Hello,
I'm trying to set up log forwarding from vRLI to a SIEM solution, which I thought would be a simple matter, but so far it seems otherwise.
I found an official blog post, https://blogs.vmware.com/management/2020/01/forwarding-vrealize-log-insight-events-to-a-siem-solutio..., but it doesn't work as described. The biggest problem is the filter interpretation, which for Log Forwarding works differently than for Interactive Analytics. I have been able to make what is in the blog post work (by adding asterisks around words / a couple of words), but I'm not sure if that is the right / efficient way of doing it.
I'm also interested in whether anyone is using it and how you are selecting events that matter. Is there some kind of general identification for all "audit" information, or do you just select the information based on specific text / events? I understand that "events that matter" may vary based on your needs, but if I wanted to select, for example, every standard action a user can take with a VM, should I use common words in the text, or are there, for example, event codes for that?
Thanks.