You can configure a vRealize Log Insight server to forward incoming events to a syslog or Ingestion API target in addition to storing and indexing events.
Verify that you are logged in to the vRealize Log Insight Web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
Verify that the destination can handle the number of events that are forwarded. If the destination cluster is much smaller than the forwarding instance, some events might be dropped.
- Click the configuration drop-down menu icon and select Administration.
- Under Management, click Event Forwarding.
- Click New Destination and provide the required information .
A unique name for the new destination.
The IP address or fully qualified domain name.Caution:
A forwarding loop is a configuration in which a vRealize Log Insight cluster forwards events to itself, or to another cluster, which then forwards the events back to the original cluster. Such a loop may create an indefinite number of copies of each forwarded event. The vRealize Log Insight UI does not permit configuring an event to be forwarded to itself. But vRealize Log Insight is not able to prevent an indirect forwarding loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B forwarding the same events back to A. When creating forwarding destinations, take care to not create indirect forwarding loops.
Ingestion API or syslog. The default value is Ingestion API (CFAPI). When events are forwarded using Ingestion API, the event's original source is preserved in the source field. When events are forwarded using syslog, the event's original source is lost and the receiver may record the message's source as the vRealize Log Insight forwarder's IP address or hostname.
Use SSL: When events are forwarded using Ingestion API, optionally secure the connection with SSL. The remote server's trust root is validated and Event Forwarding with SSL does not work with self-signed certificates installed on destination servers by default. If untrusted, import the remote server's trusted root certificate to the forwarder's keystore. See Configure vRealize Log Insight Event Forwarding with SSL.Note:
The source field may have different values depending on the protocol selected on the Event Forwarder:
For cfapi, the source is the initial sender's (the event originator) IP address.
For syslog, the source is the Event Forwarder's vRealize Log Insight instance IP address. Additionally, the syslog message text contains _li_source_path which points to the initial sender's IP address.
- (Optional) Add tags. Select the Include Static Fields option for static fields like vmvcname or vmusername, which are included into resultant syslog messages.
Tags let you add fields with predefined values to events for easier querying. You can add multiple comma-separated tags.
- (Optional) To control which events are forwarded, click Add Filter.
Select fields and constraints to define the desired events. Only static fields are available for use as filters. If you do not select a filter, all events are forwarded.
Finds strings that match the specified string and wildcard specification.
For example, test* matches strings such as test123 or test-run, but not my-test-run. test matches test, but not test123.
does not match
Excludes strings that match that specified string and wildcard specification.
For example, test* filters out test123, but does not exclude mytest123.
Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with
Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
- (Optional) Click Show Advanced Settings to modify the following forwarding options.
The port to which events are sent on the remote destination. The default value is set based on the protocol specified. Do not change unless the remote destination listens on a different port.
The amount of local disk space to reserve for buffering events that you configure to be forwarded. Buffering is used when the remote destination is unavailable or unable to process the events being sent to it. If the local buffer becomes full and the remote destination is still unavailable, then the oldest local events are dropped and not forwarded to the remote destination even when the remote destination is back online. The default value is 200 MB.
The number of simultaneous outgoing connections to use. Set a higher worker count for higher network latency to the forwarded destination and for higher number of forwarded events per second. The default value is 2.
- To verify your configuration, click Test.
- Click Save.
What to do next
You can edit or clone an event forwarding destination. If you edit the destination to change an event forwarder name, all statistics are reset.