Collect data from vCenter Server systems using the VMware API
The Splunk App for VMware relies on the Splunk Add-on for VMware to use the VMware API to collect data about your virtual environment. The Splunk Add-on for VMware communicates with vCenter Server using network ports and Splunk management ports.
This table lists the components that communicate with each other and the ports they use to communicate.
|Collection Configuration||vCenter Server||443||Uses port 443 to connect to the vCenter Server to verify that the vCenter Server credentials are valid. It also uses this port to discover the number of managed ESXi hosts in the environment.|
|Splunk Add-on for VMware||Data Collection Node||8089||Connects to the Data Collection Node (DCN) on the default Splunk management port, TCP 8089.|
|Collection Configuration||Data Collection Node||8008||When the DCN and Splunk App for VMware have established a connection, the Collection Configuration dashboard, which typically runs on the search head, allocates data collection jobs to the DCN on TCP port 8008 (the gateway port). If another service in your environment uses port 8008, you can configure a different port for communication between the data collection node and the gateway. Data collection nodes do not have to communicate on the same port. The default is set as gateway_port = 8008 in the [default] stanza. To change the ports for each data collection node individually, set the port in each stanza.|
|Data Collection Node (DCN)||vCenter Server||443||Communicates with vCenter Server API on port 443 to execute the data collection tasks allocated to it.|
|Data Collection Node||Splunk indexer||9997||Uses port 9997 to forward data it has retrieved from the vCenter Server using the API.|
After Splunk App for VMware establishes a connection with vCenter Server, the DCN uses port 443 to obtain the credentials for vCenter Server. The DCN uses port 443 to determine the kind of data to collect, such as performance, inventory, or hierarchy data. Using port 8008, Splunk App for VMware tells the data collection nodes what they need to collect from a specific vCenter Server system. The DCN retrieves the data from vCenter Server and forwards the data to the Splunk indexer on port 9997.
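The port table above can be turned into a least-privilege firewall allow-list. The following is an added example, not part of the Splunk documentation or product: it resolves each data collection node's effective gateway_port (falling back to the [default] stanza) and lists the TCP flows the API collection path needs. The stanza names, the 8010 override, the example.test host names and the "scheduler" role name for the host running Collection Configuration are constructed assumptions.

```python
import configparser

# Constructed sample: stanza names and the 8010 override are illustrative only.
SAMPLE_CONF = """
[default]
gateway_port = 8008

[dcn-a.example.test]

[dcn-b.example.test]
gateway_port = 8010
"""

def gateway_ports(conf_text):
    """Map each DCN stanza to its effective gateway port ([default] is the fallback)."""
    cp = configparser.ConfigParser(default_section="default", delimiters=("=",))
    cp.read_string(conf_text)
    ports = {}
    for node in cp.sections():  # sections() excludes the default stanza
        port = cp.getint(node, "gateway_port")
        if not 1 <= port <= 65535:
            raise ValueError(f"{node}: gateway_port {port} out of range")
        ports[node] = port
    return ports

def required_flows(conf_text, vcenter, indexer, scheduler):
    """Return the sorted (source, destination, tcp_port) allow-list for API collection."""
    flows = {(scheduler, vcenter, 443)}  # credential check and ESXi host discovery
    for node, gw in gateway_ports(conf_text).items():
        flows |= {
            (scheduler, node, 8089),  # Splunk management port
            (scheduler, node, gw),    # job allocation on the gateway port
            (node, vcenter, 443),     # vCenter Server API calls
            (node, indexer, 9997),    # forwarding collected data
        }
    return sorted(flows)

def unexpected(observed, allowed):
    """Observed flows that the port table does not account for."""
    return sorted(set(observed) - set(allowed))

if __name__ == "__main__":
    for src, dst, port in required_flows(
            SAMPLE_CONF, "vcenter.example.test", "idx.example.test", "sh.example.test"):
        print(f"allow tcp {src} -> {dst}:{port}")
```

Feeding unexpected() with flows taken from firewall or NetFlow logs highlights traffic between these hosts that falls outside the documented ports.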
Collect log data from vCenter Server systems and ESXi hosts
You can collect log data from the vCenter Server system and the ESXi hosts in your environment. This table describes how the entities in your environment communicate.
|vCenter Server||Splunk indexer||9997||To send log data from the vCenter Server system on port 9997, install the Splunk Universal Forwarder and the Splunk_TA_vcenter on the vCenter Server system. If firewall issues prevent you from installing the Splunk App for VMware components on vCenter Server, forward the vCenter Server log data to the data collection node (DCN). The DCN contains all of the components required to collect vCenter Server log data. Forward this data from the DCN to Splunk indexers.|
|ESXi host||DCN / Syslog server||TCP port 1514 / UDP port 514||Prior to ESXi version 6.x, ESXi versions supported either TCP or UDP, but not always both. For an environment with fewer than 40 ESXi hosts, send syslog traffic to the DCN. In a larger production environment, use a central syslog server with a Splunk Universal Forwarder and Splunk_TA_esxilogs add-on installed on it. Alternatively, you can send syslog to another DCN virtual machine dedicated to running as a syslog server for the ESXi hosts.|
|vCenter Server||DCN / Syslog server||TCP port 1517||To send log data from vCenter Linux Server on port 1517, use Syslog-ng/rsyslog. See Collect vCenter Server Appliance logs via syslog.|
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 4.0.4