Splunk® Supported Add-ons

Splunk Add-on for VMware

Configure the Splunk Add-on for VMware to collect log data from vCenter Server systems using the VMware API

The Splunk Add-on for VMware uses the VMware API to collect data about your virtual environment. The add-on collects inventory data at the default interval defined in the Splunk_TA_vmware\default\ta_vmware_collection.conf configuration file. Because full inventory data is not needed at every interval, the add-on collects full inventory data in collectionVersion 1 and then collects only change sets (for example, changes in VM inventory or host inventory) in incremental collectionVersions. After 4 hours or collectionVersion 20, whichever is earlier, the add-on collects full inventory data again, and the cycle repeats. The Splunk Add-on for VMware communicates with vCenter Server using network ports and Splunk management ports.

| Sender | Receiver | Port number | Description |
| --- | --- | --- | --- |
| Scheduler (on the search head) | vCenter server | 443 | The scheduler uses port 443 to connect to the vCenter Server to verify that the vCenter Server credentials are valid. It also uses this port to discover the number of managed ESXi hosts in the environment. |
| Splunk Add-on for VMware | Data Collection Node | 8089 | The Splunk App for VMware connects to the Data Collection Node (DCN) on the default Splunk management port, TCP 8089. |
| Scheduler | Data Collection Node | 8008 | When the DCN and Splunk App for VMware have established a connection, the scheduler, which typically runs on the search head, allocates data collection jobs to the DCN on the TCP port 8008. TCP port 8008 is the gateway port. In your environment, if another service uses port 8008, you can configure a different port for communication between the data collection node and the gateway. Data collection nodes do not have to communicate on the same port. The setting is gateway_port = 8008. To change the ports for each data collection node individually, set the port in each stanza. |
| Data Collection Node (DCN) | vCenter Server | 443 | The DCN communicates with vCenter Server API on port 443 to execute the data collection tasks allocated to it. |
| Data Collection Node | Splunk indexer | 9997 | The Data Collection Node uses port 9997 to forward data it has retrieved from the vCenter Server using the API. |

After the Splunk Add-on for VMware establishes a connection with a vCenter Server, the DCN uses port 443 to obtain the credentials for vCenter Server. The DCN uses port 443 to determine the kind of data to collect, such as performance, inventory, or hierarchy data. Splunk App for VMware uses port 8008 to tell the data collection nodes what information they need to collect from a specific vCenter Server system. The DCN retrieves the data from vCenter Server and forwards the data to the Splunk indexer on port 9997.

Control certificate validation for your data collection nodes

Control certificate validation for your data collection nodes with the ta_vmware_config_ssl.conf file. Use it to enable and disable certificate validation for your DCN. By default, certificate validation is disabled.

  1. On your scheduler, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/default and copy the ta_vmware_config_ssl.conf file.
  2. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware and create a local folder.
  3. Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local and paste the ta_vmware_config_ssl.conf file.
  4. Open $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local/ta_vmware_config_ssl.conf and set the validate_ssl_certificate option to true.
    validate_ssl_certificate = true
  5. Save your changes.
  6. Restart your Splunk platform instance.
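
The steps above, scripted for a *nix scheduler host; this is an added example, not Splunk's own tooling. It also prints the value that takes effect, since a file in local overrides the one in default. The --apply switch, the function names, the script name and the /opt/splunk path in the comment are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not Splunk's code): enable certificate validation through a
# local override and report the value that takes effect (local/ wins over default/).
CONF=ta_vmware_config_ssl.conf
KEY=validate_ssl_certificate

# effective_value APP_DIR: print the value of KEY, checking local/ before default/.
effective_value() {
    for f in "$1/local/$CONF" "$1/default/$CONF"; do
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*//p" "$f" |
            sed 's/[[:space:]]*$//' | tail -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# enable_validation APP_DIR: steps 1 to 4 of the procedure above.
enable_validation() {
    app=$1
    if [ ! -f "$app/default/$CONF" ]; then
        echo "missing $app/default/$CONF" >&2
        return 1
    fi
    mkdir -p "$app/local"
    # Keep an existing local override; copy the default only when none exists.
    [ -f "$app/local/$CONF" ] || cp "$app/default/$CONF" "$app/local/$CONF"
    # Refuse to guess a stanza: the key must already be present in the file.
    if ! grep -q "^[[:space:]]*${KEY}[[:space:]]*=" "$app/local/$CONF"; then
        echo "$KEY not found in $app/local/$CONF; add it by hand" >&2
        return 1
    fi
    sed "s/^[[:space:]]*${KEY}[[:space:]]*=.*/${KEY} = true/" "$app/local/$CONF" \
        > "$app/local/$CONF.tmp" && mv "$app/local/$CONF.tmp" "$app/local/$CONF"
}

# Run as: SPLUNK_HOME=/opt/splunk sh enable_validation.sh --apply  (steps 5 and 6)
if [ "${1:-}" = "--apply" ] && [ -n "${SPLUNK_HOME:-}" ]; then
    app="$SPLUNK_HOME/etc/apps/Splunk_TA_vmware"
    enable_validation "$app" || exit 1
    echo "effective $KEY = $(effective_value "$app")"
    "$SPLUNK_HOME/bin/splunk" restart
fi
```

Without --apply the script only defines the two functions, so it can be sourced to check the effective value on a host before changing anything.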

For more information, see the About securing inter-Splunk communication section of the Securing Splunk Enterprise documentation.

Configure VMX Logs to Syslog

Configure your Splunk platform infrastructure to collect vmware.log files from your VM infrastructure. This configuration provides your Splunk platform deployment with a source of data that lets you audit, troubleshoot and rebuild your VMX configuration files.

  1. Navigate to your virtual machine vmx file.
  2. Add vmx.log.destination = "syslog-and-disk" to your virtual machine vmx file.
  3. Name your VM log entry. (Example: vmx.log.syslogID = vmx[splunkdata])
  4. Check the log entry in /var/log/syslog of your ESXi host to verify the syslog is being forwarded.
Last modified on 13 September, 2023

This documentation applies to the following versions of Splunk® Supported Add-ons: released
