You can configure a vRealize Log Insight server to forward incoming events to a syslog or Ingestion API target.

About this task

Use event forwarding to send filtered or tagged events to one or more remote destinations such as vRealize Log Insight or syslog or both. Event forwarding can be used to support existing logging tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.

Note:

Event forwarders can be standalone or clustered, but an event forwarder is a separate instance from the remote destination. Instances configured for event forwarding also store events locally and can be used to query data.

Prerequisites

Verify that you are logged in to the vRealize Log Insight web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

Verify that the destination can handle the number of events that are forwarded. If the destination cluster is much smaller than the forwarding instance, some events might be dropped.

Procedure

  1. Click the configuration drop-down menu icon and select Administration.
  2. Under Management, click Event Forwarding.
  3. Click New Destination and provide the following information.

    Option

    Description

    Name

    A unique name for the new destination.

    Host

    The IP address or fully qualified domain name.

    Caution:

    A forwarding loop is a configuration in which a vRealize Log Insight cluster forwards events to itself, or to another cluster, which then forwards the events back to the original cluster. Such a loop may create an indefinite number of copies of each forwarded event. The vRealize Log Insight Web interface does not permit you to configure an event to be forwarded to itself. But vRealize Log Insight is not able to prevent an indirect forwarding loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B forwarding the same events back to A. When creating forwarding destinations, take care not to create indirect forwarding loops.

    Protocol

    Ingestion API or syslog. The default value is Ingestion API (CFAPI).

    When events are forwarded using the Ingestion API, the event's original source is preserved in the source field. When events are forwarded using syslog, the event's original source is lost and the receiver may record the message's source as the vRealize Log Insight forwarder's IP address or hostname.

    Note:

    The source field may have different values depending on the protocol selected on the Event Forwarder:

    1. For the ingestion API, the source is the initial sender's (the event originator) IP address.

    2. For syslog, the source is the Event Forwarder's vRealize Log Insight instance IP address. Also, the syslog message text contains _li_source_path which points to the initial sender's IP address.

    Use SSL

    You can optionally secure the connection with SSL for the ingestion API. The remote server's trust root is validated and Event Forwarding with SSL does not work with self-signed certificates installed on destination servers by default. If untrusted, import the remote server's trusted root certificate to the forwarder's keystore. See Configure vRealize Log Insight Event Forwarding with SSL.

    Tags

    You can optionally add tag pairs with predefined values. Tags permit you to more easily query events. You can add multiple comma-separated tags.

    Forward Complementary tags

    You can choose whether to forward complementary tags for syslog.

    Complementary tags are tags added by the cluster itself, such as 'vc_username' or 'vc_vmname.' and can be forwarded with the tags coming directly from sources. Complementary tags are always forwarded when Ingestion API is used.

    Transport

    Select a transport protocol for syslog. You can choose UDP or TCP.

  4. (Optional) : To control which events are forwarded, click Add Filter.

    Select fields and constraints to define the desired events. Only static fields are available for use as filters. If you do not select a filter, all events are forwarded. You can see the results of the filter you are building by clicking Run in Interactive Analytics.

    Option

    Description

    matches

    Finds strings that match the specified string and wildcard specification.

    For example, test* matches strings such as test123 or test-run, but not my-test-run. test matches test, but not test123.

    does not match

    Excludes strings that match that specified string and wildcard specification.

    For example, test* filters out test123, but does not exclude mytest123.

    starts with

    Finds strings that start with the specified character string.

    For example, test finds test123 or test, but not my-test123.

    does not start with

    Excludes strings that start with the specified character string.

    For example, test filters out test123, but not my-test123.

  5. (Optional) : Click Show Advanced Settings to modify the following forwarding information.

    Option

    Description

    Port

    The port to which events are sent on the remote destination. The default value is set based on the protocol specified. Do not change unless the remote destination listens on a different port.

    Disk Cache

    The amount of local disk space to reserve for buffering events that you configure to be forwarded. Buffering is used when the remote destination is unavailable or unable to process the events being sent to it. If the local buffer becomes full and the remote destination is still unavailable, then the newest local events are dropped and not forwarded to the remote destination even when the remote destination is back online. The default value is 200 MB.

    Worker Count

    The number of simultaneous outgoing connections to use. Set a higher worker count for a higher network latency to the forwarded destination and for a higher number of forwarded events per second. The default value is 8.

  6. To verify your configuration, click Test.
  7. Click Save.

What to do next