Community:VMwareESXSyslog
From Splunk Wiki
How to index VMware ESX and ESXi data via syslog
On your Splunk instance
- Make sure you have a UDP port 514 network input configured and enabled. Syslog over UDP is neither authenticated nor encrypted, and dropped datagrams are never retransmitted, so restrict which hosts can reach that input (for example with the host firewall on the indexer) and treat the events as unauthenticated data.
On your ESX server(s)
- SSH over to your ESX server. You will need sudo or root access to complete the following.
- Edit /etc/syslog.conf with your favorite editor.
- Add the following lines to the bottom of the file. This forwards every facility at every priority to Splunk -- a good thing. Note that the selector (*.*) and the action (@host) must be separated by a literal tab, not spaces.
#forward to Splunk
*.*	@splunksvr.mydomain
#must have a tab between the facility.priority selector and the @LOGHOST action
- Restart the syslog service:
service syslog restart
- Open the service console firewall for outbound UDP on port 514 (the rule is named syslog):
esxcfg-firewall -o 514,udp,out,syslog
- Reload the firewall configuration:
esxcfg-firewall -l
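The service-console steps above, gathered into one script as an added example (this is not code from the original wiki page or from VMware). It appends the forwarding rule with a real tab, refuses to proceed if the rule is not tab-separated, and only then restarts syslogd and opens the firewall. The host name splunksvr.mydomain is the page's placeholder; the file path and port are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: apply the ESX
# service-console syslog forwarding steps and verify the result.
# Assumptions: "splunksvr.mydomain" is the placeholder from the page,
# /etc/syslog.conf is the classic syslogd configuration on the ESX host.

SPLUNK_HOST="splunksvr.mydomain"
SYSLOG_CONF="/etc/syslog.conf"
TAB=$(printf '\t')

# add_forward_rule FILE HOST
# Appends "*.*<TAB>@HOST" (all facilities, all priorities, forward over
# UDP) unless that exact rule is already present, so re-running is safe.
add_forward_rule() {
    file=$1
    host=$2
    if grep -q "^\*\.\*${TAB}@${host}\$" "$file" 2>/dev/null; then
        return 0
    fi
    printf '#forward to Splunk\n*.*\t@%s\n' "$host" >> "$file"
}

# check_forward_rule FILE HOST
# Returns 0 only if the rule exists with a literal TAB between the
# selector and the action; a rule typed with spaces is reported as
# missing, matching the tab requirement stated on the page.
check_forward_rule() {
    grep -q "^\*\.\*${TAB}@${2}\$" "$1"
}

# count_forward_rules FILE HOST -> number of matching rules (expect 1)
count_forward_rules() {
    grep -c "^\*\.\*${TAB}@${2}\$" "$1"
}

# apply_on_esx: the remaining steps from the page. Runs only on the ESX
# host itself as root; nothing here executes unless --apply is passed.
apply_on_esx() {
    add_forward_rule "$SYSLOG_CONF" "$SPLUNK_HOST"
    check_forward_rule "$SYSLOG_CONF" "$SPLUNK_HOST" || {
        echo "forwarding rule missing or not tab-separated" >&2
        return 1
    }
    service syslog restart
    # allow outbound UDP 514 from the service console, rule named "syslog"
    esxcfg-firewall -o 514,udp,out,syslog
    esxcfg-firewall -l
}

if [ "${1:-}" = "--apply" ]; then
    apply_on_esx
fi
```

Run it as root on the ESX host with `--apply`; without that flag it only defines the functions, so you can source it and call check_forward_rule against a copy of syslog.conf before touching the live file.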
If you also want to capture the host agent log, /var/log/vmware/hostd.log, do the following:
- SSH over to your ESX server. You will need sudo or root access to complete the following.
- Edit /etc/vmware/hostd/config.xml with your favorite editor and change its <log> section to look like the following:
<log>
<directory>/var/log/vmware/</directory>
<name>hostd</name>
<outputToConsole>true</outputToConsole>
<level>info</level>
</log>
- Restart the ESX Management Agents:
service mgmt-vmware restart
On your ESXi server(s)
- Log in to your vMA appliance console or Remote CLI.
- Run:
vicfg-syslog --server esxhostsvr.mydomain.com -s splunksvr.mydomain.com -p 514
- Confirm the setting took effect:
vicfg-syslog --server esxhostsvr.mydomain.com --show
NOTE: As of ESXi 4.1 you can also set the remote logging server from the vSphere Client: select the ESXi host, open the Configuration tab, choose Advanced Settings, and look for the Syslog node in the tree (Syslog.Remote.Hostname and Syslog.Remote.Port). Those are the same values the vicfg-syslog command above modifies.
Set the timezone
By default, ESX and ESXi keep their clocks in UTC. To have Splunk interpret the timestamps correctly, add a stanza like the following to $SPLUNK_HOME/etc/system/local/props.conf (check with date on the host first; if the service console clock was set to a local zone, use that zone instead):
[host::myesx.splunk.com]
TZ=UTC
Apply this setting on the indexer. For heavy forwarders that do full parsing themselves, place the props settings on the forwarder instead. If you have many hosts in separate timezones, you can use wildcards on the host name:
[host::east*]
TZ=US/Eastern
Back in Splunk
Within a few minutes you should see VMware ESX data arriving on the UDP 514 input; search on the ESX host name in the host field to confirm.
Happy Splunking!