Collect VMware vCenter Server Linux Appliance log data
You can collect logs from the VMware vCenter Server Linux Appliance, using Splunk. You can:
- export vCenter logs to another system that has Splunk Enterprise installed.
- install a Splunk Forwarder on the same machine to forward the VMware vCenter Linux appliance logs. See Forward the VMware vCenter Linux appliance logs to Splunk.
The VMware vCenter Server Linux Appliance logs are stored in /var/log/vmware
.
Export vCenter logs to another system that has Splunk installed
- Enable the VMware vCenter Server Appliance to store log files on NFS storage on a system that has Splunk installed as a Heavy forwarder or as a Light forwarder. See NFS Storage on the VMware vCenter Server Appliance in the VMware vSphere documentation.
- Install Splunk_TA_vCenter on the system where the Splunk forwarder is installed.
- Copy the
inputs.conf
file from$SPLUNK_HOME/etc/Splunk_TA_vCenter/default
to$SPLUNK_HOME/etc/Splunk_TA_vCenter/local
and update the file:- Change the log path to the log path for the vCenter Server Appliance logs in the following stanzas:
[monitor://$ALLUSERSPROFILE\Application Data\VMware\VMware VirtualCenter\Logs]
[monitor://$PROGRAMFILES\VMware\Infrastructure\tomcat\logs]
- Change the log path to the log path for the vCenter Server Appliance logs in the following stanzas:
- To monitor the license file and and tomcat configuration files (optional), add a stanza in the
inputs.conf
file. The paths to these files on the VMware vCenter Server Appliance are different to those on the Linux vCenter. - If you configured the Splunk instance as a heavy forwarder, copy the
$SPLUNK_HOME/etc/Splunk_TA_vCenter/default/props.conf
file to$SPLUNK_HOME/etc/Splunk_TA_vCenter/local
and edit the localprops.conf
file:- Change the log path to the log path for the vCenter Server Appliance logs in the following Stanzas:
[source::(?-i)...\\VMware VirtualCenter\\Logs\\cim-diag.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\sms.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\stats.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vim-tomcat-shared.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-alert-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-profiler-\d+.log(?:.\d+)?]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vws.log(?:.\d+)?]
[source::(?-i)...\\VMware\\VMware VirtualCenter\\vpxd.cfg]
[source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-profiler-\d+.log(?:.\d+)?]
- Change the licenses path to the vCenter Server Appliance licenses path in the [source::(?-i)...\\VMware\\VMware VirtualCenter\\licenses] stanza.
- Change the tomcat conf path to the vCenter Server Appliance tomcat conf path in the [source::(?-i)...\\VMware\\Infrastructure\\tomcat\\conf] stanza.
- Change the path to the vCenter Server Appliance path in the following stanzas:
[source::...\\Application Data\\VMware\\…]
[source::...\\VMware\\Infrastructure\\…]
- Change the log path to the log path for the vCenter Server Appliance logs in the following Stanzas:
- The vpxd log format on the VMware vCenter Server Appliance is different to that on the Linux vCenter. To get field extractions to work, update the regular expression in the
[vc_vpxd_fields]
stanza of the$SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local/transforms.conf
file. - If you configured the Splunk instance as a light forwarder, then edit the stanzas in
props.conf
on the Splunk Indexers receiving the log files. See how to edit theprops.conf
file in Step 5, for Splunk configured as a heavy forwarder. - Restart Splunk.
Forward the VMware vCenter Linux appliance logs to Splunk
Install a Splunk Forwarder on the VMware vCenter Linux appliance to forward VMware vCenter Linux appliance logs to your Splunk Indexers or combined Indexer Search Head(s).
- Install a Splunk forwarder on the VMware vCenter Server Appliance. See Collect Windows vCenter log data steps 1 to 3.
- Install Splunk_TA_vCenter on the Splunk forwarder.
- Get the
Splunk_TA_vcenter-<version>-<build_number>.zip
file from the download package and put it on vCenter. - Unzip the file
Splunk_TA_vcenter-<version>-<build_number>.zip"
under$SPLUNK_HOME
. It automatically unzips into the$SPLUNK_HOME/etc/apps
directory. On a universal forwarder, the installation path is$SPLUNK_HOME/splunkforwarder/etc/apps/
.
- Get the
- Follow steps 3 to 5 of Export vCenter logs to another system that has Splunk installed.
- Restart Splunk. See "Start and stop Splunk" in the Admin Manual.
Collect Windows vCenter log data | Upgrade |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2, 3.1
Feedback submitted, thanks!