You can configure VMware Aria Operations for Logs (SaaS) to forward all or a subset of incoming log events to a syslog or HTTP endpoint. The endpoint can be a SaaS endpoint such as Splunk or an on-premise endpoint such as VMware Aria Operations for Logs. You can use log forwarding to feed existing logging tools such as a SIEM and to consolidate logging across different networks such as a DMZ or WAN.

For example, you might want to send all logs to the VMware Aria Operations for Logs (SaaS) service and then have the service forward any security-related log events it receives to the endpoint used by your security team. When you configure log forwarding, you specify a filter to select which events are forwarded. You can also forward the SDDC audit logs that are automatically sent to VMware Aria Operations for Logs (SaaS).

Prerequisites

  • Verify that you are logged in to the VMware Aria Operations for Logs (SaaS) web user interface as an organization owner or administrator.
  • To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Navigate to Log Management > Log Forwarding.
  3. Click New Configuration.
  4. Provide the following information:
    Name: A unique display name for the log forwarding configuration.
    Destination: Select Cloud if the endpoint can be accessed from the WAN; otherwise, select On Premises.
    Cloud Proxy: Select a Cloud Proxy that the system uses to forward logs to the destination.
      Note: This setting is required only if the destination is an on-premise endpoint.
      Important: The Cloud Proxy is deprecated. You can continue to use your existing Cloud Proxy configurations, but there will be no new feature updates to the Cloud Proxy.
    Endpoint Type: The type of endpoint to which messages are forwarded. One of:
      • Operations for Logs (On-Premises): The destination is a VMware Aria Operations for Logs server.
      • Splunk: The destination is a Splunk server or cloud. To forward all fields to Splunk, select the Forward all fields check box.
        Note: If you do not select the check box, only these fields are forwarded: log_timestamp, source, host, event, and sddc_id.
      • UDP: The destination is listening on a UDP port. Select the format in which the messages are forwarded:
        JSON - Forwards messages in JSON format. This is the default format.
        RAW - Forwards messages in RAW format. When logs are forwarded using RAW, the behavior is similar to syslog: each log is forwarded exactly as it was received, without a custom syslog header added by VMware Aria Operations for Logs (SaaS).
      • TCP: The destination is listening on a TCP port. Select the format in which the messages are forwarded:
        JSON - Forwards messages in JSON format. This is the default format.
        RAW - Forwards messages in RAW format. When logs are forwarded using RAW, the behavior is similar to syslog: each log is forwarded exactly as it was received, without a custom syslog header added by VMware Aria Operations for Logs (SaaS).
      • Default: Forwards messages to any endpoint that is accessible on the public-facing internet.
    Endpoint URL: The URL of the destination endpoint, in the format required by the endpoint type:
      • Operations for Logs (On-Premises): https://operations_for_logs-server:9543/api/v1/events/ingest/log-intelligence, where operations_for_logs-server is the host address or host name of the VMware Aria Operations for Logs server.
        Note: You must use port 9543 to forward logs to the VMware Aria Operations for Logs instance. Port 443 is not supported.
      • Splunk: The Splunk server or forwarder URL.
      • UDP: A URL in the format udp://10.197.11.148:514.
      • TCP: A URL in the format tcp://10.197.11.148:514. To secure the connection to the TCP endpoint with SSL, click Use SSL. If the SSL certificate presented by the endpoint is untrusted, you can accept the certificate when you verify your configuration.
        Note: To use SSL, ensure that the TCP endpoint is configured to listen for SSL-encrypted traffic.
    Query: Filters log messages so that only logs containing the text you enter are forwarded. At least one filter is required. To add more filters, click Add Filter. Optionally, click the magnifying glass icon to preview the filtered results.
    Headers (optional): One or more headers with predefined values. The headers carry authorization information for the endpoint and are added to the HTTP request when logs are forwarded to the endpoint URL.
      Note: You cannot add headers for TCP and UDP endpoints.
    Tags (optional): A tag name and predefined value. Tags let you query events more easily. You can add multiple comma-separated tags.
  5. To test your configuration, click Verify.
  6. For a TCP endpoint, if you have selected the Use SSL check box and the endpoint has an untrusted SSL certificate, a dialog box appears with the details of the certificate. Click Accept to add the certificate to the truststore and save the configuration. Skip the next step.
    If you click Cancel, the certificate is not added to the truststore and the connection with the endpoint fails. You must accept the certificate to save your configuration.
    Note: You can accept the SSL certificate only if you are an organization owner.
  7. Click Save.
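The following is an added example, not VMware code: a preflight check that encodes the endpoint rules from the procedure above (port 9543 and the fixed ingest path for the on-premises endpoint, udp:// and tcp:// URLs with a port, no headers on TCP or UDP endpoints, at least one filter, a Cloud Proxy for On Premises destinations) so a configuration can be reviewed before you click Verify. The configuration dictionary keys (name, destination, cloud_proxy, endpoint_type, endpoint_url, use_ssl, filters, headers) are assumptions made for this example.

```python
from urllib.parse import urlparse

# Constructed example, not VMware code: preflight checks for a log forwarding
# configuration, using the rules stated in the procedure.
ONPREM_PATH = "/api/v1/events/ingest/log-intelligence"
ONPREM_PORT = 9543  # port 443 is not supported for the on-premises endpoint
ENDPOINT_TYPES = ("Operations for Logs (On-Premises)", "Splunk", "UDP", "TCP", "Default")


def _port(url):
    """Return the port of a parsed URL, or None if it is absent or malformed."""
    try:
        return url.port
    except ValueError:
        return None


def validate_forwarding_config(cfg):
    """Return a list of problems found in the configuration dict (assumed keys:
    name, destination, cloud_proxy, endpoint_type, endpoint_url, use_ssl, filters, headers)."""
    problems = []
    if not cfg.get("name"):
        problems.append("Name is required")
    if cfg.get("destination") == "On Premises" and not cfg.get("cloud_proxy"):
        problems.append("an On Premises destination requires a Cloud Proxy")
    if not cfg.get("filters"):
        problems.append("at least one query filter is required")
    etype = cfg.get("endpoint_type")
    if etype not in ENDPOINT_TYPES:
        problems.append(f"unknown endpoint type {etype!r}")
        return problems
    url = urlparse(cfg.get("endpoint_url") or "")
    if not url.netloc:
        problems.append("Endpoint URL must include a host")
    if etype == "Operations for Logs (On-Premises)":
        if url.scheme != "https":
            problems.append("on-premises endpoint URL must use https")
        if _port(url) != ONPREM_PORT:
            problems.append(f"on-premises endpoint must use port {ONPREM_PORT}; port 443 is not supported")
        if url.path != ONPREM_PATH:
            problems.append(f"on-premises endpoint path must be {ONPREM_PATH}")
    elif etype in ("UDP", "TCP"):
        if url.scheme != etype.lower():
            problems.append(f"{etype} endpoint URL must start with {etype.lower()}://")
        if _port(url) is None:
            problems.append(f"{etype} endpoint URL must include a port, e.g. {etype.lower()}://host:514")
        if cfg.get("headers"):
            problems.append(f"headers cannot be added for {etype} endpoints")
        if etype == "TCP" and not cfg.get("use_ssl"):
            problems.append("warning: TCP endpoint without Use SSL forwards log data in clear text")
    return problems
```

The clear-text warning for TCP without Use SSL is advisory rather than a rule enforced by the product; the remaining checks mirror constraints the user interface itself enforces.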