Understanding vRealize Log Insight Event Forwarding Filters Behavior

vRealize Log Insight enables generic event forwarding via the syslog protocol.  The Event Forwarding filters, at least to me, were initially not the most intuitive.  So, here’s what I’ve learned using vRLI 4.5.

Understanding Implicit Conditional Operators

First, notice the gap between *Key1* and *Key2*.  That indicates they are two separate criteria (values) that will satisfy the filter rule.  Filter rules evaluate true when ANY value for a specific filter rule meets the criteria.  So, there is an implicit OR between all the values for a particular rule.

Second, filter rules are additive.  There is an implicit AND between all the filter rules assigned to an Event Forwarding Destination.

“Not Match” Adds Complexity

Consider these two equivalent scenarios:

  • Scenario 1
    • text does not match *Key1*
    • text does not match *Key4*

There is an implicit AND between the two filters.  So messages will not be forwarded if they contain either Key1 or Key4.  Think of it as !(match *Key1*) AND !(match *Key4*).

  • Scenario 2
    • text does not match *Key1* *Key4*

Think of this as not (match *Key1* OR match *Key4*).  If the message contains Key1 or Key4, it will match the parenthesized condition, then the negation is applied.  Net result, a message containing any of the “not match” values.

Testing

I recorded actual test results, by crafting sample syslog messages using a generator pointed to Log Insight, and configuring an Event Forwarder using the following filters.  I observed the results with a generic syslog-ng instance configured to receive the forwarded events from Log Insight.

Because of its importance, I denoted where multiple values to a filter are separated by pressing [Enter] after typing each value.  If you just separate the values by a space, you will end up with a single value like “Key1 Key2” instead of “Key1”, “Key2”.  This is easy (for me) to mistype, so here’s one last screenshot to remind you:

Showing multiple separate values that have an implicit OR (*Key1* OR *Key2*).

Finally, here are my test results for reference:

Filters Results Analysis
hostname matches host1
hostname matches host2
no msgs forwarded filter1 AND filter2
hostname matches host1[Enter] host2[Enter] all msgs forwarded value1 OR value2
text matches Key1 no msgs forwarded entire text must match "Key1"!
text matches *Key1* msgs with Key1 forwarded
text matches *Key1*[Enter] *Key4*[Enter] all messages forwarded value1 OR value2
text matches *Key1*
text does not match *Key4*
msgs with Key1 and not Key4 (match value1) AND !(match value2)

Hope this helps.

Leave a Reply

Your email address will not be published. Required fields are marked *