Collect VMware vCenter Server Linux Appliance log data
Use the Splunk Add-on for VMware to collect logs from the VMware vCenter Server Appliance. the Splunk Add-on for VMware stores VMware vCenter Server Appliance logs in /var/log/vmware.
- Export vCenter logs to another system where you have installed Splunk Enterprise.
- Install a Splunk Enterprise forwarder on the same machine to forward the VMware vCenter Linux appliance logs. Go to Forward VMware vCenter Linux appliance logs to Splunk Enterprise.
Export vCenter logs to an external system
- Install a Splunk forwarder.
- Download a Universal Forwarder.
- Install the Universal Forwarder. Go to Install Universal Forwarder on *nix in the Splunk Universal Forwarder Manual.
- Enable the VMware vCenter Server Appliance to store log files on NFS storage on a system where you have installed Splunk Enterprise as a heavy forwarder or as a light forwarder. Go to NFS Storage on the VMware vCenter Server Appliance in the VMware vSphere documentation.
- On the system where you have installed the Splunk Enterprise forwarder, download the Splunk Add-on for VMWare and extract the Splunk_TA_vcenter package into the $SPLUNK_HOME/etc/Splunk_TA_vCenter/local directory and open file.
- Copy the inputs.conf file from $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/default and paste it into the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/local directory and open file.
- Change the log path to the location where the vCenter Server Appliance logs data (/var/log/vmware/). Edit these stanzas in the inputs.conf file:
Linux server appliance 6.x, 7.0[monitor:///var/log/vmware/vws] disabled = 0 index = vmware-vclog [monitor:///var/log/vmware/vpxd] blacklist = (.*(gz)$)|(\\drmdump\\.*) disabled = 0 index = vmware-vclog [monitor:///var/log/vmware/perfcharts] disabled = 0 index = vmware-vclog
Linux server appliance 6.x, 7.0 (not supported from 3.4.5)[monitor:///var/log/vmware/vpx] blacklist = (.*(gz)$)|(\\drmdump\\.*) disabled = 0 index = vmware-vclog
- (Optional) If you configured Splunk Enterprise as a heavy/light forwarder and you want to monitor the license file and tomcat configuration files, follow these steps:
- Copy the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/default/props.conf file and paste into the $SPLUNK_HOME/etc/apps/Splunk_TA_vCenter/local directory.
- Open the local props.conf file.
- Change the log path to where the vCenter Server Appliance logs data.
- Edit these stanzas:
Linux server appliance 6.x[source::(?-i).../var/log/vmware/perfcharts/stats.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpxd/vpxd-\d+.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpxd/vpxd-alert-\d+.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpxd/vpxd-profiler-\d+.log(?:.\d+)?
Linux server appliance 5.x (not supported from 3.4.5)[source::(?-i).../var/log/vmware/vpx/stats.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpx/vpxd-\d+.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpx/vpxd-alert-\d+.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpx/vpxd-profiler-\d+.log(?:.\d+)?] [source::(?-i).../var/log/vmware/vpx/vws.log(?:.\d+)?]
- Start Splunk Enterprise.
Forward VMware vCenter Linux appliance logs to Splunk Enterprise
- To forward VMware vCenter Linux appliance logs to your Splunk Enterprise indexers or search head, install a Splunk Enterprise forwarder on the VMware vCenter Linux appliance. Access to vCSA shell access has to be enabled.
- Install a Splunk forwarder on the VMware vCenter Server Appliance.
- Install Splunk_TA_vCenter package on the Splunk platform forwarder.
- Get the Splunk_TA_vcenter package from Splunk Add-on for VMWare and place it on vCenter.
- Copy theSplunk_TA_vcenter pacakgeto /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter.
- Copy the inputs.conf file from /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/default then paste it into the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/local folder and open file.
- (Optional) If you configured Splunk Enterprise as a heavy forwarder and you want to monitor the license file and and tomcat configuration files, copy the contents of the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/default/props.conf file and paste it into the /opt/splunkforwarder/etc/apps/Splunk_TA_vcenter/local folder.
- Start the Splunk Universal Forwarder.
Configure Splunk App for VMware to collect data from vCenter Server | Troubleshoot Splunk App for VMware |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 4.0.4
Feedback submitted, thanks!