Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Configure default properties for the FA VM

The FA VM has default values set for certain properties. You can change the default values to suit your environment. The instructions to do this are provided in this topic. The following table lists some of the properties you can change:

Property Description
default passwords The FA VM automatically comes with 2 built-in user accounts and passwords; the admin account (splunkadmin / changeme) and root (root / changemenow). We encourage you to change the passwords. To do so, see change default passwords in this topic.
OS Hostname The FA VM automatically gets a default OS hostname (splunkvmwarefa). To change the hostname to suit your environment, see Set the FA VM's OS hostname in this topic. In this example we set the OS Hostname to splunkfa1.
Splunk "OS Hostname"-related settings The FA VM comes pre-installed with a Splunk forwarder, but certain configuration settings must be given the same value as the OS Hostname. To change these Splunk settings to the new OS Hostname you set, see Set the 'OS hostname'-related settings in the FA VM's Splunk instance in this topic.
IP Address The FA VM gets an IP Address using DHCP. After deploying the FA VM, you can change this to a static IP address. For more information, see Set static IP addresses in this topic.
Timezone The FA VM has its timezone set to "US/Pacific" by default. We highly recommend that you set the correct timezone so that your FA VM will report time in a zone that you can easily understand. To change the timezone to suit your needs, see Set the timezone in the FA VM in this topic.
NTP NTP is set automatically using the default CentOS time server pool. To change the NTP servers that your FA M uses, see Change_the_NTP_server_pool_list in this topic.


Change the default passwords

We recommend that you change the FA VM's default passwords for both built-in users (splunkadmin and root):

  1. Log in as user=splunkadmin and password=changeme.
  2. Run the "passwd" command to change the password for the splunkadmin user.
    3. passwd
  3. Logout (hit CTRL-D, or run the command "logout")
  4. Log back into the FA VM as user=root and password=changemenow.
  5. Run the "passwd" command to change the password for the root user.
    6. passwd
  6. Logout (hit CTRL-D, or run the command "logout")
  7. Note: Make sure to store your new passwords in a safe place where you will not forget them.


Set the FA VM's OS hostname

We recommend that you set the FA VM's hostname to one that is appropriate for your environment:

  1. Log in as user=splunkadmin and password=changeme.
  2. Using a text editor such as vi, edit the /etc/sysconfig/network file. You may need to enter the splunkadmin password if you haven't run sudo recently. 
    cd /etc/sysconfig
sudo vi network
  3. Substitute the hostname parameter with your own value.
    4. HOSTNAME=splunkfa1.company.com
  4. After editing this file, run the hostname command and restart the networking service for the changes to take effect. If you plan to set a static IP address in the FA VM, you can wait until you have completed that step (see below) before restarting the networking service - just omit the second command.
    5. sudo hostname splunkfa1.company.com
sudo /etc/init.d/network restart

Set the "OS hostname"-related settings in the FA VM's Splunk instance

Important: Do not forget to do this step! You must make the following changes as the splunkadmin user using the admin account (splunkadmin / changeme)

  1. At the command line, stop Splunk:
    2. splunk stop
cd $SPLUNK_HOME/etc/system/local
  2. Using a text editor (such as "vi"), modify the "host" setting in the inputs.conf file. Substitute the current value with the initial portion of the "OS hostname" value you set above (e.g. "splunkfa1"):
    3. host = splunkfa1
  3. Save the inputs.conf file and exit.
  4. In the same directory, use a text editor to modify the "serverName" setting in the server.conf file. Substitute the current value with the same value that you set in the inputs.conf file (e.g. "splunkfa1"):
    5. serverName = splunkfa1
  5. Save the server.conf file and exit.

Note: You do not need to start Splunk after completing this step. Splunk will be started later in the installation process, after configuration files have been created.

Set static IP addresses

While not required, we recommend that you set a static IP address for the FA VM. Using DHCP (dynamic addressing) can cause the FA's IP address to vary over time, and this can cause unexpected results. Connecting to a specific FA can become difficult (especially if DNS is down). You may want to connect to the FA to perform maintenance or to determine which FA VM is sending data.

It is best to log in as the splunkadmin user to make changes to the FA VM.

To set a static IP address on the FA:

  1. Using a text editor (such as vi) edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file. 
    2. cd /etc/sysconfig/network-scripts/
sudo vi ifcfg-eth0
  2. Substitute the IPADDR and NETMASK values as appropriate for your environment. If BOOTPROTO is set to dhcp, change it to static or none.
    3. DEVICE=eth0
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPADDR=10.33.17.142
NETMASK=255.255.255.0
  3. Save your changes to the file and exit.
  4. Set your default gateway by editing the /etc/sysconfig/network file: 
    5. cd /etc/sysconfig
sudo vi network
  5. Add the gateway parameter on its own line at the end of the file using the IP address of the FA's default gateway (router interface).
    6. GATEWAY=192.168.0.1
  6. Save your changes to the file and exit.
  7. Modify the /etc/resolv.conf file to update the DNS settings: 
    8. sudo vi /etc/resolv.conf
  8. Substitute the existing parameters with your own. 
    search company.com
nameserver 192.168.0.7
nameserver 192.168.0.8
  9. Save your changes to the file and exit.
  10. Restart the networking service: 
    11. sudo /etc/init.d/network restart

Other related Links:


Set the timezone in the FA VM

You must change the timezone in the FA VM if you are not in the (default) PST timezone otherwise the time stamp in your log files will not match the timezone within the VMware installation you are monitoring. To make this change, log in as user=splunkadmin and password=changeme. Replace the default by creating a link to the file /etc/localtime.

1. Run the following command on the command line to see what timezone your system is set to: 

   date

2. In the Timezone folder, select the file that corresponds to your location and note the name of the folder and the file name for your timezone: 

   cd /usr/share/zoneinfo

3. Backup the existing localtime file: 

   sudo mv /etc/localtime /etc/localtime.bak

4. Create a link to the file /etc/localtime. For example, to select the timezone for New York, use the command: 

   sudo ln -s /usr/share/zoneinfo/America/New_York /etc/localtime

5. To test that the correct time, date, and timezone are reported, run: 

   date

The output is: 

   Thu Jan 26 13:07:44 EST 2012

Other related links:

Change the NTP server pool list

The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Most *Nix systems provide you with the ability to set up or change time synchronization.

Other related references: For more information about NTP and configuring NTP, see the following articles:

You can change the NTP servers that your FA VM uses by editing the /etc/ntp.conf file.

The default values for the servers in /etc/ntp.conf are: 

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

To use different NTP servers, replace the default values in the file with your specific values. Restart ntpd for the changes to take effect. 

sudo service ntpd restart

Disable NTP on the FA VM

If you do not have access to the internet you can disable NTP on the FA VM. This can happen when you are operating behind a firewall that precludes access to the Internet. If you disable NTP, re-enable VMware Tools Clock Synchronization which gets the FA's time from the underlying ESX/i host. Log in and execute the following commands as the splunkadmin user.

  1. Stop ntpd service and configure it so that it does not run at system startup:
    2. sudo service ntpd stop
sudo chkconfig ntpd off
  2. Enable timesync:
    3. vmware-toolbox-cmd timesync enable
  3. Check that timesync is enabled correctly:
    4. vmware-toolbox-cmd timesync status
Last modified on 20 June, 2012
Install the FA VM   Install the Perl API package into the FA VM

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters