Log Insight Reference Architectures Part 1/4

The topic of reference architectures keeps coming up with Log Insight so I thought I would cover it over a series of blog posts. In this post, I will start with the basic concepts.



Log Insight support the following components today:

  • Server: A server used for ingestion and query at a minimum though could be used for selective event forwarding
  • Forwarder: A server used for ingestion and event forwarding though typically not query
  • Agent: A way to send events on particular clients to a server, forwarder or third-party syslog destination



In the case of a server or forwarder you could either have a standalone instance or a clustered instance. A clustered instance requires a load balancer and Log Insight offers an integrated load balancer.



Of course you need to be able to get data into Log Insight as well as data out of Log Insight. The supported options today are listed below.

  • Ingestion: Syslog = TCP/514, TCP/1514, UDP/514, Ingestion API (CFAPI) = TCP/9000, TCP/9543
  • Query: Web = 80/443



In this post, I discussed the Log Insight components, deployments and input/output supported. Next, I will cover the evolution of deployment options and high availability.

© 2015, Steve Flanders. All rights reserved.

Leave a Reply