Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Access permissions and credentials

To install Splunk for VMware, you must have access to all of the system components in your environment:

  • vCenter machines and ESX/i hosts.
  • Splunk forwarders, indexers, and search heads.
  • Networks on which the resources reside.
  • Splunk for VMware Solution components.

You must also have user credentials that give you the required levels of permissions to access these components. To install Splunk for VMware successfully, these credentials must let you:

  • Install software.
  • Modify configuration files.
  • Access the systems on which the virtual machines reside.


| Component | Permissions |
|---|---|
| vCenter Server and the Splunk Add-on for vCenter | To install a Splunk forwarder on vCenter Server, you must have MS-Windows install permissions on the Windows box. You need these permissions to access the Windows machine and to install software on it. Use these permissions to install the Splunk Add-on for vCenter. |
| The Forwarder Appliance Virtual Machine (FA VM) | The FA VM comes with its own default set of user accounts and permissions, provided as part of the install. You must have permissions to deploy the FA VM. See "About the FA VM" in this manual for the default credentials. |
| Splunk App for VMware | Use the admin user credentials you use to run Splunk to install the App on the Splunk indexer / search head. You must have Admin install permissions in Splunk to install the Splunk App for VMware (either directly in the file system or via the web browser). |

For more information about the permissions Splunk needs to run on Windows, see "Choose the user Splunk should run as" in the Splunk Installation Manual. There are no special requirements for installing the Splunk for VMware solution.

Why create service accounts

The FA VM gathers data directly from ESX/i hosts and vCenter machines over the network using the VMware Perl SDK. This happens via an HTTPS connection to a Web services API presented by each machine. To access these secure channels, the FA VM must have login credentials for the service accounts created for each VC and ESX/i host monitored by the solution.

Before installing Splunk for VMware, you must create the service accounts with the minimal permissions set that the Splunk for VMware solution needs.

About service accounts

VMware does not keep user credential information stored in its back-end database. The authentication service is provided by the underlying operating system. As vCenter runs on Windows, authentication is provided through the Windows operating system. For ESX/i hosts, authentication is provided by the internal Linux OS kernel on which the hypervisor is based. The procedure for creating service accounts on vCenter machines and ESX/i hosts differs due to the underlying differences in the operating systems.

VMware uses the underlying operating system's authentication mechanism because it is more flexible, more secure, and can be more easily integrated with other AAA or identity and access management tools. This is especially useful in large-scale environments where identity management tools are critical.

Recommendations

  • We recommend that you create service accounts with a common name (e.g. splunksvc).
  • Both vCenter and ESX/i host machines can be configured to join an Active Directory domain and leverage the enterprise's existing authentication infrastructure. With the machines joined to a domain, creating a new service account and making it available to all of your machines is significantly easier. For instructions on how to configure your machines and join them to an Active Directory domain, see the VMware product documentation.
  • When using "local" user accounts (non-Active Directory accounts), create service accounts on each machine using a method that depends on the machine type.
    • For VC machines, use the facility provided by the Windows operating system.
    • For ESX/i hosts, use the facility provided by the vSphere Client.
    • There are many ways to create local users on Windows and in ESX/i hosts, such as PowerShell scripts, Perl scripts, and so on. Use whatever method works for you to create the correct permissions needed by Splunk for VMware.
  • After you create the service account on all of your machines, you must then create a "role" in all of your vCenter and ESX/i hosts. Using the vSphere Client, create the role with the minimal permissions necessary for the Splunk for VMware solution to work. We recommend that you create a role using a common name (e.g. splunkreader).
  • Map the new service account to the new role using the permissions facility in VMware. This is how vCenter and ESX/i hosts know what operations the service account is allowed to perform. Do this using the vSphere Client.
  • After creating service accounts, roles, and assigning permissions on each machine, store the credentials for the service account (username and password) in a safe place. The credentials that you created for the VC and ESX/i hosts are used during installation to create the configuration files, engine.conf and/or credentials.conf file(s).
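
The role and permission steps above can also be scripted with VMware PowerCLI instead of the vSphere Client. The following is an added example, not part of the original guide or of Splunk's own tooling; it covers vCenter only and ends with two least-privilege checks. The server name and the privilege list are assumptions: this page does not enumerate the minimal permission set, so the read-only baseline shown must be replaced with the set the solution documents.

```powershell
# Added example. Assumes VMware PowerCLI is installed and the account
# 'splunksvc' already exists (local Windows user or Active Directory account).
$Server       = 'vcenter.example.com'   # placeholder server name
$Principal    = 'splunksvc'             # service account name recommended above
$RoleName     = 'splunkreader'          # role name recommended above
# Assumption: read-only baseline. Replace with the documented minimal set.
$PrivilegeIds = 'System.Anonymous', 'System.Read', 'System.View'

Connect-VIServer -Server $Server -Credential (Get-Credential) | Out-Null

# Create the role only if it is missing, so the script can be re-run safely.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $PrivilegeIds)
}

# Map the service account to the role at the root folder and propagate down.
$root     = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Check 1: the role holds nothing beyond the intended privileges.
$extra = (Get-VIRole -Name $RoleName).PrivilegeList |
    Where-Object { $_ -notin $PrivilegeIds }
if ($extra) {
    Write-Warning "Role $RoleName has unexpected privileges: $($extra -join ', ')"
}

# Check 2: the service account is not bound to any other role on any object.
$other = Get-VIPermission -Principal $Principal |
    Where-Object { $_.Role -ne $RoleName }
if ($other) {
    Write-Warning "$Principal has permissions outside ${RoleName}:"
    $other | Format-Table Entity, Role, Propagate
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

Re-running the script after installation is a quick way to confirm that nobody has widened the role or granted the service account a second, broader role.
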
Last modified on 18 September, 2012

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0

