You can configure a vRealize Log Insight server to forward incoming events to a syslog or Ingestion API target in addition to storing and indexing events.

Verify that you are logged in to the vRealize Log Insight Web user interface as a user with the Edit Admin permission. The URL format is https://log-insight-host, where log-insight-host is the IP address or host name of the vRealize Log Insight virtual appliance.

Verify that the destination can handle the number of events that are forwarded. If the destination cluster is much smaller than the forwarding instance, some events might be dropped.

1

Click the configuration drop-down menu icon and select Administration.

2

Under Management, click Event Forwarding.

3

Click New Destination and provide the required information .

Option

Description

Name

A unique name for the new destination.

Host

The IP address or fully qualified domain name.

Caution

A forwarding loop is a configuration in which a vRealize Log Insight cluster forwards events to itself, or to another cluster, which then forwards the events back to the original cluster. Such a loop may create an indefinite number of copies of each forwarded event. The vRealize Log Insight UI does not permit configuring events to be forwarded to itself. But vRealize Log Insight is not able to prevent an indirect forwarding loop, such as vRealize Log Insight cluster A forwarding to cluster B, and B forwarding the same events back to A. When creating forwarding destinations, take care to not create indirect forwarding loops.

Protocol

Ingestion API or syslog. The default value is Ingestion API. When events are forwarded using Ingestion API, the event's original source is preserved in the source field. When events are forwarded using syslog, the event's original source is lost and the receiver may record the message's source as the vRealize Log Insight forwarder's IP address or hostname.

Use SSL: When events are forwarded using Ingestion API, optionally secure the connection with SSL. The remote server's trust root is validated and Event Forwarding with SSL does not work with self-signed certificates installed on destination servers by default. If untrusted, import the remote server's trusted root certificate to the forwarder's keystore. See Configure vRealize Log Insight Event Forwarding with SSL.

Note

The source field may have different values depending on the protocol selected on the Event Forwarder:

a

For cfapi, the source is the initial sender's (the event originator) IP address.

b

For syslog, the source is the Event Forwarder's vRealize Log Insight instance IP address. Additionally, the syslog message text contains _li_source_path which points to the initial sender's IP address.

4

(Optional) Add tags. Select the Include Static Fields checkbox for static fields like vmvcname or vmusername, which will be included into resultant syslog messages.

Tags let you add fields with predefined values to events for easier querying. You can add multiple comma-separated tags.

5

(Optional) To control which events are forwarded, click Add Filter.

Select fields and constraints to define the desired events. If you do not select a filter, all events are forwarded. For more information, see the Searching and Filtering Log Events topic in the vRealize Log Insight User Guide.

6

(Optional) Click Show Advanced Settings to modify the following forwarding options.

Option

Description

Port

The port to which events are sent on the remote destination. The default value is set based on the protocol specified. Do not change unless the remote destination listens on a different port.

Disk Cache

The amount of local disk space to reserve for buffering events that you configure to be forwarded. Buffering is used when the remote destination is unavailable or unable to process the events being sent to it. If the local buffer becomes full and the remote destination is still unavailable, then the oldest local events are dropped and not forwarded to the remote destination even when the remote destination is back online. The default value is 200 MB.

Worker Count

The number of simultaneous outgoing connections to use. Set a higher worker count for higher network latency to the forwarded destination and for higher number of forwarded events per second. The default value is 2.

7

To verify your configuration, click Test.

8

Click Save.

Configure vRealize Log Insight Event Forwarding with SSL.

You can edit or clone an event forwarding destination. If you edit the destination to change an event forwarder name, all statistics are reset.