Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Collect VMware vCenter Server Linux Appliance log data

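You can collect logs from the VMware vCenter Server Linux Appliance using Splunk in either of two ways: export the vCenter logs to another system that has Splunk installed, or install a Splunk forwarder on the appliance and forward the logs to Splunk.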

The VMware vCenter Server Linux Appliance logs are stored in /var/log/vmware.

Export vCenter logs to another system that has Splunk installed

  1. Enable the VMware vCenter Server Appliance to store log files on NFS storage on a system that has Splunk installed as a Heavy forwarder or as a Light forwarder. See NFS Storage on the VMware vCenter Server Appliance in the VMware vSphere documentation.
  2. Install Splunk_TA_vCenter on the system where the Splunk forwarder is installed.
  3. Copy the inputs.conf file from $SPLUNK_HOME/etc/Splunk_TA_vCenter/default to $SPLUNK_HOME/etc/Splunk_TA_vCenter/local and update the file:
    1. Change the log path to the log path for the vCenter Server Appliance logs in the following stanzas:
      [monitor://$ALLUSERSPROFILE\Application Data\VMware\VMware VirtualCenter\Logs]
      [monitor://$PROGRAMFILES\VMware\Infrastructure\tomcat\logs]
  4. To monitor the license file and tomcat configuration files (optional), add a stanza in the inputs.conf file. The paths to these files on the VMware vCenter Server Appliance are different from those on the Linux vCenter.
  5. If you configured the Splunk instance as a heavy forwarder, copy the $SPLUNK_HOME/etc/Splunk_TA_vCenter/default/props.conf file to $SPLUNK_HOME/etc/Splunk_TA_vCenter/local and edit the local props.conf file:
    1. Change the log path to the log path for the vCenter Server Appliance logs in the following stanzas:
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\cim-diag.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\sms.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\stats.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\vim-tomcat-shared.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-\d+.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-alert-\d+.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\vpxd-profiler-\d+.log(?:.\d+)?]
      [source::(?-i)...\\VMware VirtualCenter\\Logs\\vws.log(?:.\d+)?]
      [source::(?-i)...\\VMware\\VMware VirtualCenter\\vpxd.cfg]
    2. Change the licenses path to the vCenter Server Appliance licenses path in the [source::(?-i)...\\VMware\\VMware VirtualCenter\\licenses] stanza.
    3. Change the tomcat conf path to the vCenter Server Appliance tomcat conf path in the [source::(?-i)...\\VMware\\Infrastructure\\tomcat\\conf] stanza.
    4. Change the path to the vCenter Server Appliance path in the following stanzas:
      [source::...\\Application Data\\VMware\\…]
      [source::...\\VMware\\Infrastructure\\…]
  6. The vpxd log format on the VMware vCenter Server Appliance is different to that on the Linux vCenter. To get field extractions to work, update the regular expression in the [vc_vpxd_fields] stanza of the $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local/transforms.conf file.
  7. If you configured the Splunk instance as a light forwarder, then edit the stanzas in props.conf on the Splunk Indexers receiving the log files. See how to edit the props.conf file in Step 5, for Splunk configured as a heavy forwarder.
  8. Restart Splunk.
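
An added example, not part of Splunk's documentation or the TA: a shell version of step 3 that writes a local copy of inputs.conf with the two monitor stanza headers repointed, then lists any stanza header that still carries a Windows path (the same check applies to the local props.conf from step 5). The `disabled = 0` lines and the tomcat directory are constructed placeholders; `/var/log/vmware` is the appliance log path given above, so substitute the NFS mount point when the logs are exported to another system.

```bash
# Added example (not Splunk's code): localize a copy of the TA's inputs.conf.

# rewrite_monitor_headers SRC DST VC_LOG_DIR TOMCAT_LOG_DIR
# Writes SRC to DST with the two Windows monitor stanza headers from step 3
# replaced by the given directories. Settings under each stanza are untouched.
rewrite_monitor_headers() {
    local src=$1 dst=$2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite existing $dst" >&2
        return 1
    fi
    awk -v vc="$3" -v tc="$4" '
        { line = $0; sub(/[ \t\r]+$/, "", line) }
        line == "[monitor://$ALLUSERSPROFILE\\Application Data\\VMware\\VMware VirtualCenter\\Logs]" { print "[monitor://" vc "]"; next }
        line == "[monitor://$PROGRAMFILES\\VMware\\Infrastructure\\tomcat\\logs]" { print "[monitor://" tc "]"; next }
        { print }
    ' "$src" > "$dst"
}

# windows_leftovers FILE
# Prints (with line numbers) stanza headers that still use Windows paths:
# $ALLUSERSPROFILE, $PROGRAMFILES, or an escaped backslash (\\) separator.
windows_leftovers() {
    grep -nE '^\[.*(\$ALLUSERSPROFILE|\$PROGRAMFILES|\\\\)' "$1" || true
}

# Constructed sample: the two stanza headers from the page; the settings
# under them are placeholders, not the TA's real defaults.
demo_dir=$(mktemp -d)
cat > "$demo_dir/default_inputs.conf" <<'EOF'
[monitor://$ALLUSERSPROFILE\Application Data\VMware\VMware VirtualCenter\Logs]
disabled = 0

[monitor://$PROGRAMFILES\VMware\Infrastructure\tomcat\logs]
disabled = 0
EOF

# /var/log/vmware is the appliance log directory named on the page; the
# tomcat directory is an assumed placeholder to replace with the real one.
rewrite_monitor_headers "$demo_dir/default_inputs.conf" \
    "$demo_dir/local_inputs.conf" /var/log/vmware /path/to/appliance/tomcat/logs
cat "$demo_dir/local_inputs.conf"
windows_leftovers "$demo_dir/local_inputs.conf"
```

A stanza that still names a Windows path matches nothing on the Linux host and fails silently, so an empty result from `windows_leftovers` is the condition to check before restarting Splunk.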

Forward the VMware vCenter Linux appliance logs to Splunk

Install a Splunk Forwarder on the VMware vCenter Linux appliance to forward VMware vCenter Linux appliance logs to your Splunk Indexers or combined Indexer Search Head(s).

  1. Install a Splunk forwarder on the VMware vCenter Server Appliance. See Collect Windows vCenter log data steps 1 to 3.
  2. Install Splunk_TA_vCenter on the Splunk forwarder.
    1. Get the Splunk_TA_vcenter-<version>-<build_number>.zip file from the download package and put it on vCenter.
    2. Unzip the file Splunk_TA_vcenter-<version>-<build_number>.zip under $SPLUNK_HOME. It automatically unzips into the $SPLUNK_HOME/etc/apps directory. On a universal forwarder, the installation path is $SPLUNK_HOME/splunkforwarder/etc/apps/.
  3. Follow steps 3 to 5 of Export vCenter logs to another system that has Splunk installed.
  4. Restart Splunk. See "Start and stop Splunk" in the Admin Manual.
Last modified on 11 July, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1, 3.0.2, 3.1

