Create a service account on vCenter
Manually create a limited permission service account on VMware vCenter before installing the Splunk App for VMware. This involves creating vCenter users and roles, and then assign the users to the roles. Validate the account once created.
This topic shows you how you can manually create service accounts for vCenter.
Create users
A user is required for authentication and is assigned a role in later steps for authorization. The following steps show how to create local users. If you use ActiveDirectory for authentication on your Windows OS (vCenter) machines, see the instructions in "Make users in ActiveDirectory" in this topic.
Create local users on your Windows OS (vCenter) machines
- Log into the Windows OS with an administrator account.
- Open the Windows Start menu, and click Control Panel.
- In the User Accounts screen, click Add or remove user accounts.
- In the Manage Accounts window, click Create a new account.
- Enter a name for the account (for example, splunksvc) and select Standard user. If you add the new user as Administrator the user will have an Administrator role in vSphere and a lesser role assigned to it will have no effect.
- Click Create Account.
- In the Manage Accounts screen, click your new user.
- In the Change an Account screen, click Create a password and assign a password to the user.
The new user account appears as a Standard user, and the account shows that it is Password protected. You now have a local Windows user compatible with the vSphere permissions system.
See Microsoft Windows documentation for more information.
Make users in ActiveDirectory
For machines that participate in an Active Directory (AD) domain, create a service account in the given domain using the appropriate control panel in Windows Server. Most VMware environments use a single Active Directory domain for authentication. However, if you use multiple AD domains, then create a service account in each domain that your VMware environment uses.
How to create a service account within Active Directory varies depending upon your specific environment. Detailed steps are beyond the scope of this document. Contact your AD administrator to learn how to do this correctly for your environment.
When the service account(s) in AD are created, create a role and map it to the service account just created (in AD). See "Make local users on your Windows OS (vCenter) machines."
Create roles on each vCenter machine in your environment
To create a role on vCenter:
- Open the vSphere client and connect to the vCenter. Log in with administrative privileges.
- Click Home in the path bar.
- Under Administration click Roles.
- Click the Add Role button.
- In the Add new Role dialog, enter a name for the role (e.g. splunkreader).
- Select the appropriate permissions for the role. (See "Required permissions in vSphere" in this topic.)
Required permissions in vSphere
The following table lists the permissions for the role you create in vCenter for all of the VMware versions we support. See "VMware versions supported" in this manual. Permissions are required for the data collection node to collect data from vCenter.
Setting permissions to use your own Syslog server
If you have a syslog server that you want to use to collect data from the ESXi hosts, use the following permissions:
Permission |
---|
System.Anonymous |
System.Read |
System.View |
Note: For user-defined roles, the system-defined privileges System.Anonymous, System.Read, and System.View are always present.
Setting permissions to use a Splunk intermediate forwarder
If you configure your ESXi hosts to forward syslog data to one of more intermediate forwarders, use the following permissions:
Permission |
---|
System.Anonymous |
System.Read |
System.View |
Host.Config.AdvancedConfig |
Host.Config.NetService* |
Using the vSphere client you can enable the syslog firewall for the specific hosts. By doing this you no longer require the permission Host.Config.NetService.
The Splunk best practice is to use your own Syslog server and to install a Splunk forwarder on it to forward the data.
Click OK to see your role display in the list of roles.
Assign users to roles
- In the vSphere client connect to the vCenter or ESXi host that contains the user and the role that you created and that you now want to link together.
- Go to Home. Click Inventory on an ESXi host, or click Inventory and then click the Hosts and Clusters screen on a vCenter.
- Right-click on the root object in the hierearchy tree (on the left), then click Add Permission from the context menu.
- In the Assign Permissions window, under Users and Groups click Add... .
- Select the user from the list that will be assigned a role (for example, splunksvc), then click Add then click OK.
- In the Assign Permissions window, under Assigned Role select the role you want to assign to the user from the drop down menu (for example, splunkreader).
- Check that the Propagate to Child Objects check box is selected. It must be checked to assign all the necesary permissions to your user.
- Click OK to verify that your user is listed on the permissions tab and that they have the role that you assigned to them.
Verify log in credentials
Now that you have have service accounts set up on each vCenter in your environment, you can verify that you set up your user credentials correctly. To test that your credentials work correctly on a target machine, point the vSphere Client at the machine or use a Web browser to access its Managed Object Browser (MOB).
To validate credentials for a target machine using the MOB, provide the initial URL of that machine (hostname) with /mob
appended to the end:
https://<IP or DNS hostname of vCenter server or ESXi host>/mob
An Authentication Required login dialog is displayed asking for the username and password for the target machine.
To add a security exception in the browser to display the login dialog box (if required), for the specific vCenters or ESXi hosts that must be verified, enter the corresponding username and password combination for that vCenter or ESXi host.
Important: Do this validation step for each vCenter that has a service account created for it.
The service account credentials (username and password) you use to access the MOB are the same credentials used by the data collection node to get VMware data.
If your login is not successful, the login box is redisplayed without any further indication of failure. You can re-enter your username and password to ensure that you are supplying the correct credentials to the MOB. If your login remains unsuccessful, retrace the steps you followed to create the service accounts. Multiple failures usually indicate a problem in setting up the credentials when you created the user account, role, or mapping the permissions.
If you successfully log in to the MOB, then a Web browser is displayed for each vCenter and it contains the following information:
- Managed Object Type
- Managed object Id
- Properties
- Methods
Your service account is now set up correctly. Do this for each vCenter that you monitor using the Splunk App for VMware.
Note: Log in to the vCenter machine or the ESXi host using the vSphere Client to test that you created valid user credentials. If you can point the vSphere Client at each machine and log in successfully using the corresponding credentials, then the service accounts are set up correctly. This is effectively the same as logging in to the target machine's MOB.
Installation checklist | Download the Splunk App for VMware from Splunk Apps |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2, 3.1
Feedback submitted, thanks!