Splunk® App for VMware (Legacy)

Installation and Configuration Guide


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Installation checklist

The installation checklist provides a general overview of the process of installing the Splunk App for VMware. It is not a substitute for the installation steps themselves.

Download the Splunk App for VMware

  • Download the Splunk App for VMware from Splunk Apps. See "Download the Splunk App for VMware" in this manual for information on where the individual app package files reside. During the installation you will get the relevant package files and install them into your environment.

On your indexer/search head:

  • Get the application package zip file splunk_app_vmware-<version>-<build_number>.zip from the download package.
  • Install the file into $SPLUNK_HOME on each indexer/search head in your Unix or Linux environment. This contains all of the app components.
  • Note: for a dedicated indexer, install the components Splunk_TA_vmware, Splunk_TA_vcenter, Splunk_TA_esxilogs, SA-Utils, and SA-Hydra into the $SPLUNK_HOME/etc/apps directory.
  • Check that you have the latest versions of SA-Hydra (version 4.0.0) and SA-Utils (version 3.1.0) installed.
  • Restart Splunk.
  • Now that the app is installed, in Settings, set up roles for the users of the app.
  • Note: For a first-time install, the Setup screen is displayed. Accept all of the default options on the Setup screen.

Configure Splunk for ESXi logs

  • Use your own Syslog server and forward the data to your indexer or an intermediate forwarder.
  • Set up forwarding to an intermediate forwarder and then to a Splunk indexer.
    • To collect ESXi log data, in Settings select Data inputs and enable a UDP (recommended) or TCP port on which you can collect syslog data. The Splunk App for VMware must have TCP port 1514 or UDP port 514 enabled to collect syslog data.

On the data collection node:

  • Install the app, splunk_forwarder_for_vmware_<version>.zip, in $SPLUNK_HOME.
  • Change the default Splunk password on the forwarder (the recommended method) or change the settings in the /etc/system/local/server.conf file to allow remote login to the data collection node.
  • Check that you have the latest versions of SA-Hydra (version 4.0.0) and SA-Utils (version 3.1.0) installed.
  • Restart Splunk.

On vCenter:

  • Create users on the vCenter machine with a limited permission set.
  • Check that the Distributed Collection Scheduler can access the forwarder on the vCenter servers (required for a universal forwarder) on port 8090 and that firewalls do not prevent communication.
  • To collect log data from vCenter, get the Splunk Technology Add-on for VMware vCenter (Splunk_TA_vcenter-<version>-<build_number>.zip) from the download package.
  • Check that port 443 on vCenter is open. Check that the data collection node and the search head can access port 443 on vCenter. The data collection node collects data from vCenter and the Splunk search head validates the credentials.

On your indexer/search head:

  • Log in to the Splunk App for VMware.
  • From the App menu, select Settings > Collection Configuration.
    • Configure your data collection node credentials.
    • Configure your vCenter credentials.
      • Configure universal forwarder credentials on vCenter for vCenter log data.
  • Check that you have the latest versions of SA-Hydra (version 4.0.0) and SA-Utils (version 3.1.0) installed.
  • Start the Distributed Collection Scheduler.
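
The checklist asks three times for SA-Hydra 4.0.0 and SA-Utils 3.1.0, and lists the add-ons a dedicated indexer needs. The script below is an added example, not part of the Splunk documentation or the app; it assumes each app records its version as `version = X` in `etc/apps/<app>/default/app.conf`, and the function names `app_version` and `check_components` are hypothetical.

```shell
#!/bin/sh
# Added example, not Splunk's own tooling. Assumption: each app stores its
# version as "version = X" in etc/apps/<app>/default/app.conf.

# Versions this checklist names; the add-ons are only checked for presence.
REQUIRED="SA-Hydra:4.0.0 SA-Utils:3.1.0"
INDEXER_TAS="Splunk_TA_vmware: Splunk_TA_vcenter: Splunk_TA_esxilogs:"

# app_version HOME APP -> prints the version from app.conf (empty if none)
app_version() {
    conf="$1/etc/apps/$2/default/app.conf"
    [ -f "$conf" ] || return 0
    sed -n 's/^[[:space:]]*version[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | head -n 1
}

# check_components HOME [indexer] -> one status line per app; non-zero on any failure
check_components() {
    home=$1; rc=0; specs=$REQUIRED
    [ "${2:-}" = indexer ] && specs="$specs $INDEXER_TAS"
    for spec in $specs; do
        app=${spec%%:*}; want=${spec#*:}
        if [ ! -d "$home/etc/apps/$app" ]; then
            echo "MISSING  $app"; rc=1; continue
        fi
        have=$(app_version "$home" "$app")
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "MISMATCH $app found=${have:-unknown} expected=$want"; rc=1
        else
            echo "OK       $app ${have:-unversioned}"
        fi
    done
    return $rc
}

# Runs only when a path is given, e.g.: sh check.sh "$SPLUNK_HOME" indexer
if [ $# -gt 0 ]; then check_components "$@"; fi
```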
Last modified on 28 January, 2015

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1