
Filter and Forward VMware Cloud on AWS events from Log Intelligence to various endpoints

In this blog post, I will show how to filter and forward VMware Cloud on AWS events from Log Intelligence to various endpoints.

Value of Log Forwarding Capability

Log Intelligence allows you to forward logs to the following supported endpoints. You can forward all VMC logs or use filters to forward specific logs by following the procedure described below.

  • OnPrem vRealize Log Insight
  • On Prem Syslog Server using TCP
  • On Prem Syslog Server using UDP
  • On Prem Splunk
  • On Prem Default – Any authenticated HTTPs endpoint
  • Splunk Cloud Endpoint
  • Any Authenticated Cloud endpoint over HTTPs

For example, if you want to forward NSX-T firewall logs from your VMC environment to a syslog server in your environment that aggregates all networking logs, you can easily do that from Log Intelligence.

Pre-requisites

  • Any OnPrem endpoint needs a Cloud Proxy deployed in your environment, which Log Intelligence communicates with to forward logs. For detailed step-by-step instructions, please refer to this blog
  • To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded

Procedure

This section describes the procedure to configure log forwarding

Authenticate to Log Intelligence, expand Log Management, and click Log Forwarding. This opens the Log Forwarding page, which lists the existing forwarding rules and lets you configure a new one.

Click New Configuration

Provide the following configuration based on Endpoint Type.

In our scenario, we will be forwarding VMC NSX-T firewall logs to OnPrem Syslog Server using TCP/UDP

Field: Description
Name: A display name for this log forwarding configuration
Destination: Where the endpoint is located, OnPrem or Cloud
Cloud Proxy: The Cloud Proxy from which you want to forward messages. Select a Cloud Proxy from the drop-down menu
Endpoint Type: Currently, the following endpoints are supported

  • OnPrem vRealize Log Insight
  • On Prem Syslog Server using TCP
  • On Prem Syslog Server using UDP
  • On Prem Splunk
  • On Prem Default – Any authenticated HTTPs endpoint
  • Splunk Cloud Endpoint
  • Any Authenticated Cloud endpoint over HTTPs

Host: Hostname or IP of the destination endpoint
Port: Port number of the destination endpoint
Query: You can either forward all logs or use a specific filter to forward particular logs

Click the magnifying glass icon to preview the filtered results, which are displayed in the graph and list of events on the Log Forwarding Configurations page

Click Verify. This validates that the values provided on the log configuration page are correct and ensures that the listed endpoint is reachable. You should see the following message if everything is correct

You should see the following message on the syslog server

Click Save on log forwarding configuration page

Now you should see your configuration listed

Wait a couple of minutes and you should see the Events Posted number increase

Now you can validate your syslog server and you should see NSX-T firewall logs as well

Similarly, you can select UDP as the endpoint type if your syslog server listens on UDP instead of TCP
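
To check the destination side of the TCP configuration above, the following added example (not from the original post or from VMware) is a stand-in syslog listener that counts received events for comparison with Events Posted and flags events that do not match the forwarding filter. Port 5514, the marker `firewall` and the sample stream are assumptions; both RFC 6587 framings are accepted because the post does not say which one the Cloud Proxy uses.

```python
import socketserver
from collections import Counter

def split_frames(buf: bytes):
    """Split a TCP byte stream into (complete syslog messages, unconsumed tail)."""
    msgs = []
    while buf:
        head, sep, rest = buf.partition(b" ")
        if sep and head.isdigit():            # octet-counted: b"<len> <msg>"
            n = int(head)
            if len(rest) < n:
                break                         # frame incomplete, wait for more
            msgs.append(rest[:n])
            buf = rest[n:]
        else:                                 # newline-terminated
            line, nl, rest = buf.partition(b"\n")
            if not nl:
                break                         # partial line, wait for more
            if line.strip():
                msgs.append(line.rstrip(b"\r"))
            buf = rest
    return msgs, buf

def tally(msgs, marker: bytes) -> Counter:
    """Count events, split by whether they contain the expected marker."""
    c = Counter(total=len(msgs))
    for m in msgs:
        c["matching" if marker.lower() in m.lower() else "unexpected"] += 1
    return c

# Constructed sample (not real NSX-T output): 2 newline-framed, 1 octet-counted, 1 partial.
SAMPLE = (b"<134>1 2020-01-01T00:00:00Z host-a FIREWALL - - - sample one\n"
          b"<134>1 2020-01-01T00:00:01Z host-a sshd - - - sample two\n"
          b"28 <134>1 - host-a FIREWALL - -"
          b"<134>1 2020-01-01T00:00:02Z host-a FIRE")

class Handler(socketserver.BaseRequestHandler):
    def handle(self):
        buf, totals = b"", Counter()
        while chunk := self.request.recv(65536):
            msgs, buf = split_frames(buf + chunk)
            totals += tally(msgs, self.server.marker)
            print(dict(totals))               # compare with Events Posted

if __name__ == "__main__":
    # Assumptions: port 5514 and marker b"firewall"; use your own values.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 5514), Handler) as srv:
        srv.marker = b"firewall"
        srv.serve_forever()
```

A growing `unexpected` count means the forwarding Query is matching more than the logs you intended to send.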

Conclusion

This is how simple it is to filter and forward VMware Cloud on AWS events from Log Intelligence to various endpoints. You can forward all or specific events, based on your use case, to any of the supported endpoints

  • OnPrem vRealize Log Insight
  • On Prem Syslog Server using TCP
  • On Prem Syslog Server using UDP
  • On Prem Splunk
  • On Prem Default – Any authenticated HTTPs endpoint
  • Splunk Cloud Endpoint
  • Any Authenticated Cloud endpoint over HTTPs

Getting Started with Log Intelligence

For a free trial, you can click here or reach out to your account team

To learn more about Log Intelligence please visit here