Has anyone set up Log Insight to integrate with a third-party SIEM like QRadar so that your events from VMware go first to Log Insight then get forwarded to your SIEM? Any caveats with this?
http://kb.vmware.com/kb/2053382
Yup, it works
OK great - thanks. Can I choose to retain the source IP when I forward, so that my third-party SIEM will recognize the original source of the event?
Not today -- LI behaves like any other syslog agent and sends its IP for source. Can you open a feature request on https://loginsight.vmware.com?
OK thanks - is there anything in the documentation or anywhere online that states that the source IP of the syslog event source is NOT retained?
http://kb.vmware.com/kb/2053382
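
As an added example (not part of the thread and not VMware or QRadar code): since the forwarder's IP is what arrives as the packet source, a SIEM-side parser can key the log source on the HOSTNAME field of the syslog header instead. It assumes the forwarded event still carries the originating host in that header, which the thread does not confirm, so check a captured event first; the hostnames, IPs and the `attribute` helper are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) ")
# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: ...
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")


def header_hostname(raw):
    """Return the HOSTNAME field of a syslog line, or None if missing/unparseable."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(raw)
        if m:
            host = m.group(3)
            return None if host == "-" else host  # "-" is the RFC 5424 nil value
    return None


def attribute(packet_src_ip, raw, forwarders):
    """Decide which identity a SIEM should treat as the log source.

    forwarders: set of IPs known to relay events (assumption: maintained by you).
    The header hostname is sender-supplied, so it is only trusted when the
    packet came from a known forwarder.
    """
    host = header_hostname(raw)
    if packet_src_ip not in forwarders:
        return {"source": packet_src_ip, "relayed": False, "basis": "packet"}
    if host is None:
        # Relayed, but the original host cannot be recovered from the header.
        return {"source": packet_src_ip, "relayed": True, "basis": "forwarder-only"}
    return {"source": host, "relayed": True, "basis": "header"}


if __name__ == "__main__":
    forwarders = {"192.0.2.10"}  # constructed forwarder address
    samples = [  # constructed events
        ("192.0.2.10", "<14>1 2024-01-05T10:00:00Z esx01.example.com Hostd 1234 - - login ok"),
        ("192.0.2.10", "<14>Jan  5 10:00:00 esx02 vmkernel: link up"),
        ("192.0.2.10", "<14>1 2024-01-05T10:00:00Z - Hostd - - - no hostname"),
        ("192.0.2.55", "<14>Jan  5 10:00:00 esx03 vmkernel: sent directly"),
    ]
    for src, line in samples:
        print(src, attribute(src, line, forwarders))
```

Events that resolve to `forwarder-only` are the ones where the original source is lost and all hosts would collapse into one log source in the SIEM.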