Configure the Splunk Add-on for VMware to collect log data from vCenter Server systems using the VMware API
The Splunk Add-on for VMware uses the VMware API to collect data about your virtual environment. The add-on collects inventory data at the default interval defined in the Splunk_TA_vmware\default\ta_vmware_collection.conf configuration file. Because full inventory data is not needed at every interval, the add-on collects full inventory data in collectionVersion 1 and then collects only change sets (for example, changes in VM inventory or host inventory) in the incremental collectionVersions that follow. After 4 hours or collectionVersion 20, whichever comes first, the add-on collects full inventory data again, and the cycle repeats. The Splunk Add-on for VMware communicates with vCenter Server using network ports and Splunk management ports.
|Scheduler (on the search head)||vCenter server||443||The scheduler uses port 443 to connect to the vCenter Server to verify that the vCenter Server credentials are valid. It also uses this port to discover the number of managed ESXi hosts in the environment.|
|Splunk Add-on for VMware||Data Collection Node||8089||The Splunk App for VMware connects to the Data Collection Node (DCN) on the default Splunk management port, TCP 8089.|
|Scheduler||Data Collection Node||8008||When the DCN and Splunk App for VMware have established a connection, the scheduler, which typically runs on the search head, allocates data collection jobs to the DCN on TCP port 8008. TCP port 8008 is the gateway port. In your environment, if another service uses port 8008, you can configure a different port for communication between the data collection node and the gateway. Data collection nodes do not have to communicate on the same port. [default] gateway_port = 8008 To change the ports for each data collection node individually, set the port in each stanza.|
|Data Collection Node (DCN)||vCenter Server||443||The DCN communicates with vCenter Server API on port 443 to execute the data collection tasks allocated to it.|
|Data Collection Node||Splunk indexer||9997||The Data Collection Node uses port 9997 to forward data it has retrieved from the vCenter Server using the API.|
After the Splunk Add-on for VMware establishes a connection with a vCenter Server, the DCN uses port 443 to obtain the credentials for vCenter Server. The DCN also uses port 443 to determine the kind of data to collect, such as performance, inventory, or hierarchy data. The Splunk App for VMware uses port 8008 to tell the data collection nodes what they need to collect from a specific vCenter Server system. The DCN retrieves the data from vCenter Server and forwards it to the Splunk indexer on port 9997.
Control certificate validation for your data collection nodes
Control certificate validation for your data collection nodes with the ta_vmware_config_ssl.conf file. Use it to enable or disable certificate validation for your DCN. By default, certificate validation is disabled.
- On your scheduler, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/default and copy the
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware and create a
- Navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local and paste the
- Open the
  [general]
  validate_ssl_certificate = true
- Save your changes.
- Restart your Splunk platform instance.
For more information, see the About securing inter-Splunk communication section of the Securing Splunk Enterprise documentation.
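An added audit example, not part of the Splunk documentation or the add-on's code: because certificate validation is disabled by default, this script resolves the effective [general] validate_ssl_certificate value in ta_vmware_config_ssl.conf (local over default) and flags an app directory where it is not enabled. The sample tree is constructed, and the set of values accepted as true is an assumption.

```python
import os
import tempfile

CONF = "ta_vmware_config_ssl.conf"  # file named on this page
TRUE_VALUES = {"true", "1"}  # assumption: the page shows only "true"

def read_conf(path):
    """Parse a Splunk-style .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1].strip(), {})
            elif "=" in line and current is not None:
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def effective_validation(app_dir):
    """Return (enabled, layer); a value in local/ overrides default/."""
    value, layer = None, "unset"
    for name in ("default", "local"):
        general = read_conf(os.path.join(app_dir, name, CONF)).get("general", {})
        if "validate_ssl_certificate" in general:
            value, layer = general["validate_ssl_certificate"], name
    # Unset counts as disabled, matching the default stated on this page.
    return (value is not None and value.lower() in TRUE_VALUES), layer

def build_sample_app(root, default_value, local_value=None):
    """Write a constructed sample app tree (not real add-on contents)."""
    for name, val in (("default", default_value), ("local", local_value)):
        if val is not None:
            os.makedirs(os.path.join(root, name), exist_ok=True)
            with open(os.path.join(root, name, CONF), "w", encoding="utf-8") as fh:
                fh.write(f"[general]\nvalidate_ssl_certificate = {val}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for label, local in (("before", None), ("after", "true")):
            app = build_sample_app(os.path.join(tmp, label), "false", local)
            enabled, layer = effective_validation(app)
            print(label, "OK" if enabled else "FINDING: validation disabled", f"(set in {layer})")
```

Point effective_validation at $SPLUNK_HOME/etc/apps/Splunk_TA_vmware on the scheduler and each DCN to confirm the change took effect after the restart.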
Configure VMX Logs to Syslog
Configure your Splunk platform infrastructure to collect vmware.log files from your VM infrastructure. This configuration provides your Splunk platform deployment with a source of data that lets you audit, troubleshoot and rebuild your VMX configuration files.
- Navigate to your virtual machine vmx file.
- Add vmx.log.destination = "syslog-and-disk" to your virtual machine vmx file.
- Name your VM log entry. (Example: vmx.log.syslogID = vmx[splunkdata])
- Check the log entry in /var/log/syslog of your ESXi host to verify the syslog is being forwarded.
Configure the Splunk Add-on for VMware to collect log data from ESXi hosts
Use the Collection Configuration page to add configurations