vRealize Log Insight supports event forwarding to other clusters and standalone instances. Use log forwarding between VMware Cloud Foundation instances to have access to all logs if a disaster occurs in a VMware Cloud Foundation instance.

You forward syslog data in vRealize Log Insight by using the Ingestion API or a native syslog implementation. While forwarding events, the vRealize Log Insight instance still ingests, stores, and archives events locally.

The vRealize Log Insight Ingestion API uses TCP communication. In contrast to syslog, the forwarding module supports the following features for the Ingestion API:

  • Forwarding to other vRealize Log Insight instances

  • Support for both structured and unstructured data, that is, multi-line messages

  • Metadata in the form of tags

  • Client-side compression

Table 1. Design Decisions on Event Forwarding Across vRealize Log Insight Instances for Multiple VMware Cloud Foundation Instances

Decision ID

Design Decision

Design Justification

Design Implication

ILA-VRLI-CFG-026

In an environment with multiple VMware Cloud Foundation instances, forward log events to the other instance by using the Ingestion API.

Supports the following operations:

  • Structured and unstructured data for client-side compression

  • Event throttling from one vRealize Log Insight cluster to another.

In the event of a cross-instance outage, the administrator has access to all logs from the two VMware Cloud Foundation instances although one of the instances is offline.

  • You must configure each vRealize Log Insight cluster to forward log data to the cluster in the other VMware Cloud Foundation instance. The configuration introduces administrative overhead to prevent recursion of logging between instances using inclusion and exclusion tagging.

  • Log forwarding adds load to each instance. You must consider log forwarding in the sizing calculations for the vRealize Log Insight cluster in each instance.

  • You must configure identical size on both source and destination clusters.

ILA-VRLI-CFG-027

In an environment with multiple VMware Cloud Foundation instances, configure log forwarding to use SSL on port 9543.

Ensures that the log forward operations between instances are secure.

  • You must set up a custom CA- signed SSL certificate.

    Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default.

  • If you add vRealize Log Insight nodes to a cluster, the SSL certificate used by the vRealize Log Insight cluster in the other VMware Cloud Foundation instance must be installed in the Java keystore of all nodes before SSL can be used.