You can configure the Log Intelligence service to forward incoming events to vRealize Log Insight, Splunk, or another destination.
For example, you might want to send all logs to VMware Log Intelligence and then have Log Intelligence forward any security-related log events it receives to the endpoint used by your security team. When you configure log forwarding, you specify a filter to select which events are forwarded. You can also forward the SDDC audit logs that are automatically sent to VMware Log Intelligence.
To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded.
- On the main menu on the left of the screen, click the Manage menu.
- Click Log Forwarding to open the Log Forwarding page.
- Click New Configuration.
- Provide the following information:
  - A display name for this log forwarding configuration.
  - The Cloud Proxy from which you want to forward messages. Select a Cloud Proxy from the drop-down menu.
  - The endpoint to which messages are forwarded. Select one of the following items on the drop-down menu.
    - vRealize Log Insight
  - The URL for the destination endpoint.
  - A tag name and predefined value. Tags permit you to more easily query events. You can add multiple comma-separated tags.
  - Authorization information for the destination endpoint.
  - Filters messages to send only those that contain the text you specify. At least one filter is required. Click the pen icon to display the query form. Multiple filters are supported.
- Click the magnifying glass icon to preview the filtered results, which are displayed in the graph and list of events on the Log Forwarding Configurations page.
- Click Save.
The following example illustrates a log forwarding configuration for audit logs, filtering and directing them to an instance of vRealize Log Insight.