You can create log processing rules to filter logs. Filtering lets you drop irrelevant fields from log messages or entire log messages that are of no use.

Note:
  • Log processing rules are applied only to the logs that are ingested after you create and enable these rules.
  • All the actions that you perform on log processing configurations - create, modify, remove, deactivate, or enable, need about a minute to reflect in the system.

Procedure

  1. Expand the main menu and go to Log Management > Log Processing Rules.
  2. On the Filter Logs tab, click New Configuration.
  3. Provide the following information:
    Option Description
    Name A name for the log filter configuration.
    Fields Select Drop Entire Log or Drop Selected Fields.
    • If you choose Drop Entire Log, the entire logs matching the query criteria are filtered.
    • If you choose Drop Selected Fields, select one or more fields from the drop-down menu, so that only the selected fields are filtered, and not the entire logs.
    Apply to all logs / Apply to specific logs Apply the log filter configuration to all the logs or to specific logs. If you apply the configuration to specific logs, you can add query criteria for single or multiple fields, so that only the logs that match the criteria are filtered.
    Note: You cannot select Apply to all logs if you slected Drop Entire Log, as a combination of these selections drops all the logs that are ingested.
  4. To activate the filtering of logs even before they are ingested into VMware Aria Operations for Logs (SaaS), click the Filter at Source toggle button.
    Important:

    The Cloud Proxy is deprecated. You can continue to use your existing Cloud Proxy configurations, but there will be no new feature updates to the Cloud Proxy.

    Filtering logs before ingestion helps you save ingestion costs. However, activating log filtering at source for too many log filter rules might reduce the performance of your Cloud Proxies. For information about the maximum number of rules for different Cloud Native Collector and Cloud Proxy configurations, see Cloud Native Collector Resource Limits and Cloud Proxy Resource Limits.
    Note:
    • This option is applicable only for the logs sent to VMware Aria Operations for Logs (SaaS) through Cloud Proxy or Cloud Native Collector, and not for logs sent through FluentD or other agents.
    • While using this option, make sure you select fields that are known to the source. For example, if your source is ESXi, add filters on fields that are specific to the ESXi server. For example, appname and hostname. The same fields might not be applicable on another source such as the VMware NSX Manager.
    • You cannot use Regex and Glob patterns for filtering at the source level.
    • This option is activated by default for new configurations. For existing log filter configurations, this option is deactivated.
  5. Click Save.

What to do next

On the Filter Logs tab, you can:
  • Modify or remove the configuration. Click the three dots icon to the left of the configuration and select Edit or Delete.
  • Enable or deactivate the configuration. Click the toggle to the left of the configuration. The toggle is green when the configuration is enabled and gray when it is deactivated.