Logs Deployment & Use

Phase: Post-Deployment (Day 2+)

This guide covers deploying VCF Operations for Logs (log analytics) and configuring core VCF components to forward logs into it.

2. Prerequisites

443/tcp to access the Logs UI/API
Syslog ingestion (choose one):
- 514/udp (easy, but lossy)
- 514/tcp (recommended for lab reliability)
- 6514/tcp (syslog over TLS, if you enable/configure it)

Deploy the Logs appliance from SDDC Manager (the exact menu label varies slightly by release, but it is under the VCF/Operations lifecycle area).

Make sure Fleet Management has downloaded intall binaries for 9.0.2 - Operations —> Fleet Management —> Lifecycle —> Binary Management
From Lifecycle —> Overview Add operations-logs
New Install

![CleanShot 2026-02-15 at 20.02.25@2x](/img/guides/vcf-9-lab/CleanShot 2026-02-15 at 20.02.25@2x.png)
Generate a new certificate for the deployment - a wildcard works *.pgnet.io

![CleanShot 2026-02-15 at 20.15.15@2x](/img/guides/vcf-9-lab/CleanShot 2026-02-15 at 20.15.15@2x.png)

Deploying logs appliance on second cluster.

Config:

Component	Hostname	IP Address	Details
Master Node	`logvm.pgnet.io`	`10.200.1.25`	VM Name: `pg-vm-vcflog`
Cluster VIP	`log.pgnet.io`	`10.200.1.19`	Type: `vrli-cluster-1`
Node Size	`small`	—	Version: `9.0.2.0`
Admin Email	`admin@pgnet.io`	—	SSO Enabled: `false`

Open https://log.pgnet.io and confirm the UI loads.
Confirm you can authenticate with the local/admin account created during deployment.

If you’re using the VCF embedded Identity Broker for the Operations suite, enable SSO for Logs the same way you did for Operations/Automation.

Follow the identity broker setup in Part 4.
In the VCF Operations suite SSO settings, ensure VCF Operations for Logs is enabled for the same SSO domain.

Start by onboarding the highest-signal sources first: vCenter, NSX, SDDC Manager, and ESXi.

Configure VCSA remote syslog forwarding to log.pgnet.io.

In the VCSA management UI (https://vc.pgnet.io:5480) configure Syslog to forward to the Logs appliance.
Example destination (TCP syslog): tcp://log.pgnet.io:514

Configure each host to forward syslog to log.pgnet.io.

Configure NSX to forward syslog events to log.pgnet.io.

In NSX Manager: configure a Syslog server and point it at the Logs appliance.
Prefer TCP (or TLS) over UDP for NSX audit + system events.

Configure SDDC Manager to forward logs/events to log.pgnet.io where supported.

Open https://log.pgnet.io.
Confirm ingestion by searching for a known hostname (examples): vc.pgnet.io, nsx.pgnet.io, sddc.pgnet.io, pgesxa1.pgnet.io.
Create a saved query for common triage:
- auth failures (SSO/LDAPS)
- certificate/TLS errors
- NSX edge/BGP events

In the Logs UI, confirm you see events from vc.pgnet.io within a few minutes of enabling forwarding.
If ESXi forwarding is enabled, search for pgesxa1.pgnet.io and validate new events arrive as you generate activity (e.g., login/logout).
If nothing arrives, validate the source can reach log.pgnet.io on the chosen syslog port.

No logs arriving: confirm network reachability from sources to log.pgnet.io and verify each component’s syslog setting.
TLS/cert errors: ensure time sync is correct and that the relevant trust chain is installed.
SSO problems: validate the identity broker config in Part 4 and confirm group mappings.