You can deploy vRealize Log Insight with a single node, single cluster, or cluster with forwarders.
Installation Through vRealize Suite Lifecycle Manager
The vRealize Suite Lifecycle Manager automates installation, configuration, upgrade, patch, configuration management, drift remediation, and health for Suites products. As an alternative to installation with vRealize Log Insight, you can install vRealize Log Insight through the vRealize Suite Lifecycle Manager. You must be using vRealize Suite Lifecycle Manager 1.2 or later and vRealize Log Insight 4.5.1 or later. See vRealize Suite Lifecycle Manager documentation for more information.
A basic vRealize Log Insight configuration includes a single node. Log sources can be applications, OS logs, virtual machine logs, hosts, the vCenter Server, virtual or physical switches and routers, storage hardware, and so on. Log streams are transported to the vRealize Log Insight node using syslog (UDP, TCP, TCP+SSL) or CFAPI (the vRealize Log Insight native ingestion protocol over HTTP or HTTPS), either directly by an application, syslog concentrator, or the vRealize Log Insight agent installed on the source.
As a best practice for single-node deployments to use the vRealize Log Insight Integrated Load Balancer (ILB) and to send queries and ingestion traffic to the ILB. This does not incur overhead and simplifies configuration if you want to add nodes to create a cluster for your deployment in the future.
As a best practice, do not use single nodes for production environments.
Production environments generally require the use of clusters. Clusters must meet the following requirements:
- Nodes in clusters are all be of the same size and in the same data center.
- The ILB used with clusters requires that nodes be in the same L2 network.
- vRealize Log Insight virtual machines must be excluded from VMware NSX Distributed Firewall Protection.
This is because virtual IPs for clusters use a Linux Virtual Server in Direct Server Return Mode (LVS-DR) for load balancing. Direct Server Return is more efficient than routing all response traffic through a single cluster member. However, it also resembles spoofed traffic, which NSX Distributed Firewall blocks.
A vRealize Log Insight single cluster configuration can include from three to 12 nodes and uses the ILB. A cluster requires a minimum of healthy three nodes to operate correctly.
Production environments require that nodes be at least of medium size. If you anticipate working with a large number of concurrent queries, including alerts, consider using large-sized nodes. For information about sizing, see Sizing the vRealize Log Insight Virtual Appliance.
Although the minimum number of nodes in a vRealize Log Insight cluster is three, if there is failure of the nodes, a cluster with fewer than three healthy nodes will not be fully functional. Also, the number of healthy nodes in cluster must be greater than half of the total number of cluster nodes. For example, if you have a six-node cluster and three of the nodes become unavailable, the cluster is not fully functional until you remove the non-functional nodes from the cluster. Removal and reintroduction of a cluster node is not supported.
Clusters with Forwarders
A vRealize Log Insight cluster with forwarders configuration includes main indexing, storage, and a query cluster of three to 12 nodes using the ILB. A single log message is present in only one location within the main cluster, as for the single cluster.
The design is extended through the addition of multiple forwarder clusters at remote sites or clusters. Each forwarder cluster is configured to forward all its log messages to the main cluster and users connect to the main cluster, taking advantage of CFAPI for compression and resilience on the forwarding path. Forwarder clusters configured as top-of-rack can be configured with a larger local retention.
Cross-Forwarding for Redundancy
This vRealize Log Insight deployment scenario includes a cluster with forwarder that is extended and mirrored. Two main clusters are used for indexing, storage, and query. One main cluster is in each data center. Each is front-ended with a pair of dedicated forwarder clusters. All log sources from all top-of-rack aggregations concentrate at the forwarder clusters. You can independently query the same logs on both retention clusters.
vRealize Log Insight Integrated Load Balancer
To properly balance traffic across nodes in a cluster and to minimize administrative overhead, use the Integrated Load Balancer (ILB) for all deployments. This ensures that incoming ingestion traffic is accepted even if some vRealize Log Insight nodes are unavailable.