Splunk® App for VMware

Installation Guide



On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of VMW. Click here for the latest version.

Collect VMware vCenter Server Linux Appliance log data

Use the Splunk Add-on for VMware to collect logs from the VMware vCenter Server Appliance. The Splunk Add-on for VMware stores VMware vCenter Server Appliance logs in /var/log/vmware.

Export vCenter logs to an external system

  1. Install a Splunk forwarder.
  2. Enable the VMware vCenter Server Appliance to store log files on NFS storage on a system where you have installed Splunk Enterprise as a heavy forwarder or as a light forwarder. Go to NFS Storage on the VMware vCenter Server Appliance in the VMware vSphere documentation.
  3. On the system where you have installed the Splunk Enterprise forwarder, download the Splunk Add-on for VMware and extract the Splunk_TA_vcenter package into the $SPLUNK_HOME/etc/Splunk_TA_vCenter/local directory and open file.
  4. Copy the inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/default, paste it into the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/local directory, and open the file.
  5. Change the log path to the location where the vCenter Server Appliance logs data (/var/log/vmware/). Edit these stanzas in the inputs.conf file:
    Linux server appliance 6.x, 7.0
    [monitor:///var/log/vmware/vws]
    disabled = 0
    index = vmware-vclog
     
    [monitor:///var/log/vmware/vpxd]
    blacklist = (.*(gz)$)|(\\drmdump\\.*)
    disabled = 0
    index = vmware-vclog
     
    [monitor:///var/log/vmware/perfcharts]
    disabled = 0
    index = vmware-vclog
    


    Linux server appliance 6.x, 7.0 (not supported from 3.4.5)

    [monitor:///var/log/vmware/vpx]
    blacklist = (.*(gz)$)|(\\drmdump\\.*)
    disabled = 0
    index = vmware-vclog
    
  6. (Optional) If you configured Splunk Enterprise as a heavy/light forwarder and you want to monitor the license file and tomcat configuration files, follow these steps:
    1. Copy the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/default/props.conf file and paste into the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/local directory.
    2. Open the local props.conf file.
    3. Change the log path to where the vCenter Server Appliance logs data.
    4. Edit these stanzas:
      Linux server appliance 6.x
      [source::(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?]
      


      Linux server appliance 5.x (not supported from 3.4.5)

      [source::(?-i).../var/log/vmware/vpx/stats.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpx/vpxd-\d+.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpx/vpxd-alert-\d+.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpx/vpxd-profiler-\d+.log(?:.\d+)?]
      [source::(?-i).../var/log/vmware/vpx/vws.log(?:.\d+)?]
      
  7. Start Splunk Enterprise.
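
Before starting the forwarder, it helps to check which files the edited stanzas will actually pick up. The following is an added example, not Splunk's code: it copies the 6.x stanza values from this page and evaluates them against constructed file paths, assuming that in a `source::` spec `...` matches any characters, `*` matches anything except `/`, the rest is a regular expression, and the whole path must match.

```python
import re

# Copied from the inputs.conf stanzas on this page: monitored directory -> blacklist.
MONITORS = {
    "/var/log/vmware/vws": None,
    "/var/log/vmware/vpxd": r"(.*(gz)$)|(\\drmdump\\.*)",
    "/var/log/vmware/perfcharts": None,
}
# Copied from the 6.x props.conf stanzas on this page, without the [source::...] wrapper.
SOURCE_SPECS = [
    r"(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?",
    r"(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?",
    r"(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?",
    r"(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?",
]

def spec_to_regex(spec):
    # Assumed translation (a simplification of Splunk's matcher):
    # "..." -> any characters, "*" -> any characters except "/".
    # Python has no bare (?-i) flag; its matching is case-sensitive by default.
    body = spec[5:] if spec.startswith("(?-i)") else spec
    body = re.sub(r"\.\.\.|\*", lambda m: ".*" if m.group() == "..." else "[^/]*", body)
    return re.compile(body)

def is_monitored(path):
    """True if the path is under a monitored directory and not blacklisted."""
    for directory, blacklist in MONITORS.items():
        if path.startswith(directory + "/"):
            return not (blacklist and re.search(blacklist, path))
    return False

def matching_spec(path):
    """Return the first props.conf source spec that matches the whole path."""
    for spec in SOURCE_SPECS:
        if spec_to_regex(spec).fullmatch(path):
            return spec
    return None

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real appliance.
    for path in (
        "/var/log/vmware/vpxd/vpxd-12.log",
        "/var/log/vmware/vpxd/vpxd-12.log.gz",
        "/var/log/vmware/vpxd/vpxd-alert-3.log",
        "/var/log/vmware/vpxd/vpxd-profiler-3.log.1",
        "/var/log/vmware/vpxd/drmdump/domain-c7/sample.dump",
    ):
        print(path, is_monitored(path), matching_spec(path))
```

On the constructed drmdump path the blacklist does not apply, because `\\drmdump\\` expects backslash path separators; the file is monitored but matches none of the source specs.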

Forward VMware vCenter Linux appliance logs to Splunk Enterprise

  1. To forward VMware vCenter Linux appliance logs to your Splunk Enterprise indexers or search head, install a Splunk Enterprise forwarder on the VMware vCenter Linux appliance. Shell access to the vCSA must be enabled.
  2. Install a Splunk forwarder on the VMware vCenter Server Appliance.
  3. Install the Splunk_TA_vCenter package on the Splunk platform forwarder.
    1. Get the Splunk_TA_vcenter package from the Splunk Add-on for VMware and place it on vCenter.
    2. Copy the Splunk_TA_vcenter package to /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter.
  4. Copy the inputs.conf file from /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/default, paste it into the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/local folder, and open the file.
  5. (Optional) If you configured Splunk Enterprise as a heavy forwarder and you want to monitor the license file and tomcat configuration files, copy the contents of the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/default/props.conf file and paste them into the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/local folder.
  6. Start the Splunk Universal Forwarder.
Last modified on 24 September, 2021

This documentation applies to the following versions of Splunk® App for VMware: 4.0.3

