vRealize Log Insight supports event forwarding to other clusters and standalone instances. While forwarding events, the vRealize Log Insight instance still ingests, stores, and archives events locally.

You forward syslog data in vRealize Log Insight by using the Ingestion API or a native syslog implementation.

The vRealize Log Insight Ingestion API uses TCP communication. In contrast to syslog, the forwarding module supports the following features for the Ingestion API:

  • Forwarding to other vRealize Log Insight instances

  • Both structured and unstructured data, that is, multi-line messages

  • Metadata in the form of tags

  • Client-side compression

  • Configurable disk-backed queue to save events until the server acknowledges the ingestion

Table 1. Design Decisions about Event Forwarding Across Regions in vRealize Log Insight

Decision ID

Design Decision

Design Justification

Design Implication

SDDC-OPS-LOG-032

Forward log event to the other region by using the Ingestion API.

Using the forwarding protocol supports the following operations:

  • Structured and unstructured data for client-side compression

  • Event throttling from one vRealize Log Insight cluster to the other.

Forwarding ensures that during a disaster recovery situation the administrator has access to all logs from the two regions although one region is offline.

  • You must configure each region to forward log data to the other. The configuration requires administrative overhead to prevent recursion of logging between regions using inclusion and exclusion tagging.

  • Log forwarding adds more load on each region. You must consider log forwarding in the sizing calculations for the vRealize Log Insight cluster in each region.

  • You must configure identical size on both source and destination clusters.

SDDC-OP-LOG-033

Configure log forwarding to use SSL.

Ensures that the log forward operations from one region to the other are secure.

  • You must set up a custom CA-signed SSL certificate.

    Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default.

  • If you add more vRealize Log Insight nodes to a region's cluster, the SSL certificate used by the vRealize Log Insight cluster in the other region must be installed in that the Java keystore of the nodes before SSL can be used.

SDDC-OP-LOG-034

Configure disk cache for event forwarding to 2,000 MB (2 GB).

Ensures that log forwarding between regions has a buffer for approximately 2 hours if a cross-region connectivity outage occurs. The disk cache size is calculated at a base rate of 150 MB per day per syslog source with 110 syslog sources.

  • If the event forwarder of vRealize Log Insight is restarted during the cross-region communication outage, messages that reside in the non-persistent cache will be cleared.

  • If a cross-region communication outage exceeds 2 hours, the newest local events are dropped and not forwarded to the remote destination even after the cross-region connection is restored.