Splunk® App for VMware

Installation and Configuration Guide

Create vCenter service accounts

Configure users and roles for vCenter

To create service accounts for the Splunk for VMware solution, you first need to create vCenter users, create roles, and then assign the users to the roles. This topic shows you how you can do this for vCenter.

Create users

A user is required for authentication and is assigned a role in later steps for authorization. The following steps show how to create local users. If you are using Active Directory for authentication on your Windows OS (vCenter) machines and/or your ESX/i hosts, skip to the "Make users in Active Directory" section below.

Make local users on your Windows OS (vCenter) machines

Perform these steps to create a local user on each of your vCenter machines.

  1. Log into the Windows OS with an administrator account.
  2. Open the Windows Start menu, then click Control Panel.
  3. In the User Accounts screen, click Add or remove user accounts.
  4. In the Manage Accounts window, click Create a new account.
  5. Enter a name for the account (e.g. splunksvc) and select Standard user. Note: if you add the new user as an Administrator, the user automatically has the Administrator role in vSphere, and any lesser role you assign to it will have no effect.
  6. Click Create Account.
  7. In the Manage Accounts screen, click your new user.
  8. In the Change an Account screen, click Create a password and assign the user a password.
  9. The new user account is displayed as a Standard user and the account shows that it is Password protected.
  10. You now have a local Windows user compatible with the vSphere permissions system.

See Microsoft Windows documentation for further information.

Make users in Active Directory

In a VMware environment, you can join your ESX/i hosts to an Active Directory domain for authentication. Service accounts have to be created on all ESX/i hosts for the Splunk for VMware solution to work correctly. If any of your machines are not configured to use AD authentication, you must create a local user on each one (see the relevant sections above for the steps).

For machines that are participating in an AD domain, you must create a service account in the given domain using the appropriate control panel in Windows Server. Most VMware environments use a single AD domain for authentication. However, if you are using multiple AD domains, then you must create a service account in each domain that your VMware environment is using.

How to create a service account within AD can vary depending upon your specific environment. Detailed steps are beyond the scope of this document. Contact your AD administrator to learn how to do this correctly for your environment. Here is an article that also may be helpful: http://technodrone.blogspot.com/2010/07/esxi-41-active-directory-integration.html.

After you have created the service account(s) in AD, you must create a role and map it to the AD service account you just created. The procedure is the same as for local accounts. Follow the instructions in Create roles on each ESX/i host.

Create roles

You need to create roles on each vCenter machine.

To create a role on vCenter:

  1. Open up the vSphere client and connect to the vCenter. Log in with administrative privileges.
  2. Click Home in the path bar.
  3. Under Administration click Roles.
  4. Click the Add Role button.
  5. In the Add new Role dialog, enter a name for the role (e.g. splunkreader).
  6. Select the appropriate permissions for the role (see Required permissions in vSphere below).

Required permissions in vSphere

The following table lists the permissions for the role you create in vCenter for all of the VMware versions we support (5.0, 5.0 update 1, and 5.1). This is required so that the Forwarder Appliance can collect data from the VC.

Permission
Global.Diagnostics
Global.Licenses
Global.Settings
Host.Configuration.Change SNMP settings
Host.Configuration.Hyperthreading
Host.Configuration.Memory configuration
Host.Configuration.Network configuration
Host.Configuration.Power
Host.Configuration.Security profile and firewall
Host.Configuration.Storage partition configuration
Sessions.View and stop sessions
System.Anonymous*
System.Read*
System.View*

Click OK and you should see your role in the list of roles. If so, then you're done!

Note: For user-defined roles, the system-defined privileges "System.Anonymous", "System.Read", and "System.View" are always present.


Assign users to roles

  1. In the vSphere client, connect to the vCenter or ESX/i host that contains the user and role you created and now want to link together.
  2. Go to the Home->Inventory->Inventory screen on an ESX/i host or the Home->Inventory->Hosts and Clusters screen on a vCenter.
  3. Right-click on the root object in the tree on the left and click "Add Permission" from the context menu.
  4. On the left of the Assign Permissions window, under Users and Groups, click Add....
  5. Select the user you wish to assign a role to (e.g. splunksvc) from the list box and click Add then click OK.
  6. On the right of the Assign Permissions window, under Assigned Role select the role you wish to assign to the user from the pull down menu (e.g. splunkreader).
  7. Make sure the Propagate to Child Objects check box is selected; without it, your user will not have all of the necessary permissions.
  8. Click OK and verify that your user is listed on the permissions tab and has the role you assigned.


Verifying log in credentials

Now that you have service accounts set up on each VC and ESX/i host in your environment, you can verify that you set up your user credentials correctly for each one. To test that your credentials work correctly on a target machine, you can point the vSphere client at the machine or you can use a web browser to access its Managed Object Browser (MOB).

To validate credentials for a target machine using the MOB, provide the initial URL of that machine (hostname) with /mob appended to the end:

       https://<IP or DNS hostname of vCenter server or ESX/i host>/mob

You will be presented with a browser login dialog box.

In some cases you may need to "add a security exception" in the browser to display the login dialog box. For the specific VC or ESX/i host that you are verifying, enter the corresponding username / password combination for that VC or ESX/i host.

Important: Do this validation step for each VC or ESX/i host that you created a service account for in the steps above. Creating a service account for a VC and validating that it works on the VC does not mean that it will also work on the ESX/i hosts in your environment. VC and ESX/i hosts have completely independent security subsystems. You must do the creation / mapping steps, as shown in this topic, for each VC and ESX/i host independently, and validate each one independently.

The service account credentials (username / password) you use to access the MOB are the same credentials used by the FA to get VMware data. You will use these credentials in your engine.conf and / or credentials.conf file(s) in a later installation step. If the credentials are not properly verified, the solution will not work properly. Although login problems are placed into the solution logs, they are nonetheless a pain to diagnose after the fact. It is much easier to make sure the service account credentials work properly beforehand.

If your login is not successful, the login box is simply displayed again with no further indication of failure. Re-enter your username / password combination a few times to make sure a typing error is not what is preventing you from accessing the MOB. If your login still fails, retrace the steps you followed to create the service account on this particular machine; repeated failures usually indicate a problem in creating the user account, creating the role, or mapping the permissions.

If you are successful logging into the MOB, the MOB service instance page is displayed for that VC or ESX/i host.

Congratulations! Your service account is set up correctly! Now just remember to do this for each VC and ESX/i host that you will add to the Splunk for VMware Solution and you will be all set.

Note: You can also test that you created valid user credentials by logging into the VC machine or ESX/i host using the vSphere Client. If you can point the vSphere Client at each machine and log in successfully using the corresponding credentials, then you have correctly set up the service account. This is effectively the same as logging into the target machine's MOB.
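The role creation, permission assignment and credential check walked through above can also be scripted with VMware PowerCLI. This is an added example, not part of the Splunk documentation; the privilege IDs are the API identifiers assumed to correspond to the display names in the permissions table, and the server, account and role values are placeholders.

```powershell
# Added example (not from the Splunk documentation): create the splunkreader role,
# bind it to the service account at the vCenter root with propagation, and verify
# that the service account can log in. Requires VMware PowerCLI.
param(
    [string]$VCenter   = "vcenter.example.com",   # placeholder
    [string]$Principal = "VCENTERHOST\splunksvc", # placeholder: local or AD account
    [string]$RoleName  = "splunkreader"
)

# Privilege IDs assumed to correspond to the display names in the permissions table above.
$requiredPrivilegeIds = @(
    "Global.Diagnostics", "Global.Licenses", "Global.Settings",
    "Host.Config.Snmp", "Host.Config.HyperThreading", "Host.Config.Memory",
    "Host.Config.Network", "Host.Config.Power", "Host.Config.NetService",
    "Host.Config.Storage", "Sessions.TerminateSession"
)

$admin = Connect-VIServer -Server $VCenter -Credential (Get-Credential -Message "vCenter administrator")

# Create the role only if it does not exist, with exactly the listed privileges.
$role = Get-VIRole -Name $RoleName -Server $admin -ErrorAction SilentlyContinue
if (-not $role) {
    $privs = Get-VIPrivilege -Id $requiredPrivilegeIds -Server $admin
    $role  = New-VIRole -Name $RoleName -Privilege $privs -Server $admin
}

# Warn if an existing role has grown beyond the required set (System.* is implicit in every role).
$extra = $role.PrivilegeList | Where-Object { $_ -notin $requiredPrivilegeIds -and $_ -notlike "System.*" }
if ($extra) { Write-Warning "Role $RoleName carries extra privileges: $($extra -join ', ')" }

# Assign the role at the root folder with Propagate so every child object inherits it.
$root = Get-Folder -NoRecursion -Server $admin
if (-not (Get-VIPermission -Entity $root -Principal $Principal -Server $admin -ErrorAction SilentlyContinue)) {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true -Server $admin | Out-Null
}
Get-VIPermission -Entity $root -Principal $Principal -Server $admin | Format-Table Principal, Role, Propagate
Disconnect-VIServer -Server $admin -Confirm:$false

# Verification: log in as the service account and read the ServiceInstance, the same
# check as loading https://<host>/mob in a browser with those credentials.
$svc = Connect-VIServer -Server $VCenter -Credential (Get-Credential -UserName $Principal -Message "Service account password")
$si  = Get-View ServiceInstance -Server $svc
"Logged in as $Principal; vSphere API version $($si.Content.About.ApiVersion)"
Disconnect-VIServer -Server $svc -Confirm:$false
```

Run the verification part separately against each ESX/i host as well, since each host has its own independent permission store.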

This documentation applies to the following versions of Splunk® App for VMware: 3.4.5

