Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Configure Splunk for ESXi logs

To configure ESXi log data collection, identify the machine to use as your data collection point and check that the ESX/i hosts are set up to forward data to that data collection point.

  • For a first time install, use an intermediate forwarder as your data collection point and manually configure hosts to forward syslog data to the intermediate forwarder.
  • In a production installation, use the host profile to set up forwarding to your intermediate forwarders or syslog server.

Configure Splunk to receive syslog data

The Splunk App for VMware can receive ESXi log data via syslog from:

  • a Splunk intermediate forwarder. 
  • a syslog server with a Splunk forwarder monitoring logs.

Note that VMware vSphere 4.1 only supports syslog data collection using a UDP port. Data collection using a TCP port is not supported.

The Splunk App for VMware supports the following ports for syslog data collection:

  • TCP port 1514.
  • UDP port 514.

WARNING: When you use an intermediate forwarder to collect ESXi logs, the Splunk App for VMware configures all hosts to send data to the identified intermediate forwarders. This overwrites the existing log host setting and replaces it with the new intermediate forwarder settings. To continue using your syslog server, see Use your syslog server in this topic.

When you use the intermediate forwarder to collect ESXi logs, Splunk Enterprise is your default log repository.

Use your syslog server

Use your syslog server, set up with a Splunk Universal Forwarder, to monitor, collect, and store ESXi log files coming from the ESXi hosts.

To use your syslog server to collect and store ESXi logs:

  1. Install a Splunk Universal Forwarder on your syslog server to forward the data from your syslog server to the Splunk instance receiving the log data. (This can be an indexer or an intermediate forwarder.)
  2. Configure forwarding on your syslog server, in the outputs.conf file, to send data to your indexer or intermediate forwarder (the Splunk instance on which Splunk_TA_esxilogs is installed). For more information about setting up forwarding for your indexers, see Configure forwarders with outputs.conf in the Forwarding Data Manual.
  3. Install Splunk_TA_esxilogs under $SPLUNKHOME/etc/apps on the machine that will receive log data from your syslog server.
  4. Create an inputs.conf file in the system/local folder (on the machine where Splunk_TA_esxilogs is installed) to monitor the esxi hosts log files. For each monitor stanza in the inputs.conf file specify the sourcetype for the data (vmw-syslog) and the index (vmware-esxilog) for the data. See "Configure your inputs" in the Getting Data in manual for more information.
  5. Assign the host field (on the machine where Splunk_TA_esxilogs is installed). This step is not required when you use an intermediate forwarder, as the Splunk App for VMware can automatically assign the host based on the original data source. The Splunk App for VMware can not determine the originating host for the data when you use a syslog server as your data store and you forward that data to the Splunk indexer. Create a local version of props.conf and transforms.conf in the $SPLUNKHOME/etc/apps/Splunk_TA_esxilogs/local/ directory and add the regular expressions to extract the host field. For example, the regular expression extraction in props.conf calls the set_host stanza of transforms.conf where the regular expression extraction extracts the host. The source and sourcetype fields are extracted by the settings in the props.conf and transforms.conf files in $SPLUNKHOME/etc/apps/Splunk_TA_esxilogs/default. Do not override these fields in the local versions of these files.

Use an intermediate forwarder

To set up forwarding to an intermediate forwarder:

  1. Install Splunk 5.0.4 on a machine identified as the intermediate forwarder. (This can be the data collection node OVA.) We recommend a ratio of 1 intermediate forwarder to 100 ESXi hosts.
  2. Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See Set up forwarding in the Distributed Deployment manual.
  3. Install the Splunk_forwarder_for_vmware package. Get the file splunk_forwarder_for_vmware-<version>-<build_number>.zip from the download package and put it in $SPLUNK_HOME.
  4. Unzip the file and check that Splunk_TA_esxilogs is in the SPLUNK_HOME/etc/apps/ directory.
  5. Use UDP port 514. As the Splunk user on the intermediate forwarder, you must have root privileges to configure data inputs. If you do not have the required privileges, use TCP port 1514.
  6. Enable the ports to receive syslog data. You can do this in Splunk Web using Manager or Settings or by manually modifying your inputs.conf file. In this example that uses Splunk Web, we use TCP port 1514.
    1. In Manager or Settings:
      1. Go to Data Inputs and add a new TCP port 1514.
      2. In the Setup screen enter the following information:
        TCP port: 1514
        Accept conditions from all hosts: yes
        Set sourcetype: Manual
        Source type: vmw-syslog
      3. Select More Settings and enter the following information:
        Set host: DNS
        Set the destination index for the source: vmware-esxilog. This is where the syslog data is sent. Do this after you have installed your app components.
    2. If you do not have access to Splunk Web, create an inputs.conf file in $SPLUNKHOME/etc/apps/Splunk_TA_esxilogs/local/ and add the following:
[tcp://1514]
disabled = 0

Configure ESXi Hosts to send data

Configure the ESXi hosts to forward log data to your syslog server or intermediate forwarder(s).

To manually configure ESXi hosts in the vSphere client:

  1. Select a host on the Hierarchy selector.
  2. Click the Configuration tab on the panel.
  3. Click Advanced Settings.
  4. In the modal dialog box, scroll down and select Syslog.
  5. Change the setting Syslog.global.loghost to the machine receiving the data. For example, enter tcp://yourmachine.yourdomain:1514. NOTE: vSphere version 4.1 only forwards to tcp. In this case, do not specify tcp://. ESXi hosts only forward to UDP port 514 or TCP port 1514. To forward to UDP port 514 check that your receiving machine is set up to do so.
  6. Click Save.
  7. Click Security Profile.
  8. Click Properties....
  9. In the modal dialog box click Firewall.
  10. Select Allow connections from any IP address or specify the connections allowed.
  11. Click Save.

Set up a Host profile

The VMware ESXi and vCenter Server documentation describes how to set up syslog from the Host Profile.

Configure all hosts remotely

The Splunk App for VMware can configure hosts remotely when you use an intermediate forwarder to collect syslog data. See Configure data collection.

Last modified on 28 March, 2014
Considerations when using tsidx namespaces   Collect Windows vCenter log data

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters