Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Installation checklist

The installation checklist provides a general overview of the process involved in installing the Splunk App for VMware. It is not a substitute for the installation steps themselves.

Download the Splunk App for VMware

  • Download the Splunk App for VMware from Splunk Apps. See "Download the Splunk App for VMware" in this manual for information on where the individual app package files reside. During the installation you will get the relevant package files and install them into your environment.

On your indexer/search head:

  • Get the application package zip file splunk_app_vmware-<version>-<build_number>.zip from the download package.
  • Install the file into $SPLUNK_HOME on each indexer/search head in your environment. This contains all of the app components.
  • Note: For a dedicated indexer, install the components Splunk_TA_vmware, Splunk_TA_vcenter, Splunk_TA_esxilogs, SA-Utils, and SA-Hydra into the $SPLUNK_HOME/etc/apps directory.
  • Restart Splunk.
  • Now that the app is installed, in Manager, set up roles for the users of the app.
  • Note: For a first time install, the Setup screen is displayed. Accept all of the default options on the Setup screen.

Configure Splunk for ESXi logs

  • Use your own syslog server (not documented here) and forward the data to an indexer.
  • Set up forwarding to an intermediate forwarder and then to a Splunk indexer.
    • To collect ESXi log data, in Manager select Data inputs and enable a UDP (recommended) or TCP port on which you can collect syslog data. The Splunk App for VMware must have TCP port 1514 or UDP port 514 enabled to collect syslog data.

On the data collection node:

  • Install the app, splunk_forwarder_for_vmware_<version>.zip, in $SPLUNK_HOME.
  • Change the default Splunk password on the forwarder (the recommended method) or change the settings in the /etc/system/local/server.conf file to allow remote login to the data collection node.
  • Restart Splunk.

On vCenter:

  • Create users on the vCenter machine with a limited permission set.
  • Check that the scheduler can access the forwarder on the vCenter server (required for a universal forwarder) on port 8090 and that firewalls do not block the connection.
  • To collect log data from vCenter, get the Splunk Technology Add-on for VMware vCenter (Splunk_TA_vcenter-<version>-<build_number>.zip) from the download package.
  • Check that port 443 on vCenter is open. Check that the data collection node and the search head can access port 443 on vCenter. The data collection node collects data from vCenter and the Splunk search head validates the credentials.
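
The port checks in the items above can be scripted and run from each machine before configuring collection. This is an added example, not part of the Splunk documentation or the app; the role labels, the file name vmware_preflight.py and the host names passed on the command line are assumptions of the example. It tests TCP reachability only.

```python
import socket
import sys

# TCP requirements from the "On vCenter" items. Role names are this example's
# own labels for "who connects", not Splunk identifiers.
REQUIRED = [
    # (machine running the check, port on vCenter, purpose)
    ("data_collection_node", 443, "collect data from vCenter"),
    ("search_head", 443, "validate vCenter credentials"),
    ("scheduler", 8090, "reach the forwarder on vCenter"),
]


def tcp_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unresolvable name
        return False


def checks_for(role):
    """Ports the machine playing `role` must be able to reach on vCenter."""
    return [(port, why) for src, port, why in REQUIRED if src == role]


def preflight(role, vcenters, timeout=3.0, probe=tcp_open):
    """Probe every vCenter host for each port `role` needs.

    Returns a list of (host, port, purpose, reachable) tuples.
    """
    return [
        (host, port, why, probe(host, port, timeout))
        for port, why in checks_for(role)
        for host in vcenters
    ]


if __name__ == "__main__":
    # Usage: python vmware_preflight.py <role> <vcenter-host> [<vcenter-host> ...]
    if len(sys.argv) < 3 or not checks_for(sys.argv[1]):
        sys.exit("usage: <role> <vcenter-host>...; roles: "
                 + ", ".join(sorted({r for r, _, _ in REQUIRED})))
    results = preflight(sys.argv[1], sys.argv[2:])
    for host, port, why, ok in results:
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port}  ({why})")
    sys.exit(0 if all(ok for *_, ok in results) else 1)
```

A FAIL line means the connection was refused, timed out or the name did not resolve; the exit status is non-zero if any check fails.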

On your indexer/search head:

  • Log in to the Splunk App for VMware.
  • From the App menu, select Settings, then Collection Configuration.
    • Configure your data collection node credentials.
    • Configure your vCenter credentials.
      • Configure universal forwarder credentials on vCenter for vCenter log data.
      • Configure the collection of ESXi log (Syslog) data when using intermediate forwarders.
  • Start the scheduler.
Last modified on 01 April, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2

