Splunk® App for VMware

Installation Guide

This documentation does not apply to the most recent version of VMW.

Configure ports

Collect data from vCenter Server systems using the VMware API

The Splunk App for VMware relies on the Splunk Add-on for VMware to use the VMware API to collect data about your virtual environment. The Splunk Add-on for VMware communicates with vCenter Server using network ports and Splunk management ports.


This table lists the components that communicate with each other and the ports they use to communicate.

| Sender | Receiver | Port number | Description |
|---|---|---|---|
| Collection Configuration | vCenter Server | 443 | Uses port 443 to connect to the vCenter Server to verify that the vCenter Server credentials are valid. It uses this port to discover the number of managed ESXi hosts in the environment. |
| Splunk Add-on for VMware | Data Collection Node | 8089 | Connects to the Data Collection Node (DCN) on the default Splunk management port, TCP 8089. |
| Collection Configuration | Data Collection Node | 8008 | When the DCN and Splunk App for VMware have established a connection, the Collection Configuration dashboard, which typically runs on the search head, allocates data collection jobs to the DCN on TCP port 8008 (gateway port). In your environment, if another service uses port 8008, you can configure a different port for communication between the data collection node and the gateway. Data collection nodes do not have to communicate on the same port. The setting is gateway_port = 8008. To change the ports for each data collection node individually, set the port in each stanza. |
| Data Collection Node (DCN) | vCenter Server | 443 | Communicates with vCenter Server API on port 443 to execute the data collection tasks allocated to it. |
| Data Collection Node | Splunk indexer | 9997 | Uses port 9997 to forward data it has retrieved from the vCenter Server using the API. |

After Splunk App for VMware establishes a connection with vCenter Server, the DCN uses port 443 to obtain the credentials for vCenter Server. The DCN uses port 443 to determine the kind of data to collect, such as performance, inventory, or hierarchy data. Splunk App for VMware sends information to the data collection nodes using port 8008 about the information they need to collect from a specific vCenter Server system. The DCN retrieves the data from vCenter Server and forwards the data to the Splunk indexer on port 9997.

Collect log data from vCenter Server systems and ESXi hosts

You can collect log data from the vCenter Server system and the ESXi hosts in your environment. This table describes how the entities in your environment communicate.

| Sender | Receiver | Port number | Description |
|---|---|---|---|
| vCenter Server | Splunk indexer | 9997 | To send log data from the vCenter Server system on port 9997, install the Splunk Universal Forwarder and the Splunk_TA_vcenter on the vCenter Server system. If firewall issues prevent you from installing the Splunk App for VMware components on vCenter Server, forward the vCenter Server log data to the data collection node (DCN). The DCN contains all of the components required to collect vCenter Server log data. Forward this data from the DCN to Splunk indexers. |
| ESXi host | DCN / Syslog server | TCP port 1514 / UDP port 514 | Prior to ESXi version 5.5, ESXi versions supported either TCP or UDP, but not always both. For an environment with fewer than 40 ESXi hosts, send syslog traffic to the DCN. In a larger production environment, use a central syslog server with a Splunk Universal Forwarder and Splunk_TA_esxilogs add-on installed on it. Alternatively, you can send syslog to another DCN virtual machine dedicated to run as a syslog server for the ESXi hosts. |
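
The two port tables on this page can serve as a firewall allowlist. The following is an added example, not part of the Splunk documentation: it audits flow records against the documented ports and honors a per-DCN gateway_port. The role labels, host names, record format, and the 8010 override are assumptions made for the example.

```python
from collections import namedtuple

# Port matrix from the two tables on this page. Role names are labels chosen for
# this example; "search_head" assumes Collection Configuration and the add-on run there.
ALLOWED = {
    ("search_head", "vcenter"): {("tcp", 443)},
    ("search_head", "dcn"): {("tcp", 8089)},  # plus the per-DCN gateway port
    ("dcn", "vcenter"): {("tcp", 443)},
    ("dcn", "indexer"): {("tcp", 9997)},
    ("vcenter", "indexer"): {("tcp", 9997)},
    ("esxi", "dcn"): {("tcp", 1514), ("udp", 514)},
    ("esxi", "syslog"): {("tcp", 1514), ("udp", 514)},
}
DEFAULT_GATEWAY_PORT = 8008
Flow = namedtuple("Flow", "src dst proto port")

def parse_flow(line):
    """Parse one 'src dst proto port' record (format assumed for this example)."""
    src, dst, proto, port = line.split()
    return Flow(src, dst, proto.lower(), int(port))

def allowed_ports(flow, roles, gateway_ports):
    """Return the (proto, port) pairs the tables permit between the flow's endpoints."""
    pair = (roles.get(flow.src), roles.get(flow.dst))
    ports = set(ALLOWED.get(pair, ()))
    if pair == ("search_head", "dcn"):
        # gateway_port may be set per DCN, so look it up for this receiver
        ports.add(("tcp", gateway_ports.get(flow.dst, DEFAULT_GATEWAY_PORT)))
    return ports

def audit(lines, roles, gateway_ports):
    """Return flows that the documented matrix does not cover, in input order."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return [f for f in flows if (f.proto, f.port) not in allowed_ports(f, roles, gateway_ports)]

# Constructed inventory, gateway_port override and flow records (not from the page).
ROLES = {"sh1": "search_head", "dcn1": "dcn", "dcn2": "dcn",
         "vc1": "vcenter", "idx1": "indexer", "esx1": "esxi"}
GATEWAY_PORTS = {"dcn2": 8010}
SAMPLE_FLOWS = [
    "sh1 vc1 tcp 443", "sh1 dcn1 tcp 8089", "sh1 dcn1 tcp 8008",
    "sh1 dcn2 tcp 8010", "sh1 dcn2 tcp 8008", "dcn1 vc1 tcp 443",
    "dcn1 idx1 tcp 9997", "esx1 dcn1 udp 514", "esx1 dcn1 tcp 1514",
    "esx1 idx1 tcp 9997", "dcn1 vc1 tcp 22",
]

if __name__ == "__main__":
    for flow in audit(SAMPLE_FLOWS, ROLES, GATEWAY_PORTS):
        print("not in port matrix:", *flow)
```

Hosts missing from the role inventory match no table row, so every flow to or from them is reported.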
Last modified on 09 May, 2019

This documentation applies to the following versions of Splunk® App for VMware: 3.4.1, 3.4.2, 3.4.3, 3.4.4
