In this blog post, I will show how to filter and forward VMware Cloud on AWS events from Log Intelligence to various endpoints.
Value of Log Forwarding Capability
Log Intelligence allows you to forward logs to the following supported endpoints. You can forward all VMC logs, or use filters to forward specific logs, following the procedure below.
- OnPrem vRealize Log Insight
- On Prem Syslog Server using TCP
- On Prem Syslog Server using UDP
- On Prem Splunk
- On Prem Default – Any authenticated HTTPs endpoint
- Splunk Cloud Endpoint
- Any Authenticated Cloud endpoint over HTTPs
For example, if you want to forward NSX-T firewall logs from your VMC environment to a syslog server in your environment that aggregates all networking logs, you can easily do that from Log Intelligence.
Pre-requisites
- Any OnPrem endpoint needs a Cloud Proxy deployed in your environment, which Log Intelligence communicates with to forward logs. For detailed step-by-step instructions, please refer to this blog
- To ensure that no events are dropped, verify that the destination can handle the number of events that are forwarded
Procedure
This section describes the procedure to configure log forwarding.
Authenticate to Log Intelligence, expand Log Management, and click Log Forwarding. This opens the Log Forwarding page, which lists the existing forwarding rules and lets you configure a new one.
Click New Configuration
Provide the following configuration based on Endpoint Type.
In our scenario, we will forward VMC NSX-T firewall logs to an OnPrem Syslog Server using TCP/UDP.
Name | Description |
Name | A display name for this log forwarding configuration |
Destination | Where the endpoint is located: OnPrem or Cloud |
Cloud Proxy | The Cloud Proxy from which you want to forward messages. Select a Cloud Proxy from the drop-down menu |
Endpoint Type | Currently, it supports the following endpoints |
Host | Hostname or IP of the destination endpoint |
Port | Port Number of the destination endpoint |
Query | You can either forward all logs or use a specific filter to forward particular logs |
Click the magnifying glass icon to preview the filtered results, which are displayed in the graph and list of events on the Log Forwarding Configurations page
Click Verify. This validates that the values provided on the log configuration page are correct and that the listed endpoint is reachable. You should see the following message if everything is correct
You should see the following message on the syslog server
Click Save on log forwarding configuration page
Now you should see your configuration listed
Wait a couple of minutes and you should see the Events Posted number increase
Now you can validate your syslog server and you should see NSX-T firewall logs as well
Similarly, you can select UDP as the endpoint type if your syslog server listens on UDP instead of TCP
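To check that the Cloud Proxy can reach the Host and Port entered in the configuration before pointing the rule at a production collector, a throwaway receiver is useful. The listener below is an added example, not part of the original post or of any VMware tooling; port 5514 is an assumed test port, and because the post does not say which TCP framing the forwarder uses, it accepts both RFC 6587 forms (octet-counted and newline-delimited).

```python
import socketserver
import sys

MAX_BUF = 64 * 1024  # discard a connection's backlog if no frame boundary ever arrives

def split_frames(buf: bytes):
    """Split a TCP byte stream into syslog messages; returns (messages, remainder)."""
    msgs = []
    while buf:
        head, sep, rest = buf.partition(b" ")
        if sep and head.isdigit():  # octet counting: MSG-LEN SP MSG
            n = int(head)
            if len(rest) < n:
                break  # frame not fully received yet
            msgs.append(rest[:n])
            buf = rest[n:]
        else:  # non-transparent framing: message ends at LF
            line, nl, rest = buf.partition(b"\n")
            if not nl:
                break
            if line.strip():
                msgs.append(line.rstrip(b"\r"))
            buf = rest
    return msgs, buf

class TCPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        while chunk := self.request.recv(4096):
            msgs, buf = split_frames(buf + chunk)
            buf = b"" if len(buf) > MAX_BUF else buf
            for m in msgs:
                print(self.client_address[0], "tcp", m.decode("utf-8", "replace"))

class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self):
        data, _sock = self.request  # one datagram carries one message
        print(self.client_address[0], "udp", data.decode("utf-8", "replace").rstrip())

if __name__ == "__main__":
    # Usage: python3 listener.py [port] [tcp|udp]; 5514 is an assumed test port.
    # Limit access to this port to the Cloud Proxy address with the host firewall.
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5514
    udp = len(sys.argv) > 2 and sys.argv[2] == "udp"
    server = socketserver.ThreadingUDPServer if udp else socketserver.ThreadingTCPServer
    with server(("0.0.0.0", port), UDPHandler if udp else TCPHandler) as srv:
        srv.serve_forever()
```

Run it on the destination host, click Verify in the forwarding configuration, and the test message should be printed with the sender's address.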
Conclusion
This is how simple it is to filter and forward VMware Cloud on AWS events from Log Intelligence to various endpoints. You can forward all or specific events, based on your use case, to all the supported endpoints
- OnPrem vRealize Log Insight
- On Prem Syslog Server using TCP
- On Prem Syslog Server using UDP
- On Prem Splunk
- On Prem Default – Any authenticated HTTPs endpoint
- Splunk Cloud Endpoint
- Any Authenticated Cloud endpoint over HTTPs
Getting Started with Log Intelligence
For a free trial, you can click here or reach out to your account team
To learn more about Log Intelligence please visit here