You can configure VMware Log Intelligence to forward incoming events to vRealize Log Insight, Splunk, or another destination.

For example, you might send all logs to VMware Log Intelligence and then have Log Intelligence forward any security-related log events it receives to the endpoint used by your security team. When you configure log forwarding, you specify a filter to select which events are forwarded. You can also forward the SDDC audit logs that are automatically sent to VMware Log Intelligence.

Prerequisites

To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Navigate to Log Management > Log Forwarding.
  3. Click New Configuration.
  4. Provide the following information:
    Name                Description
    Name                A display name for this log forwarding configuration.
    Cloud Proxy         The Cloud Proxy from which you want to forward messages. Select a Cloud Proxy from the drop-down menu.
    Endpoint Type       The endpoint to which messages are forwarded. Select one of the following items on the drop-down menu:
                        • Default
                        • vRealize Log Insight
                        • Splunk
    Endpoint URL        The URL for the destination endpoint.
    Tags (optional)     A tag name and predefined value. Tags permit you to more easily query events. You can add multiple comma-separated tags.
    Headers (optional)  Authorization information for the destination endpoint.
    Query               Filters messages to send only those that contain the text you specify. At least one filter is required. Click the pen icon to display the query form. Multiple filters are supported.
  5. Click the magnifying glass icon to preview the filtered results, which are displayed in the graph and list of events on the Log Forwarding Configurations page.
  6. Click Save.

Example

The following example illustrates a log forwarding configuration for audit logs, filtering and directing them to an instance of vRealize Log Insight.