You can configure a vRealize Log Insight server to forward incoming events to a syslog or Ingestion API target.
Use event forwarding to send filtered or tagged events to one or more remote destinations such as vRealize Log Insight or syslog or both. Event forwarding can be used to support existing logging tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.
Event forwarders can be standalone or clustered, but an event forwarder is a separate instance from the remote destination. Instances configured for event forwarding also store events locally and can be used to query data.
The filters on the Forwarded Events page are different from those for interactive analytics. See Using Event Forwarding Filters in Interactive Analytics for more information about using the Run in Interactive Analytics menu item to preview the results of your event filter.
Verify that you are logged in to the vRealize Log Insight web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.
Verify that the destination can handle the number of events that are forwarded. If the destination cluster is much smaller than the forwarding instance, some events might be dropped.
- Click the configuration drop-down menu icon and select Administration.
- Under Management, click Event Forwarding.
- Click New Destination and provide the following information.
Option Description Name A unique name for the new destination. Host The IP address or fully qualified domain name.Caution: A forwarding loop is a configuration in which a vRealize Log Insight cluster forwards events to itself, or to another cluster, which then forwards the events back to the original cluster. Such a loop might create an indefinite number of copies of each forwarded event. The vRealize Log Insight Web interface does not permit you to configure an event to be forwarded to itself. But vRealize Log Insight is not able to prevent an indirect forwarding loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B forwarding the same events back to A. When creating forwarding destinations, take care not to create indirect forwarding loops. Protocol
Ingestion API or syslog. The default value is Ingestion API (CFAPI).
When events are forwarded using the Ingestion API, the event's original source is preserved in the source field. When events are forwarded using syslog, the event's original source is lost and the receiver can record the message's source as the vRealize Log Insight forwarder's IP address or hostname.Note:The source field might have different values depending on the protocol selected on the Event Forwarder:
- For the ingestion API, the source is the initial sender's (the event originator) IP address.
- For syslog, the source is the Event Forwarder's vRealize Log Insight instance IP address. Also, the syslog message text contains _li_source_path which points to the initial sender's IP address.
Use SSL You can optionally secure the connection with SSL for the ingestion API. The remote server's trust root is validated and Event Forwarding with SSL does not work with self-signed certificates installed on destination servers by default. If untrusted, import the remote server's trusted root certificate to the forwarder's keystore. See Configure vRealize Log Insight Event Forwarding with SSL. Tags You can optionally add tag pairs with predefined values. Tags permit you to more easily query events. You can add multiple comma-separated tags. Forward Complementary tags You can select whether to forward complementary tags for syslog.
Complementary tags are tags added by the cluster itself, such as 'vc_username' or 'vc_vmname.' and can be forwarded with the tags coming directly from sources. Complementary tags are always forwarded when Ingestion API is used.
Transport Select a transport protocol for syslog. You can select UDP or TCP.
- (Optional) To control which events are forwarded, click Add Filter.
Select fields and constraints to define the desired events. Only static fields are available for use as filters. If you do not select a filter, all events are forwarded. You can see the results of the filter you are building by clicking Run in Interactive Analytics.
Operator Description Matches Finds strings that match the specified string and wildcard specification, where * means zero or more characters and ? means zero or any single character. Prefix and postfix globbing is supported.
For example, *test* matches strings such as test123 or my-test-run.
does not match Excludes strings that match the specified string and wildcard specification, where * means zero or more characters and ? means zero or any single character. Prefix and postfix globbing is supported.
For example, test* filters out test123, but does not exclude mytest123. %test* does not filter out test123, but does exclude xtest123
starts with Finds strings that start with the specified character string.
For example, test finds test123 or test, but not my-test123.
does not start with Excludes strings that start with the specified character string.
For example, test filters out test123, but not my-test123.
- (Optional) To modify the following forwarding information, click Show Advanced Settings.
Option Description Port The port to which events are sent on the remote destination. The default value is set based on the protocol. Do not change unless the remote destination listens on a different port. Disk Cache The amount of local disk space to reserve for buffering events that you configure to be forwarded. Buffering is used when the remote destination is unavailable or unable to process the events being sent to it. If the local buffer becomes full and the remote destination is still unavailable, then the newest local events are dropped and not forwarded to the remote destination even when the remote destination is back online. The default value is 200 MB. Worker Count The number of simultaneous outgoing connections to use. Set a higher worker count for a higher network latency to the forwarded destination and for a greater number of forwarded events per second. The default value is 8.
- To verify your configuration, click Test.
- Click Save.
What to do next
- Configure vRealize Log Insight Event Forwarding with SSL.
- You can edit or clone an event forwarding destination. If you edit the destination to change an event forwarder name, all statistics are reset.