You can configure vRealize Log Insight Cloud to forward all or a subset of incoming log events to a syslog or HTTP endpoint. The endpoint can be a SaaS endpoint such as Splunk or an on-premise endpoint such as vRealize Log Insight. You can use log forwarding to support existing logging tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.

For example, you might want to send all logs to the vRealize Log Insight Cloud service and then have the service forward any log events it receives related to security to the endpoint used by your security team. When you configure log forwarding, you specify a filter to select which events are forwarded. You can also forward the SDDC audit logs that are automatically sent to vRealize Log Insight Cloud.

Prerequisites

  • Verify that you are logged in to the vRealize Log Insight Cloud web user interface as an administrator.

  • To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded.

Procedure

  1. Click the two arrows icon in the upper-left corner of the screen to expand the main menu.
  2. Navigate to Log Management > Log Forwarding.
  3. Click New Configuration.
  4. Provide the following information:

     Name
       A unique display name for the log forwarding configuration.

     Destination
       Select Cloud if the endpoint can be accessed from the WAN; otherwise, select On Premise.

     Cloud Proxy
       Select a Cloud Proxy that the system uses to forward logs to the destination.
       Note: This setting is required only if the destination is an on-premise endpoint.

     Endpoint Type
       The endpoint to which messages are forwarded:
         vRealize Log Insight: The destination is a vRealize Log Insight server.
         Splunk: The destination is a Splunk server or cloud.
         UDP: The destination is listening on a UDP port. Messages are forwarded in JSON format.
         TCP: The destination is listening on a TCP port. Messages are forwarded in JSON format.
         Default: All other scenarios.

     Endpoint URL
       The URL for the destination endpoint, in the format for the endpoint type:
         vRealize Log Insight: The URL is in the format log-insight-server/api/v1/events/ingest/log-intelligence, where log-insight-server is the host address or host name of the vRealize Log Insight server.
         Splunk: The Splunk server or forwarder URL.
         UDP: The URL is in the format udp://10.197.11.148:514.
         TCP: The URL is in the format tcp://10.197.11.148:514.

     Query
       Filters log messages so that only those containing the text you enter are forwarded. At least one filter is required.
       To add more filters, click Add Filter. Optionally, click the magnifying glass icon to preview the filtered results.

     Headers (optional)
       One or more headers with predefined values. The headers carry authorization information for the endpoint and are added to the HTTP request when logs are forwarded to the endpoint URL.
       Note: You cannot add headers for TCP and UDP endpoints.

     Tags (optional)
       A tag name and predefined value. Tags let you query events more easily. You can add multiple comma-separated tags.
  5. To test your configuration, click Verify.
  6. Click Save.
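Before clicking Verify, it helps to check the Endpoint URL against the formats in step 4 and to make sure the receiver on the TCP/UDP side reassembles the forwarded JSON events correctly. The following is an added example, not VMware's code: it assumes one JSON object per newline-terminated line (the page does not state the framing) and uses constructed sample events.

```python
import json
from urllib.parse import urlsplit

VRLI_INGEST_PATH = "/api/v1/events/ingest/log-intelligence"  # from the procedure

def check_endpoint_url(endpoint_type, url):
    """Return problems with a destination URL; [] means it matches the procedure."""
    problems = []
    # The vRLI format has no scheme; add one so urlsplit sees host and path.
    parts = urlsplit(url if "://" in url else "https://" + url)
    if endpoint_type == "vRealize Log Insight":
        if parts.path != VRLI_INGEST_PATH:
            problems.append("path must be " + VRLI_INGEST_PATH)
    elif endpoint_type in ("TCP", "UDP"):
        # TCP/UDP endpoints take no headers, so nothing in the message
        # authenticates the sender: restrict the listener by network policy.
        if parts.scheme != endpoint_type.lower():
            problems.append("scheme must be %s://" % endpoint_type.lower())
        if parts.port is None:
            problems.append("port is required, e.g. :514")
    return problems

def decode_json_events(buf):
    """Decode newline-framed JSON events from received bytes (framing assumed).
    TCP is a stream, so one read may hold half an event or several: the
    unfinished tail is returned for the next read; bad records are counted."""
    events, bad = [], 0
    *lines, tail = buf.split(b"\n")
    for line in lines:
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, tail, bad

# Constructed sample reads: the second event is split across two TCP reads.
SAMPLE_READS = [
    b'{"text":"sshd: Failed password for root","hostname":"web01"}\n'
    b'{"text":"audit: user added to admin',
    b' group","hostname":"idm01"}\n',
]

def receive_sample():
    # Reassemble SAMPLE_READS the way a receiver loop would.
    tail, received = b"", []
    for chunk in SAMPLE_READS:
        events, tail, _ = decode_json_events(tail + chunk)
        received.extend(events)
    return received
```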