Initial use-case: Our team supports the Operating System, while the Application Team supports their application. The Application Team already has their own Log Insight cluster set up to collect their application logs with the LI Agent. Because of this, we are unable to use the LI Agent to collect the Operating System logs. Ideally we would like to be able to send OS logs to our LI, and application logs to their LI.
Forwarding logs from one cluster to another is really not a good solution at all since they don't want OS logs cluttering up their application logs, and vice versa. In addition, there could be security concerns with forwarding logs since one or both of the data sets may have sensitive information.
Other use-cases: Forward logs to Log Insight and security events to a SIEM.