Architecting a vRealize Log Insight Solution : Sample Syslog Design Scenarios : 10.2 Design Scenario B
10.2 Design Scenario B
This design scenario features a redundant NOC architecture. For legal compliance reasons, the provider requires that log messages be sent to and stored at two different geographical locations. The data center is located at the same site as the primary NOC (London), where the out-of-band management infrastructure, including vRealize Log Insight and vRealize Operations Manager, is located. The second NOC is located in Paris, where an additional vRealize Log Insight cluster has been provisioned.
The data center houses a single syslog aggregator that forwards logs to the remote secondary NOC in Paris. Because these logs traverse a public network, they must be secured using SSL.
The service provider has 1350 source devices logging messages and requires two large vRealize Log Insight cluster nodes to meet the ingestion requirements. To allow for a single host failure without causing ingest pipeline congestion on the remaining instances, three nodes will need to be configured to meet the provider’s requirement for syslog application high availability.
Some devices, such as VMware ESXi 4.x, support only a single syslog target. Depending on the provider’s requirements, this can create a challenge for the design, because syslog messages are dropped if the single syslog target becomes unavailable. One solution is to place a highly available load balancer pair, configured with a VIP, in front of two or more syslog servers. If one syslog server is unavailable, the other syslog server can still ingest and process the events.
In this design, each of the two NOCs employs an external load balancer to distribute log messages evenly across the cluster nodes.
Figure 13. Design Scenario B
The following information provides some specific comments about this scenario and accompanying solution design.
Design Quality: Redundant vRealize Log Insight appliances.
Architect Notes: Provides an HA solution along with meeting the source ingest requirement.

Design Quality: Hosts are to be configured to forward syslog data to two target addresses.
Architect Notes: esxcli system syslog config set --loghost='tcp://10.4.0.150:514,tcp://10.5.0.150:514'

Design Quality: Local syslog data is transported over TCP to the local NOC.
Architect Notes: TCP is the protocol of choice where the service provider requires assurance of message delivery.

Design Quality: A syslog aggregator is used to convert TCP messages to SSL and then forward them across a secure WAN link to the remote NOC.
Architect Notes: The use of a syslog aggregator in this design limits source traffic across the public network to a single address and provides a local target for client syslog configuration. In this design, traffic is also repackaged from TCP to SSL/TCP to meet the provider’s security requirements.
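The following script, added here as an example and not part of the original paper, wraps the esxcli command above in a repeatable procedure for an ESXi host (5.0 or later, where the esxcli system syslog namespace exists): it validates each target, applies the two-target loghost value, reloads the syslog service, opens the ESXi syslog firewall ruleset, and reads the configuration back for verification. The two VIP addresses are the placeholders from the design table.

```shell
#!/bin/sh
# Added example (not from the paper). Builds and applies a multi-target
# syslog configuration on an ESXi host; 10.4.0.150 / 10.5.0.150 are the
# placeholder VIPs used in the design table.

# Join the targets into the comma-separated --loghost value, rejecting any
# entry that is not of the form proto://host:port with a protocol ESXi accepts.
build_loghost() {
  out=""
  for t in "$@"; do
    case "$t" in
      tcp://*:[0-9]*|udp://*:[0-9]*|ssl://*:[0-9]*) ;;
      *) echo "unsupported syslog target: $t" >&2; return 1 ;;
    esac
    out="${out:+$out,}$t"
  done
  printf '%s' "$out"
}

# Apply the value, reload the syslog daemon so the change takes effect,
# allow outbound syslog through the ESXi firewall, then read the config back.
apply_loghost() {
  esxcli system syslog config set --loghost="$1" || return 1
  esxcli system syslog reload || return 1
  esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
  esxcli system syslog config get | grep -i 'Remote Host'
}

# Only touch the host when esxcli is actually present (i.e. when run on ESXi).
if command -v esxcli >/dev/null 2>&1; then
  apply_loghost "$(build_loghost tcp://10.4.0.150:514 tcp://10.5.0.150:514)"
fi
```

Without the reload step the new targets are not picked up, and without the firewall ruleset outbound syslog from the host is blocked, so the final `config get` is the check that both targets are in place.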