Routing your logs to a Logstash host with the Log Forwarder

Use the Log Forwarder to collect the virtual appliance logs and post them to the Logstash host of an ELK stack.

About this task

You can configure the Log Forwarder to route the virtual appliance and system logs to an external Logstash host. If you are provided with an ELK stack, you can then run analytics on your log files as the next figure shows.

Tip: In ISVG Identity Manager Virtual Appliance v10.0.2.5 and later versions, you can configure multiple Logstash hosts at the same time.

You can configure, reconfigure, or unconfigure the Log Forwarder options from the virtual appliance dashboard. See Table 1.

Table 1. Log Forwarder Configuration

Button	Log Forwarder options
Configure	Host name (FQDN, IPv4, or IPv6) Enter the fully qualified domain name, or the IP address, of the Logstash host. In ISVG IM VA v10.0.2.5 and later versions, you can add multiple Logstash hosts as comma-separated values. Port Specify a valid service port of the Logstash host. If you are configuring multiple hosts, ensure that all the Logstash hosts are configured with the same port number. SSL Flag this check box to apply SSL encryption to the connection with the Logstash host. If you are configuring multiple Logstash hosts, then this SSL configuration applies to all the hosts. If you select this option, after you click Save Configuration, you are also prompted to accept a default SSL certificate for the connection with the Logstash host. If you have configured multiple hosts, you will receive a prompt to accept multiple certificates at a time in a single prompt. Attention: A connection over SSL with Logstash requires the following conditions: Logstash must run with a non-IBM version of Java, version 1.8 or higher. The security protocol of the virtual appliance must be TLSv1.2. Tags Enter optional tags for the log events that are routed to the Logstash host.
Reconfigure	Host name (FQDN, IPv4, or IPv6) Change the fully qualified domain name, or the IP address, of the Logstash host. In ISVG IM VA v10.0.2.5 and later versions, you can add one or more Logstash hosts to an existing configuration as comma-separated values. Port Change the service port of the Logstash host. If you have configured multiple Logstash hosts, ensure that all the Logstash hosts are configured with the same port number. SSL Flag this check box to apply SSL encryption to the connection with the Logstash host. If you select this option, after you click Save Configuration, you are also prompted to accept a default SSL certificate for the connection with the Logstash host. Note that you will receive a prompt to accept the SSL certificates for only the newly added Logstash hosts. Attention: A connection over SSL with Logstash requires the following conditions: Logstash must run with a non-IBM version of Java, version 1.8 or higher. The security protocol of the virtual appliance must be TLSv1.2. Tags Add, change, or remove optional tags for the log events that are routed to the Logstash host.

1. From the top-level menu of the Appliance Dashboard, select Manage System Settings > Maintenance > Log Forwarder Configuration.
   The Log Forwarder (Filebeat) Configuration Details page is displayed.
2. Enter a new configuration or change an existing one.

   Enter a new configuration.

   1. Click Configure.
   2. In the New Log Forwarder Configuration window, specify the requested values. For more information, see Table 1.
   3. Click Save Configuration. A message indicates that the configuration is successfully completed. If you selected the SSL option, you are prompted to accept a default SSL certificate for the connection with the Logstash host.

   Change an existing configuration.

   1. From the Log Forwarder (Filebeat) Configuration Details table, select a record. For example, Log Forwarder Configuration.
   2. Click Reconfigure.
   3. In the Edit Log Forwarder Configuration window, edit the details. For more information, see Table 1.
   4. Click Save Configuration. A message indicates that the Log Forwarder configuration is successfully changed. If your changes require the need of a new SSL certificate, you are prompted to accept a default SSL certificate for the connection with the Logstash host.

3. Optional: To unconfigure a Log Forwarder configuration, follow these steps:
   1. From the Log Forwarder (Filebeat) Configuration Details table, select a record.
      For example, Log Forwarder Configuration.
   2. Click Unconfigure.
   3. Click Yes to confirm.
      A message indicates that the Log Forwarder configuration is successfully removed.