Log forwarding from VMware Aria Operations for Logs to Splunk using the Ingestion API protocol fails when attempting to preserve the source IP of log events.
search cancel

Log forwarding from VMware Aria Operations for Logs to Splunk using the Ingestion API protocol fails when attempting to preserve the source IP of log events.

book

Article ID: 393123

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Validating the test connection using the Ingestion API protocol in Aria Operations for Logs for forwarding logs to Splunk takes too long and eventually fails in Aria Operations for Logs UI > Log Management > Log Forwarding.

  • Syslog and RAW protocols work as expected and test notifications are successfully sent to Splunk when using Syslog and RAW protocols.

  • /storage/var/loginsight/runtime.log shows error Pending queue is full which tells about dropping events.
[2025-03-19 09:43:21.086+0000] ["DaemonCommands-thread-197368"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Stopping forwarder for target 'Splunk'.]
javax.management.InstanceAlreadyExistsException: com.vmware.loginsight.ingestion.forwarding:type=BaseForwarder,name=Splunk
[2025-03-19 09:43:21.202+0000] ["DaemonCommands-thread-197368"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Starting forwarder for target 'Splunk'.]
[2025-03-19 09:43:31.541+0000] ["ImportingThread-4"/##.##.##.##  WARN] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Dropped 31 events for target Splunk Test, reason: Pending queue is full. [32645 suppressed]]
[2025-03-19 09:43:49.102+0000] ["DaemonCommands-thread-197403"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Stopping forwarder for target 'Splunk Test'.]
[2025-03-20 02:54:55.242+0000] ["ScheduledPeriodicSyncConfig-thread-1"/##.##.##.## INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Stopping forwarder for target 'Splunk'.]
javax.management.InstanceAlreadyExistsException: com.vmware.loginsight.ingestion.forwarding:type=BaseForwarder,name=Splunk
[2025-03-20 02:54:55.343+0000] ["ScheduledPeriodicSyncConfig-thread-1"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Starting forwarder for target 'Splunk'.]
[2025-03-21 02:39:48.543+0000] ["DaemonCommands-thread-199962"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Stopping forwarder for target 'Splunk'.]
javax.management.InstanceAlreadyExistsException: com.vmware.loginsight.ingestion.forwarding:type=BaseForwarder,name=Splunk
[2025-03-21 02:39:48.645+0000] ["DaemonCommands-thread-199962"/##.##.##.##  INFO] [com.vmware.loginsight.ingestion.forwarding.BaseForwarder] [Starting forwarder for target 'Splunk'.]                        
[2025-03-21 02:39:54.842+0000] 

Environment

Aria Operations for Logs 8.x

Cause

Using the Ingestion API protocol, events are forwarded in a CFAPI format, which may not be fully supported or correctly parsed by Splunk.

 

 

Resolution

Currently, there is no resolution available for forwarding logs from Aria Operations for Logs to Splunk using the Ingestion API protocol.

  1. The Ingestion API protocol is not supported for log forwarding to Splunk.

  2. Instead, Syslog and RAW protocols can be used for forwarding logs. However, please note that these methods do not preserve the original source of the logs.

Additional Information

Please find the documentation mentioned below for more information.

Add a VMware Aria Operations for Logs Log Forwarding Destination

Powered by Wolken Software