You can configure VMware Aria Operations for Logs (SaaS) to forward all or a subset of incoming log events to a syslog or HTTP endpoint. The endpoint can be a SaaS endpoint such as Splunk or an on-premise endpoint such as VMware Aria Operations for Logs. You can use log forwarding to support existing logging tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.
For example, you might want to send all logs to the VMware Aria Operations for Logs (SaaS) service and then have the service forward any log events it receives related to security to the endpoint used by your security team. When you configure log forwarding, you specify a filter to select which events are forwarded. You can also forward the SDDC audit logs that are automatically sent to VMware Aria Operations for Logs (SaaS).
Prerequisites
- Verify that you are logged in to the VMware Aria Operations for Logs (SaaS) web user interface as an organization owner or administrator.
- To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded.
Procedure
- Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
- Navigate to .
- Click New Configuration.
- Provide the following information:
  - Name: A unique display name for the log forwarding configuration.
  - Destination: Select Cloud if the endpoint can be accessed from the WAN; otherwise select On Premises.
  - Cloud Proxy: Select the Cloud Proxy that the system uses to forward logs to the destination. Note: This configuration is required only if the destination is an on-premise endpoint.
    Important: The Cloud Proxy is deprecated. You can continue to use your existing Cloud Proxy configurations, but there will be no new feature updates to the Cloud Proxy.
  - Endpoint Type: The endpoint to which messages are forwarded, one of:
    - Operations for Logs (On-Premises): The destination is a VMware Aria Operations for Logs server.
    - Splunk: The destination is a Splunk server or cloud. To forward all fields to Splunk, select the Forward all fields check box. Note: If you do not select the check box, only these fields are forwarded: log_timestamp, source, host, event, and sddc_id.
    - UDP: The destination is listening on a UDP port. Select the format in which the messages are forwarded:
      - JSON: Forward messages in JSON format. This is the default format.
      - RAW: Forward messages in RAW format. When logs are forwarded using RAW, the behavior is similar to syslog. RAW forwards a log exactly the way it is received, without a custom syslog header added by VMware Aria Operations for Logs (SaaS).
    - TCP: The destination is listening on a TCP port. Select the format in which the messages are forwarded; the JSON (default) and RAW options behave as described for UDP.
    - Default: Select this option to forward messages to any endpoint that is accessible on the public-facing internet.
  - Endpoint URL: The URL for the destination endpoint, in the format required by the endpoint type:
    - Operations for Logs (On-Premises): The URL is in the format https://operations_for_logs-server:9543/api/v1/events/ingest/log-intelligence, where operations_for_logs-server is the host address or host name of the VMware Aria Operations for Logs server.
      Note: You must use port 9543 to forward logs to the VMware Aria Operations for Logs instance. Port 443 is not supported.
    - Splunk: The Splunk server or forwarder URL.
    - UDP: The URL is in the format udp://10.197.11.148:514.
    - TCP: The URL is in the format tcp://10.197.11.148:514. To secure the connection with the TCP endpoint using SSL, click Use SSL. If the SSL certificate provided by the endpoint is untrusted, you can accept the certificate when you verify your configuration.
      Note: To use SSL, ensure that the TCP endpoint is configured to listen for SSL-encrypted traffic.
  - Query: Filters log messages so that only logs containing the text you enter are forwarded. At least one filter is required. To add more filters, click Add Filter. Optionally, click the magnifying glass icon to preview the filtered results.
  - Headers (optional): One or more headers with predefined values. The headers contain authorization information for the endpoint and are added to the HTTP request when forwarding logs to the endpoint URL.
    Note: You cannot add headers for TCP and UDP endpoints.
  - Tags (optional): A tag name and predefined value. Tags let you query events more easily. You can add multiple comma-separated tags.
- To test your configuration, click Verify.
- For a TCP endpoint, if you have selected the Use SSL check box and the endpoint has an untrusted SSL certificate, a dialog box appears with the details of the certificate. Click Accept to add the certificate to the truststore and save the configuration. Skip the next step. If you click Cancel, the certificate is not added to the truststore and the connection with the endpoint fails. You must accept the certificate to save your configuration.
  Note: You can accept the SSL certificate only if you are an organization owner.
- Click Save.
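The per-endpoint-type rules above (on-premise URL on port 9543 with the ingest path, udp:// and tcp:// URL shapes, no headers on TCP/UDP, at least one query filter, Cloud Proxy only for On Premises) can be checked before you click Verify. The following is an added example, not VMware code; the `ForwardingConfig` class, its field names and the assumption that Splunk and Default endpoints take an http(s) URL are this example's own.

```python
"""Pre-flight checks for a log forwarding configuration (added example, not
VMware code). Encodes the rules this page states for each Endpoint Type."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlparse

ONPREM_PORT = 9543  # port 443 is not supported for the on-premise endpoint
ONPREM_PATH = "/api/v1/events/ingest/log-intelligence"

@dataclass
class ForwardingConfig:  # hypothetical container for the form fields on this page
    name: str
    destination: str        # "Cloud" or "On Premises"
    endpoint_type: str      # "Operations for Logs (On-Premises)", "Splunk", "UDP", "TCP" or "Default"
    endpoint_url: str
    queries: List[str] = field(default_factory=list)
    headers: Dict[str, str] = field(default_factory=dict)
    cloud_proxy: Optional[str] = None

def validate(cfg: ForwardingConfig) -> List[str]:
    """Return the list of problems found; an empty list means the config passes."""
    problems = []
    u = urlparse(cfg.endpoint_url)
    try:
        port = u.port            # None when absent; ValueError when not numeric
    except ValueError:
        port = None
    if not cfg.name.strip():
        problems.append("Name is required")
    if not cfg.queries:
        problems.append("at least one query filter is required")
    if cfg.destination == "On Premises" and not cfg.cloud_proxy:
        problems.append("Cloud Proxy is required for an On Premises destination")
    kind = cfg.endpoint_type
    if kind == "Operations for Logs (On-Premises)":
        if u.scheme != "https" or port != ONPREM_PORT or u.path != ONPREM_PATH:
            problems.append(f"on-premise URL must be https://<server>:{ONPREM_PORT}{ONPREM_PATH}")
    elif kind in ("UDP", "TCP"):
        if u.scheme != kind.lower() or port is None:
            problems.append(f"{kind} URL must look like {kind.lower()}://host:port")
        if cfg.headers:
            problems.append("headers cannot be added for TCP and UDP endpoints")
    elif kind in ("Splunk", "Default"):
        # Assumption: these are HTTP endpoints, since headers go on the HTTP request.
        if u.scheme not in ("http", "https"):
            problems.append(f"{kind} endpoint URL must be an http(s) URL")
    else:
        problems.append(f"unknown endpoint type {kind!r}")
    return problems
```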