Configure the Splunk Add-on for vCenter logs to collect vCenter log data
vCenter logs contain information about access to the vCenter environment, audit information (who assigned permissions, added/edited/removed VMs), and health information about vCenter's processes.
For vCSA servers, vCSA's native syslog forwarding is used to pass this information to your Splunk platform, so you don't need to install anything on the vCSA servers to collect this data. Windows-based vCenter environments require a Splunk platform forwarder and the Splunk_TA_vcenter package.
Prepare to collect data
Set up a vCenter Server user account
Obtain VMware vCenter server account credentials for each vCenter server system. These credentials give the Splunk Add-on for VMware Metrics and the Splunk Add-on for VMware read-only API access to the appropriate metrics on each vCenter server system in the environment. The Splunk App for VMware uses the credentials when the data collection node (DCN) polls vCenter server systems for performance, hierarchy, inventory, task, and event data, and they are required for DCN configuration. You can use existing vCenter server account credentials, or create a new account for the Splunk App for VMware to access the vCenter server data.
If you encounter issues setting the correct permissions for vCenter server accounts, go to the User account permissions in the Splunk Add-on for VMware Metrics manual.
You must have a user account to authenticate with vCenter; the role assigned to that account determines its access privileges. If you use Active Directory for authentication on your Windows OS (vCenter) machines, go to Create users in Active Directory in this topic.
If you add a new vCenter server user as an administrator, the user automatically assumes the Administrator role in vSphere. Create the collection account as a standard user instead and grant it only the read-only role described under Create roles on each vCenter server in your environment, so that the credentials stored on the DCN cannot be used to modify the environment.
Create a local user on your Windows OS (vCenter) machine
- Log in to the Windows OS with an administrator account.
- Select Start > Control Panel.
- On the User Accounts screen, select Add or remove user accounts.
- In the Manage Accounts window, select Create a new account.
- Enter a name for the account, for example, splunksvc.
- Select Standard user.
- Select Create Account.
- On the Manage Accounts screen, select the new user.
- On the Change an Account screen, select Create a password and assign the user a password.
The new account is listed as a standard user and shows that it is password protected. Verify that you now have a local Windows user that the vSphere permissions system can be pointed at.
Create users in Active Directory
For machines that participate in an Active Directory (AD) domain, create a service account in that domain. Most VMware environments use a single Active Directory domain for authentication; if you use multiple AD domains, create a service account in each domain that your VMware environment uses.
The steps to create a service account in Active Directory depend on your environment. Contact your AD administrator to learn how to do this for your environment.
Create roles on each vCenter server in your environment
- Open the vSphere client and connect to the vCenter server.
- Log in with administrative privileges.
- Select Home in the path bar.
- Under Administration select Roles > Add Role.
- On the Add new Role screen, enter a name for the role, for example, splunkreader.
- Select the appropriate permissions for the role. Grant only the read-only privileges the add-on needs; they are listed under User account permissions in the Splunk Add-on for VMware Metrics manual.
Configure DCNs to honor TLS protocols
You might need to configure your DCNs to use specific TLS protocols when making requests to the vCenter APIs.
- On your DCN, navigate to $SPLUNK_HOME\etc\system\local.
- Open the web.conf file with a text editor. If there is no web.conf file, create it.
- Add this stanza to your web.conf file:
[settings]
sslVersions = tls1.2
cipherSuite = AES256-SHA256
Pinning a single cipher suite only works if the vCenter endpoint also offers it; AES256-SHA256 is an RSA key-exchange suite without forward secrecy, so check the suites your vCenter accepts before restricting the list.
vCenter Log Collection (Windows vCenter and vCSA)
Collect Windows VMware vCenter Server log data
Use the Splunk Add-on for vCenter Logs to collect vCenter server log data. Use a Splunk universal forwarder to forward the log data from your Windows vCenter server to the indexer.
- Install a Splunk forwarder. For instructions, go to Install a Universal Forwarder on Windows.
- Configure the forwarder on your vCenter server systems to send data to your indexers. Configure the forwarder in the outputs.conf file for each forwarder installed on a vCenter server system. Go to Configure forwarding with outputs.conf.
- Change your Splunk password. If the Splunk Enterprise admin user still has the default password changeme, change it using Splunk Web. Go to Change a password.
- Install the Splunk_TA_vcenter package on the system where you have installed the Splunk forwarder:
- Download Splunk Add-on for vCenter Logs from Splunkbase and extract its components.
- Copy the Splunk_TA_vcenter package from the extracted components into the apps directory, $SPLUNK_HOME\etc\apps. On a universal forwarder the path is C:\Program Files\SplunkUniversalForwarder\etc\apps; otherwise it is C:\Program Files\Splunk\etc\apps.
- Copy the inputs.conf file from the $SPLUNK_HOME\etc\apps\Splunk_TA_vcenter\default directory into the $SPLUNK_HOME\etc\apps\Splunk_TA_vcenter\local directory.
- Open the local inputs.conf file.
- Change the log path in each monitor stanza to the location of the vCenter Server log files on the Windows host:
[monitor://<path to log file>]
disabled = 0
index = vmware-vclog

[monitor://<path to log file>]
blacklist = (.*(gz)$)|(\\drmdump\\.*)
disabled = 0
index = vmware-vclog
- (Optional) If you configured Splunk Enterprise as a heavy or light forwarder and also want to monitor the license file and Tomcat configuration files:
- Copy $SPLUNK_HOME\etc\apps\Splunk_TA_vcenter\default\props.conf into the $SPLUNK_HOME\etc\apps\Splunk_TA_vcenter\local directory.
- Open the local props.conf file.
- Edit these stanzas so that the paths match the directories your Windows vCenter server writes its logs to:
Windows vCenter server:
[source::(?-i)...\\VMware\\vCenterServer\\logs\\cim-diag.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\sms.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\stats.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vim-tomcat-shared.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vpxd-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vpxd-alert-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vpxd-profiler-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vws.log(?:.\d+)?]
[source::(?-i)...\\VMware\\vCenterServer\\logs\\vpxd.cfg]
Change the licenses path to the directory where your vCenter server stores its licenses:
[source::(?-i)...\\VMware\\vCenterServer\\licenses]
Change the Tomcat conf path to your vCenter server's Tomcat conf directory:
[source::(?-i)...\\VMware\\Infrastructure\\tomcat\\conf]
Change these paths to match your vCenter server installation:
[source::...\\Application Data\\VMware\\…]
[source::...\\VMware\\Infrastructure\\…]
- Restart Splunk Enterprise. Go to Start and stop Splunk in the Admin Manual. In $SPLUNK_HOME\bin run the command splunk restart, or select Start > Administrative Tools > Services and restart the Splunkd service.
The Splunk Add-on for vCenter Logs collects log data from your Windows vCenter server systems and forwards the data from vCenter Server to your Splunk platform indexers or combined indexer search heads.
Collect VMware vCenter Server Appliance (vCSA) log data
Use the Splunk Add-on for vCenter Logs to collect logs from the VMware vCenter Server Appliance. The appliance writes its logs under /var/log/vmware. You can collect them in either of two ways:
- Export the vCenter logs to another system where you have installed Splunk Enterprise. Go to the Export vCenter logs to an external system section of this page.
- Install a Splunk forwarder on the appliance itself to forward the VMware vCenter Linux appliance logs. Go to the Forward VMware vCenter Linux appliance logs to Splunk Enterprise section of this page.
Export vCenter logs to an external system
- Install a Splunk forwarder.
- Download the universal forwarder.
- Install the Splunk universal forwarder. Go to the Install the universal forwarder documentation for installation steps.
- Enable the VMware vCenter Server Appliance to store log files on NFS storage on a system on which you have installed Splunk Enterprise as a heavy forwarder or light forwarder. Go to NFS Storage on the VMware vCenter Server Appliance in the VMware vSphere documentation.
- Install the Splunk_TA_vcenter package on the system where you have installed the Splunk Enterprise forwarder.
- Copy the inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/default into the $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local directory.
- Open the local inputs.conf file.
- Edit these stanzas in the inputs.conf file so that the monitored paths point at the location that stores the vCenter Server Appliance log data (/var/log/vmware/, or the NFS export of it):
Linux server appliance 7.0/8.0:
[monitor:///var/log/vmware/vws]
disabled = 0
index = vmware-vclog

[monitor:///var/log/vmware/vpxd]
blacklist = (.*(gz)$)|(\\drmdump\\.*)
disabled = 0
index = vmware-vclog

[monitor:///var/log/vmware/perfcharts]
disabled = 0
index = vmware-vclog
The blacklist is a regular expression matched against the full file path. As written, the \\drmdump\\ alternative matches a literal backslash on either side of drmdump, which only occurs in Windows paths; on the appliance's forward-slash paths only the .gz exclusion takes effect, so adjust the pattern if you need drmdump output excluded there.
- (Optional) If you configured Splunk Enterprise as a heavy or light forwarder and want to monitor the license file and Tomcat configuration files:
- Copy $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/default/props.conf into the $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local directory.
- Open the local props.conf file.
- Edit these stanzas so that the paths match where the vCenter Server Appliance log data is stored:
Linux server appliance 6.x, 7.0 & 8.0:
[source::(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?]
[source::(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?]
[source::(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?]
[source::(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?]
- Start or restart Splunk Enterprise so that the new configuration is read.
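The blacklist regex in the monitor stanzas (the Windows form earlier on this page and the appliance form above) is the only control keeping rotated archives and drmdump output out of the vmware-vclog index, so it pays to test it against the file names a monitor will actually meet before restarting the forwarder. The following Python is an added example and not code from the add-on or from this page: it parses constructed monitor stanzas written in the page's format, applies each blacklist to constructed sample paths the way Splunk does (a regex over the full path, including the containing directory), and compares the page's pattern with an assumed separator-agnostic alternative. The Windows log directory, the sample file names and PORTABLE_BLACKLIST are assumptions made for the example.

```python
import re

# Constructed monitor stanzas in the two forms this page gives: the vCSA
# paths (forward slashes) and a Windows vCenter path (backslashes; the
# Windows location is an assumption, the page leaves it as <path to log file>).
# A raw string keeps the regex backslashes exactly as they sit in inputs.conf.
SAMPLE_INPUTS_CONF = r"""
[monitor:///var/log/vmware/vws]
disabled = 0
index = vmware-vclog

[monitor:///var/log/vmware/vpxd]
blacklist = (.*(gz)$)|(\\drmdump\\.*)
disabled = 0
index = vmware-vclog

[monitor://C:\ProgramData\VMware\vCenterServer\logs\vpxd]
blacklist = (.*(gz)$)|(\\drmdump\\.*)
disabled = 0
index = vmware-vclog
"""

# Constructed file names of the kind a monitor would encounter.
SAMPLE_FILES = [
    "/var/log/vmware/vpxd/vpxd-12.log",
    "/var/log/vmware/vpxd/vpxd-12.log.gz",
    "/var/log/vmware/vpxd/drmdump/dump-0001.txt",
    r"C:\ProgramData\VMware\vCenterServer\logs\vpxd\vpxd-12.log.gz",
    r"C:\ProgramData\VMware\vCenterServer\logs\vpxd\drmdump\dump-0001.txt",
]

# Assumed alternative that excludes drmdump under either separator; not from the add-on.
PORTABLE_BLACKLIST = r"(\.gz$)|([\\/]drmdump[\\/])"


def parse_monitor_stanzas(text):
    """Return {monitored path: {key: value}} for every [monitor://...] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[monitor://(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def owning_stanza(stanzas, path):
    """Longest monitor path that is a directory prefix of `path` (separator- and case-insensitive)."""
    target = path.replace("\\", "/").lower()
    best = None
    for base in stanzas:
        prefix = base.replace("\\", "/").lower().rstrip("/") + "/"
        if target.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, base)
    return best[1] if best else None


def would_index(stanzas, path, blacklist_override=None):
    """True if the file sits under an enabled monitor and its blacklist regex does not match."""
    base = owning_stanza(stanzas, path)
    if base is None:
        return False
    settings = stanzas[base]
    if settings.get("disabled", "0").lower() not in ("0", "false"):
        return False
    pattern = settings.get("blacklist") if blacklist_override is None else blacklist_override
    # Splunk applies blacklist as a regex against the full path; re.search mirrors that.
    return not (pattern and re.search(pattern, path))


def audit(stanzas, files, blacklist_override=None):
    """Map each sample file to whether it would be indexed under the given stanzas."""
    return {f: would_index(stanzas, f, blacklist_override) for f in files}


if __name__ == "__main__":
    stanzas = parse_monitor_stanzas(SAMPLE_INPUTS_CONF)
    for path, indexed in audit(stanzas, SAMPLE_FILES).items():
        print(f"{'index ' if indexed else 'skip  '} {path}")
```

Run against the page's pattern, the Linux drmdump file is reported as indexed while its Windows counterpart is skipped; passing PORTABLE_BLACKLIST as blacklist_override skips both. Drop the real local/inputs.conf text into SAMPLE_INPUTS_CONF and a directory listing into SAMPLE_FILES to check a live deployment the same way.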
Forward VMware vCenter Linux appliance logs to Splunk Enterprise
To forward VMware vCenter Linux appliance logs to your Splunk Enterprise indexers or search head, install a Splunk Enterprise forwarder on the VMware vCenter Linux appliance itself. Shell access on the vCSA must be enabled.
- Install a Splunk forwarder on the VMware vCenter Server Appliance.
- Install the Splunk_TA_vcenter package on the Splunk platform forwarder:
- Download Splunk Add-on for vCenter Logs from Splunkbase and extract its components.
- Copy the Splunk_TA_vcenter package from the extracted components to the $SPLUNK_HOME/etc/apps directory.
- Copy the inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/default into the $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local directory.
- Open the local inputs.conf file and point the monitor stanzas at the appliance log directories under /var/log/vmware.
- (Optional) If you configured Splunk Enterprise as a heavy forwarder and want to monitor the license file and Tomcat configuration files, copy $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/default/props.conf into the $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local directory and edit the paths there.
- Start the Splunk universal forwarder.
Collect vCenter Server Appliance logs via syslog
Syslog type | Supported vCSA version | Log types |
---|---|---|
rsyslog | 7.0, 8.0 | vpxd, vpxd-profiler, vpxd-alert |
Rsyslog on vCenter 7.0 & 8.0
Enable syslog forwarding using rsyslog for vCSA 7.0/8.0 logs.
- Open a shell on your vCenter appliance and navigate to the /etc directory.
- Open the rsyslog.conf file.
- Add the configuration below, replacing <IP/HOSTNAME> with the IP address or hostname of the machine that is to receive the vCSA logs. Load the imfile module once; rsyslog reports an error if the same module is loaded a second time.
Example:
$template vclogtemplate,"%syslogtag% %rawmsg%"
$ModLoad imfile

$InputFileName /var/log/vmware/vpxd/vpxd.log
$InputFileTag vpxd
$InputFileStateFile state-vpxd
$InputFileSeverity all
$InputRunFileMonitor

$InputFileName /var/log/vmware/vpxd/vpxd-profiler.log
$InputFileTag vpxd-profiler
$InputFileStateFile state-vpxd-profiler
$InputFileSeverity all
$InputRunFileMonitor

$InputFileName /var/log/vmware/vpxd/vpxd-alert.log
$InputFileTag vpxd-alert
$InputFileStateFile state-vpxd-alert
$InputFileSeverity all
$InputRunFileMonitor

$InputFileName /var/log/vmware/vws/watchdog-vws/watchdog-vws-syslog.log
$InputFileTag vws
$InputFileStateFile state-vws
$InputFileSeverity all
$InputRunFileMonitor

$InputFileName /var/log/vmware/perfcharts/stats.log
$InputFileTag stats
$InputFileStateFile state-stats
$InputFileSeverity all
$InputRunFileMonitor

*.* @@<IP/HOSTNAME>:1517;vclogtemplate
The selector *.* forwards every message rsyslog handles on the appliance, not only the five files above, and @@ sends them over plain TCP without encryption. Keep the path between the appliance and the receiver inside a trusted management network, and limit which source addresses may reach the receiver's port.
- After changing the conf file, restart the syslog service so the changes take effect, for example with service syslog restart.
- On the receiving Splunk instance, navigate to $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter and create a local folder.
- In $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local, create an inputs.conf file.
- Open $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/default/inputs.conf and copy the stanza below.
#[tcp://1517]
#connection_host = dns
#index = vmware-vclog
#sourcetype = vclog
#disabled = 0
- Paste the copied stanza into the local inputs.conf.
- Enable the stanza in local/inputs.conf by removing the leading # from each line.
Because TCP port 1514 is used for receiving ESXi logs, port 1517 is used by default for vCenter logs. You can use any other open port, as long as the port in the rsyslog forwarding rule and in the [tcp://...] stanza match.
File properties | Description |
---|---|
$InputFileName | Used to monitor specific files. |
$InputFileTag | Sets the tag prefixed to each event. Give each monitored file a distinct $InputFileTag so your Splunk platform deployment can assign the right sourcetype to each log. |
$InputFileStateFile | Used to keep track of which parts of the monitored file are already processed. Must be unique. |
$InputFileSeverity | Sets the syslog severity assigned to messages read from the file; all forwards every line. |
$InputRunFileMonitor | Used to activate the monitoring. |
For more information on configuration details, go to the text file input module page in the Rsyslog documentation.
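The rsyslog side and the Splunk side of this procedure are edited on different machines, and a mismatch (a port that differs between the forwarding rule and the [tcp://...] stanza, a stanza left commented out, a state file reused by two $InputFile blocks, a UDP @ where TCP @@ was meant) produces no error, just missing events. The following Python is an added example, not code from this page or from the add-on: it parses constructed rsyslog directives in the legacy form shown above together with constructed inputs.conf text, cross-checks them, and shows how the $InputFileTag prefix survives the "%syslogtag% %rawmsg%" template so that per-log sourcetypes can be keyed on it. The receiver hostname and the sample vpxd line are assumptions made for the example, and the rendered event assumes imfile sets the syslog tag exactly to the configured $InputFileTag.

```python
import re

# Constructed rsyslog fragment in the legacy-directive form this page uses,
# trimmed to two files; the receiver hostname is a placeholder, not a real host.
SAMPLE_RSYSLOG_CONF = r"""
$template vclogtemplate,"%syslogtag% %rawmsg%"
$ModLoad imfile
$InputFileName /var/log/vmware/vpxd/vpxd.log
$InputFileTag vpxd
$InputFileStateFile state-vpxd
$InputFileSeverity all
$InputRunFileMonitor
$InputFileName /var/log/vmware/vpxd/vpxd-alert.log
$InputFileTag vpxd-alert
$InputFileStateFile state-vpxd-alert
$InputFileSeverity all
$InputRunFileMonitor
*.* @@splunk-receiver.example.internal:1517;vclogtemplate
"""

# The shipped stanza as this page quotes it (still commented out) ...
DEFAULT_INPUTS_CONF = r"""
#[tcp://1517]
#connection_host = dns
#index = vmware-vclog
#sourcetype = vclog
#disabled = 0
"""

# ... and the same stanza after it has been copied to local/ and uncommented.
LOCAL_INPUTS_CONF = DEFAULT_INPUTS_CONF.replace("\n#", "\n")


def parse_imfile_inputs(text):
    """Group the $InputFile* directives into one record per $InputRunFileMonitor."""
    inputs, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\$(InputFileName|InputFileTag|InputFileStateFile|InputFileSeverity)\s+(\S+)$", line)
        if m:
            current[m.group(1)] = m.group(2)
        elif line == "$InputRunFileMonitor":
            inputs.append(current)
            current = {}
    return inputs


def parse_forward_rule(text):
    """Parse the '*.* @@host:port;template' action: @@ is TCP, a single @ is UDP."""
    m = re.search(r"^\*\.\*\s+(@@?)([^:;\s]+):(\d+)(?:;(\S+))?\s*$", text, re.M)
    if not m:
        return None
    return {"proto": "tcp" if m.group(1) == "@@" else "udp",
            "host": m.group(2), "port": int(m.group(3)), "template": m.group(4)}


def parse_tcp_listeners(text):
    """Return {port: settings} for every active [tcp://...] stanza; '#' lines are ignored."""
    listeners, port = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[tcp://(?:[^\]:]*:)?(\d+)\]$", line)
        if m:
            port = int(m.group(1))
            listeners[port] = {}
        elif port is not None and "=" in line:
            key, _, value = line.partition("=")
            listeners[port][key.strip()] = value.strip()
    return listeners


def check_pipeline(rsyslog_text, inputs_text):
    """Return a list of problems; an empty list means both sides of the pipeline agree."""
    problems, state_files = [], {}
    for rec in parse_imfile_inputs(rsyslog_text):
        name = rec.get("InputFileStateFile")
        if name in state_files:
            problems.append(f"state file {name} is shared by {state_files[name]} and {rec.get('InputFileName')}")
        state_files[name] = rec.get("InputFileName")
    rule = parse_forward_rule(rsyslog_text)
    if rule is None:
        problems.append("no '*.*' forwarding rule found")
        return problems
    if rule["proto"] != "tcp":
        problems.append("forwarding uses UDP (@); the add-on listens on TCP, so use @@")
    templates = set(re.findall(r"^\$template\s+(\w+),", rsyslog_text, re.M))
    if rule["template"] and rule["template"] not in templates:
        problems.append(f"template {rule['template']} is referenced but never defined")
    listeners = parse_tcp_listeners(inputs_text)
    if rule["port"] not in listeners:
        problems.append(f"rsyslog sends to TCP {rule['port']} but inputs.conf has no active [tcp://{rule['port']}] stanza")
    elif listeners[rule["port"]].get("disabled", "0") != "0":
        problems.append(f"[tcp://{rule['port']}] is present but disabled")
    return problems


def render_event(tag, raw_line):
    """One line as the receiver sees it under the page's template '%syslogtag% %rawmsg%'."""
    return f"{tag} {raw_line}"


def tag_of(event):
    """Recover the $InputFileTag prefix from a received event; per-log sourcetypes can key on it."""
    return event.split(" ", 1)[0]
```

Feed the real /etc/rsyslog.conf and local/inputs.conf contents to check_pipeline before restarting either service; against the page's shipped default, it reports that the [tcp://1517] stanza is still commented out, which is exactly the step people forget.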