VMware Identity Manager Logs not getting forwarded to Aria Operations for Logs Due to Corrupted rsyslog State

Article ID: 433384

Products

VCF Operations

Issue/Introduction

VMware Identity Manager (vIDM) is not forwarding internal application logs (e.g., workspace.log) to VMware Aria Operations for Logs.

The expected log entries are present and can be verified directly on the vIDM appliance via SSH.

Syslog configuration on vIDM pointing to the Aria Operations for Logs server is working as expected.

However, real-time application logs generated by vIDM services are either not being captured or not ingested into Aria Operations for Logs.

Environment

VMware Identity Manager 3.3.7

Aria Operations for Logs 8.18.x

Cause

Corrupted or stale rsyslog tracking data in the /var/rsyslog/imfilestate/ directory prevents the rsyslog service from reading new log entries.

Resolution

To restore log forwarding, the rsyslog state files must be cleared to force the service to rebuild its tracking bookmarks:

  1. Please take snapshots of the VMware Identity Manager cluster by following this KB: How to take a Snapshot of VMware Identity Manager

  2. Log in to the vIDM appliance as root via SSH.

  3. Stop the rsyslog service: systemctl stop rsyslog.service

  4. Remove the corrupted state files: rm -rf /var/rsyslog/imfilestate/*

  5. Restart the rsyslog service to resume log tracking: systemctl start rsyslog.service

  6. Verify that logs are getting ingested in the Aria Operations for Logs console.
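
Steps 3 to 5 as a script, added here as an example and not VMware's own tooling: it confirms rsyslog has stopped and archives the state files before deleting them, so the tracking data can still be inspected afterwards. `BACKUP_ROOT`, `SYSTEMCTL` and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: clear rsyslog imfile state, keeping a copy of what was removed.
# BACKUP_ROOT and SYSTEMCTL are assumptions of this example, not vIDM settings.
STATE_DIR="${STATE_DIR:-/var/rsyslog/imfilestate}"
BACKUP_ROOT="${BACKUP_ROOT:-/root}"      # hypothetical location for the archive
SYSTEMCTL="${SYSTEMCTL:-systemctl}"      # overridable so the logic can be dry-run

# Archive every state file, then delete them. Prints the archive path.
reset_imfile_state() {
    local dir backup_root archive
    dir="$1"; backup_root="$2"
    # Refuse an empty or root path before anything is deleted.
    case "$dir" in ""|"/") echo "refusing path: '$dir'" >&2; return 1;; esac
    [ -d "$dir" ] || { echo "state dir not found: $dir" >&2; return 1; }
    archive="$backup_root/imfilestate-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$dir" . || return 1
    # -mindepth 1 keeps the directory itself and also removes dotfiles,
    # which a shell glob such as /* would skip.
    find "$dir" -mindepth 1 -delete || return 1
    echo "$archive"
}

# Steps 3-5 in order; leaves the state untouched if rsyslog is still running.
clear_rsyslog_state() {
    "$SYSTEMCTL" stop rsyslog.service || return 1
    if "$SYSTEMCTL" is-active --quiet rsyslog.service; then
        echo "rsyslog still active, not touching state" >&2
        return 1
    fi
    reset_imfile_state "$STATE_DIR" "$BACKUP_ROOT" || return 1
    "$SYSTEMCTL" start rsyslog.service
}

# Nothing runs unless explicitly requested: ./clear-state.sh --apply
if [ "${1:-}" = "--apply" ]; then
    clear_rsyslog_state
fi
```

With the state removed, rsyslog has no saved read positions for the monitored files, so lines that were already forwarded may be sent again after the restart.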