Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Create a service account on vCenter

Manually create a limited-permission service account on VMware vCenter before installing the Splunk App for VMware. This involves creating vCenter users and roles, and then assigning the users to the roles. Validate the account once it is created.

This topic shows you how you can manually create service accounts for vCenter.

Create users

A user is required for authentication and is assigned a role in later steps for authorization. The following steps show how to create local users. If you use ActiveDirectory for authentication on your Windows OS (vCenter) machines, see the instructions in "Make users in ActiveDirectory" in this topic.

Create local users on your Windows OS (vCenter) machines

  1. Log into the Windows OS with an administrator account.
  2. Open the Windows Start menu, and click Control Panel.
  3. In the User Accounts screen, click Add or remove user accounts.
  4. In the Manage Accounts window, click Create a new account.
  5. Enter a name for the account (for example, splunksvc) and select Standard user. If you add the new user as Administrator, the user has an Administrator role in vSphere, and any lesser role assigned to it has no effect.
  6. Click Create Account.
  7. In the Manage Accounts screen, click your new user.
  8. In the Change an Account screen, click Create a password and assign a password to the user.

The new user account appears as a Standard user, and the account shows that it is Password protected. You now have a local Windows user compatible with the vSphere permissions system.

See Microsoft Windows documentation for more information.

Make users in ActiveDirectory

For machines that participate in an Active Directory (AD) domain, create a service account in the given domain using the appropriate control panel in Windows Server. Most VMware environments use a single Active Directory domain for authentication. However, if you use multiple AD domains, then create a service account in each domain that your VMware environment uses.

How to create a service account within Active Directory varies depending upon your specific environment. Detailed steps are beyond the scope of this document. Contact your AD administrator to learn how to do this correctly for your environment.

When the service account(s) in AD are created, create a role and map it to the service account just created (in AD). See "Make local users on your Windows OS (vCenter) machines."

Create roles on each vCenter machine in your environment

To create a role on vCenter:

  1. Open the vSphere client and connect to the vCenter. Log in with administrative privileges.
  2. Click Home in the path bar.
  3. Under Administration click Roles.
  4. Click the Add Role button.
  5. In the Add new Role dialog, enter a name for the role (e.g. splunkreader).
  6. Select the appropriate permissions for the role. (See "Required permissions in vSphere" in this topic.)

Required permissions in vSphere

The following table lists the permissions for the role you create in vCenter for all of the VMware versions we support. See "VMware versions supported" in this manual. Permissions are required for the data collection node to collect data from vCenter.

Setting permissions to use your own Syslog server

If you have a syslog server that you want to use to collect data from the ESXi hosts, use the following permissions:

Permission
System.Anonymous
System.Read
System.View

Note: For user-defined roles, the system-defined privileges System.Anonymous, System.Read, and System.View are always present.

Setting permissions to use a Splunk intermediate forwarder

If you configure your ESXi hosts to forward syslog data to one or more intermediate forwarders, use the following permissions:

Permission
System.Anonymous
System.Read
System.View
Host.Config.AdvancedConfig
Host.Config.NetService*

* Using the vSphere client, you can enable the syslog firewall for the specific hosts. If you do this, the Host.Config.NetService permission is no longer required.

The Splunk best practice is to use your own Syslog server and to install a Splunk forwarder on it to forward the data.

Click OK to see your role display in the list of roles.

Assign users to roles

  1. In the vSphere client connect to the vCenter or ESXi host that contains the user and the role that you created and that you now want to link together.
  2. Go to Home. Click Inventory on an ESXi host, or click Inventory and then click the Hosts and Clusters screen on a vCenter.
  3. Right-click the root object in the hierarchy tree (on the left), then click Add Permission from the context menu.
  4. In the Assign Permissions window, under Users and Groups click Add... .
  5. Select the user from the list that will be assigned a role (for example, splunksvc), then click Add then click OK.
  6. In the Assign Permissions window, under Assigned Role select the role you want to assign to the user from the drop down menu (for example, splunkreader).
  7. Check that the Propagate to Child Objects check box is selected. It must be selected to assign all the necessary permissions to your user.
  8. Click OK to verify that your user is listed on the permissions tab and that they have the role that you assigned to them.
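
The role and permission settings described above can be checked against the two permission tables on this page. The following is an added example, not part of the Splunk documentation or the app; the record layout, the function name audit_service_account, and the sample values are assumptions constructed for illustration, and VirtualMachine.Interact.PowerOff stands in for any privilege the role does not need.

```python
# Privilege IDs from the two permission tables on this page.
BASE = {"System.Anonymous", "System.Read", "System.View"}
PROFILES = {
    "own_syslog": BASE,
    "intermediate_forwarder": BASE | {"Host.Config.AdvancedConfig",
                                      "Host.Config.NetService"},
}

def audit_service_account(role, assignment, profile, syslog_firewall_enabled=False):
    """Return findings; an empty list means the setup matches this page."""
    required = set(PROFILES[profile])
    if syslog_firewall_enabled:
        # Syslog firewall already enabled on the hosts in the vSphere client,
        # so Host.Config.NetService is no longer required.
        required.discard("Host.Config.NetService")
    granted = set(role["privileges"])
    findings = [f"missing privilege: {p}" for p in sorted(required - granted)]
    findings += [f"excess privilege: {p}" for p in sorted(granted - required)]
    if assignment["role"] != role["name"]:
        findings.append(f"assigned role is {assignment['role']}, not {role['name']}")
    if not assignment["propagate"]:
        findings.append("Propagate to Child Objects is not selected")
    if assignment["windows_account_type"] != "Standard user":
        # An Administrator account gets the Administrator role in vSphere,
        # which makes the limited role ineffective.
        findings.append("Windows account is not a Standard user")
    return findings

# Constructed sample input (hypothetical record layout, not a vSphere export format).
SAMPLE_ROLE = {
    "name": "splunkreader",
    "privileges": ["System.Anonymous", "System.Read", "System.View",
                   "Host.Config.AdvancedConfig",
                   "VirtualMachine.Interact.PowerOff"],  # not needed for collection
}
SAMPLE_ASSIGNMENT = {
    "principal": "splunksvc",
    "role": "splunkreader",
    "propagate": False,
    "windows_account_type": "Standard user",
}

if __name__ == "__main__":
    for finding in audit_service_account(SAMPLE_ROLE, SAMPLE_ASSIGNMENT,
                                         "intermediate_forwarder"):
        print(finding)
```
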


Verify log in credentials

Now that you have service accounts set up on each vCenter in your environment, you can verify that you set up your user credentials correctly. To test that your credentials work correctly on a target machine, point the vSphere Client at the machine or use a Web browser to access its Managed Object Browser (MOB).

To validate credentials for a target machine using the MOB, provide the initial URL of that machine (hostname) with /mob appended to the end:

https://<IP or DNS hostname of vCenter server or ESXi host>/mob

An Authentication Required login dialog is displayed asking for the username and password for the target machine.

If required, add a security exception in the browser so that the login dialog box is displayed. Then, for each vCenter or ESXi host that must be verified, enter the corresponding username and password combination for that vCenter or ESXi host.

Important: Do this validation step for each vCenter that has a service account created for it.

The service account credentials (username and password) you use to access the MOB are the same credentials used by the data collection node to get VMware data.

If your login is not successful, the login box is redisplayed without any further indication of failure. You can re-enter your username and password to ensure that you are supplying the correct credentials to the MOB. If your login remains unsuccessful, retrace the steps you followed to create the service accounts. Multiple failures usually indicate a problem in setting up the credentials when you created the user account, role, or mapping the permissions.

If you successfully log in to the MOB, the Web browser displays a page for each vCenter that contains the following information:

  • Managed Object Type
  • Managed object Id
  • Properties
  • Methods

Your service account is now set up correctly. Do this for each vCenter that you monitor using the Splunk App for VMware.

Note: Log in to the vCenter machine or the ESXi host using the vSphere Client to test that you created valid user credentials. If you can point the vSphere Client at each machine and log in successfully using the corresponding credentials, then the service accounts are set up correctly. This is effectively the same as logging in to the target machine's MOB.

Last modified on 09 October, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2, 3.1

