vRealize Log Insight supports event forwarding to other clusters and standalone instances. While forwarding events, the vRealize Log Insight instance still ingests, stores and archives events locally.

You forward syslog data in vRealize Log Insight by using the Ingestion API or a native syslog implementation.

The vRealize Log Insight Ingestion API uses TCP communication. In contrast to syslog, the forwarding module supports the following features for the Ingestion API:

- Forwarding to other vRealize Log Insight instances.
- Both structured and unstructured data, that is, multi-line messages.
- Metadata in the form of tags.
- Client-side compression.
- Configurable disk-backed queue to save events until the server acknowledges the ingestion.

Protocol for Event Forwarding Across Regions Design Decision

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-OPS-LOG-024 | Forward log events to the other region by using the Ingestion API. | The forwarding protocol supports structured and unstructured data, and provides client-side compression and event throttling from one vRealize Log Insight cluster to the other. Forwarding ensures that during a disaster recovery situation the administrator has access to all logs from the two regions even if one region is offline. | You must configure each region to forward log data to the other. The configuration requires administrative overhead to prevent recursion of logging between regions via inclusion and exclusion tagging. Log forwarding adds more load on each region. You must consider log forwarding in the sizing calculations for the vRealize Log Insight cluster in each region. You must configure an identical size on both the source and destination clusters. |
| SDDC-OP-LOG-025 | Configure log forwarding to use SSL. | Ensures that the log forwarding operations from one region to the other are secure. | Event forwarding with SSL does not work with the self-signed certificate that is installed on the destination servers by default. You must set up a custom CA-signed SSL certificate. If additional vRealize Log Insight nodes are added to a region's cluster, the SSL certificate used by the other region's vRealize Log Insight cluster must be injected into that node's Java keystore before SSL can be used. |
| SDDC-OP-LOG-026 | Configure disk cache for event forwarding to 2,000 MB (2 GB). | Ensures that log forwarding between regions has a buffer for approximately 2 hours if a cross-region connectivity outage occurs. The disk cache size is calculated at a base rate of 150 MB per day per syslog source with 105 syslog sources. | If the event forwarder of vRealize Log Insight is restarted during the cross-region communication outage, messages that reside in the non-persistent cache will be cleared. If a cross-region communication outage exceeds 2 hours, the oldest local events are dropped and not forwarded to the remote destination even after the cross-region connection is restored. |
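
The recursion risk named in the implications for SDDC-OPS-LOG-024, shown as an added example that is not part of the original page and is not product code: a small Python model of two clusters that forward to each other, run with and without an exclusion filter on a forwarding tag. The tag name `forwarded_from`, the region names, the hop cap and the sample events are assumptions made for the illustration.

```python
from collections import Counter
from dataclasses import dataclass, field

FWD_TAG = "forwarded_from"  # hypothetical tag name, not a product default


@dataclass
class Cluster:
    """Minimal model of one region's cluster: ingest, store locally, forward."""
    region: str
    exclude_forwarded: bool            # exclusion filter on the forwarder
    store: list = field(default_factory=list)
    peer: "Cluster" = None

    def ingest(self, text, tags=None, hops=0):
        tags = dict(tags or {})
        self.store.append((text, tags))            # events are always kept locally
        if self.exclude_forwarded and FWD_TAG in tags:
            return                                 # came from the peer: do not send back
        if hops >= 6:                              # cap so the unfiltered run terminates
            return
        # Inclusion tagging: mark the event with the region that forwards it.
        self.peer.ingest(text, {**tags, FWD_TAG: self.region}, hops + 1)


def run(exclude_forwarded):
    a = Cluster("region-a", exclude_forwarded)
    b = Cluster("region-b", exclude_forwarded)
    a.peer, b.peer = b, a
    # Constructed sample events, one local source per region.
    a.ingest("sshd: failed password for admin")
    b.ingest("esxi: host entered maintenance mode")
    return a, b


def copies(cluster):
    """Number of stored copies per message text."""
    return Counter(text for text, _ in cluster.store)


if __name__ == "__main__":
    for flag in (True, False):
        a, b = run(flag)
        print(f"exclude_forwarded={flag}")
        for c in (a, b):
            print(f"  {c.region}: {dict(copies(c))}")
```

With the filter, each region holds every event exactly once. Without it, the same event bounces between regions until the model's hop cap stops it, which is the duplicate storage and extra load the exclusion tagging is meant to prevent.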