You can configure a vRealize Log Insight server to forward incoming events to a syslog or Ingestion API target.

Use event forwarding to send filtered or tagged events to one or more remote destinations such as vRealize Log Insight or syslog or both. Event forwarding can be used to support existing logging tools such as SIEM and to consolidate logging over different networks such as DMZ or WAN.

Event forwarders can be standalone or clustered, but an event forwarder is a separate instance from the remote destination. Instances configured for event forwarding also store events locally and can be used to query data.

The operators you use to create filters on the Forwarded Events page are different from the filters used on the interactive analytics page. See Using Event Forwarding Filters in Interactive Analytics for more information about using the Run in Interactive Analytics menu item to preview the results of your event filter.

Prerequisites

Verify that you are logged in to the vRealize Log Insight web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

Verify that the destination can handle the number of events that are forwarded. If the destination cluster is much smaller than the forwarding instance, some events might be dropped.

Procedure

  1. Navigate to the Administration tab.
  2. Under Management, click Event Forwarding.
  3. Click New Destination and provide the following information.
    Option Description
    Name A unique name for the new destination.
    Host The IP address or fully qualified domain name.
    Caution: A forwarding loop is a configuration in which a vRealize Log Insight cluster forwards events to itself, or to another cluster, which then forwards the events back to the original cluster. Such a loop might create an indefinite number of copies of each forwarded event. The vRealize Log Insight Web interface does not permit you to configure an event to be forwarded to itself. But vRealize Log Insight is not able to prevent an indirect forwarding loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B forwarding the same events back to A. When creating forwarding destinations, take care not to create indirect forwarding loops.
    Protocol

    Ingestion API, syslog, or RAW. The default value is Ingestion API (CFAPI).

    When events are forwarded using the Ingestion API, the event's original source is preserved in the source field. When events are forwarded using syslog, the event's original source is lost and the receiver can record the message's source as the vRealize Log Insight forwarder's IP address or hostname. When events are forwarded using RAW, the behavior is similar to syslog, but syslog RFC-compliance is not ensured. RAW forwards an event exactly the way it is received, without a custom syslog header added by vRealize Log Insight. This protocol is useful for third-party destinations, because they expect syslog events in their original form.

    Note:
    The source field might have different values depending on the protocol selected on the Event Forwarder:
    1. For the ingestion API, the source is the initial sender's (the event originator) IP address.
    2. For syslog and RAW, the source is the Event Forwarder's vRealize Log Insight instance IP address. Also, the message text contains _li_source_path which points to the initial sender's IP address.
    Use SSL You can optionally secure the connection with SSL for the ingestion API or syslog. If the SSL certificate provided by the forwarding destination is untrusted, you can accept the certificate when you test or save this configuration.
    Tags You can optionally add tag pairs with predefined values. Tags permit you to more easily query events. You can add multiple comma-separated tags.
    Forward Complementary tags You can select whether to forward complementary tags for syslog.

    Complementary tags are tags added by the cluster itself, such as 'vc_username' or 'vc_vmname.' and can be forwarded with the tags coming directly from sources. Complementary tags are always forwarded when Ingestion API is used.

    Transport Select a transport protocol for syslog. You can select UDP or TCP.
  4. To control which events are forwarded, click Add Filter.
    Select fields and constraints to define the desired events. Only static fields are available for use as filters. If you do not select a filter, all events are forwarded. You can see the results of the filter you are building by clicking Run in Interactive Analytics.
    Operator Description
    Matches Finds strings that match the string and wildcard specification, where * means zero or more characters and ? means zero or any single character. Prefix and postfix globbing is supported.

    For example, *test* matches strings such as test123 or my-test-run.

    does not match Excludes strings that match the string and wildcard specification, where * means zero or more characters and ? means zero or any single character. Prefix and postfix globbing is supported.

    For example, test* excludes test123, but not mytest123. ?test* excludes test123 and xtest123, but not mytest123.

    starts with Finds strings that start with the specified character string.

    For example, test finds test123 or test, but not my-test123.

    does not start with Excludes strings that start with the specified character string.

    For example, test filters out test123, but not my-test123.

  5. (Optional) To modify the following forwarding information, click Show Advanced Settings.
    Option Description
    Port The port to which events are sent on the remote destination. The default value is set based on the protocol. Do not change unless the remote destination listens on a different port.
    Worker Count The number of simultaneous outgoing connections to use. Set a higher worker count for a higher network latency to the forwarded destination and for a greater number of forwarded events per second. The default value is 8.
  6. To verify your configuration, click Test.
  7. If the forwarding destination provides an untrusted SSL certificate, a dialog box appears with the details of the certificate. Click Accept to add the certificate to the truststores of all the nodes in the vRealize Log Insight cluster.
    If you click Cancel, the certificate is not added to the truststores and the connection with the forwarding destination fails. You must accept the certificate for a successful connection.
  8. Click Save.
    If you did not test the configuration and the destination provides an untrusted certificate, follow the instructions in step 7.

What to do next

You can edit or clone an event forwarding destination. If you edit the destination to change an event forwarder name, all statistics are reset.