VVD 4.2 – vRealize Log Insight


Second part in VMware Validated Design for Operations Management is Logging architecture, which is presented by vRealize Log Insight.

vRealize Log Insight provides real-time log management and log analysis with machine learning-based intelligent grouping, high-performance searching, and troubleshooting across physical, virtual, and cloud environments.

vRealize Log Insight collects data from ESXi hosts using the syslog protocol. vRealize Log Insight has the following capabilities:

  • Connects to other VMware products, like vCenter Server, to collect events, tasks, and alarm data.
  • Integrates with vRealize Operations Manager to send notification events and enable launch in context.
  • Functions as a collection and analysis point for any system that is capable of sending syslog data.

vRealize Log Insight is available as a pre-configured virtual appliance in OVF. You deploy the OVF file of the virtual appliance once for each node. After node deployment, you access the product to set up cluster nodes according to their role and log in to configure the installation.

vRLI support different option of deployment, depending on your environment, events collecting and number of solutions monitoring :


There are two methods of deployment an instance of vRealize Log Insight :

  • Standalone node
  • Cluster of one master and at least two worker nodes. You can establish high availability by using the integrated load balancer (ILB).

Architecture of vRealize Log Insight :


vRealize Log Insight clients connect to the ILB Virtual IP (VIP) address, and use the syslog or the Ingestion API via the vRealize Log Insight agent to send logs to vRealize Log Insight. Users and administrators interact with the ingested logs using the user interface or the API.

There are different types of nodes in the architecture of vRLI :

Master Node – is the first required node on cluster. Master node is responsible for all activities, including queries and log ingestion. The master node also handles operations that are related to the lifecycle of a cluster, such as performing upgrades and addition or removal of worker nodes. The master node stores logs locally. If the master node is down, the logs stored on it become unavailable.

Worker Node – it is optional, used for scaling out the cluster in larger environments. Queries and log ingestion activities are processed to all available nodes. You must have at least two worker nodes to form a cluster with the master node. The worker node stores logs locally. If any of the worker nodes is down, the logs on the worker become unavailable.

Integrated Load Balancer (ILB)  – in cluster mode, the ILB is the centralized entry point which ensures that vRealize Log Insight accepts incoming ingestion traffic. Used for high availability. Periodically, the ILB performs a health check to determine whether
re-election is required. If the node that hosts the ILB Virtual IP (VIP) address stops responding, the VIP address is failed over to another node in the cluster via an election process. All queries against data are directed to the ILB.

Node in a vRealize Log Insight environment perform operations like :

  • Analyze logging data that is ingested from the components of a data center
  • Visualize the results in a Web browser, or support results query using API calls

Architecture of a vRLI node :


                              Product/Admin UI and API  – UI server is a Web application that serves as both user and administration interface.

Syslog Ingestion – Responsible for ingesting syslog logging data.

CFAPI Ingestion – Responsible for ingesting logging data over the ingestion API.

Integrated Load Balancer – Responsible for balancing incoming UI and API traffic, and incoming data ingestion traffic.

Configuration Database – Stores configuration information about the vRealize Log Insight nodes and cluster.

Log Repository – Stores logging data that is ingested in vRealize Log Insight. The logging repository is local to each node and not replicated.

vRealize Log Insight support different authentication methods like :

  • Microsoft Active Directory
  • Local Accounts
  • VMware Identity Manager

To add more value and extensibility on vRealize Log Insight cluster, we can install Content Packs. They provide out-of-the-box parsing capabilities for standard logging directories and logging formats, along with dashboards, extracted fields, alert definitions, query lists, and saved queries from the logging data. Check Solution exchange for more information and available content packs.

The best, recommended way is to integrate the vRealize Log Insight with vRealize Operations Manager, to provide data from multiple sources to a central place for monitoring the SDDC, by :

  • Sending notification events to vRealize Operations Manager.
  • Access to the vRealize Log Insight user interface is embedded in the vRealize Operations Manager user interface.
  • vRealize Operations Manager can provide the inventory map of any vSphere object to vRealize Log Insight.

In a multi-region implementation, vRealize Log Insight provides a separate logging infrastructure in each region of the SDDC, by creating cluster in each region. Event forwarding to other vRealize Log Insight deployments across regions in the SDDC.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.