second
Extra Small 6 GB/day 2 4 GB 75 20 400
Small 30 GB/day 4 8 GB 500 100 2000
Medium 75 GB/day 8 16 GB 1000 250 5000
Large 225 GB/day 16 32 GB 1500 750 15,000
You can use a syslog aggregator to increase the number of syslog connections that send events to vRealize Log Insight. However, the maximum number of events per second is fixed and does not depend on the use of a syslog aggregator. A vRealize Log Insight instance cannot be used as a syslog aggregator.
The sizing is based on the following assumptions.
  • Each virtual CPU is at least 2 GHz.
  • Each ESXi host sends up to 10 messages per second with an average message size of 170 bytes/message, which is roughly equivalent to 150 MB/day/host.
Note: For large installations, you must upgrade the virtual hardware version of the vRealize Log Insight virtual machine. vRealize Log Insight supports virtual hardware version 7 or later. Virtual hardware version 7 can support up to 8 virtual CPUs. Therefore, if you plan to provision 16 virtual CPUs, you must upgrade to virtual hardware version 8 or later for ESXi 5.x. You use the vSphere Client to upgrade the virtual hardware. If you want to upgrade virtual hardware to the latest version, read and understand the information in the VMware knowledge base article Upgrading a virtual machine to the latest hardware version (1010675) .

Cluster Deployment

Use a medium configuration, or larger, for the master and worker nodes in a vRealize Log Insight cluster. The number of events per second increases linearly with the number of nodes. For example, in a cluster of 3-12 nodes (clusters must have a minimum of three nodes), the Internet in a 12-node cluster is 180,000 events per second (EPS), or 2.7 TB of events per day.

Reducing the Memory Size

To use the Extra Small version of the appliance when your laptop does not have enough memory, you can reduce the memory size to 2 GB.

vRealize Log Insight Sizing Calculator

A calculator to help you determine sizing for vRealize Log Insight and network and storage use is available. This calculator is intended for guidance only. Many environment inputs are site-specific, so the calculator necessarily uses estimations in some areas. See https://www.vmware.com/go/loginsight/calculator.

Note: The overall performance of vRealize Log Insight might degrade if forwarders are defined against the text field with complex or multiple conditions involving regular expressions, for example " text=~"Deleting the machine"". In such cases, specifically when the overall load on the cluster is high, performance might be delayed and disk blocks might be accumulated on each node of the cluster.