Community:VMwareESXSyslog

From Splunk Wiki


How to index VMware ESX and ESXi data via syslog

On your Splunk instance

  • Make sure you have a UDP port 514 network input configured and enabled

On your ESX server(s)

  • SSH over to your ESX server. You will need sudo or root access to complete the following.
  • Edit /etc/syslog.conf with your favorite editor.
  • Add the following lines to the bottom of the file. This will forward all the logs to Splunk -- a good thing. The selector (facility.priority) and the @LOGHOST destination must be separated by a tab, not spaces.
#forward to Splunk
*.* @splunksvr.mydomain
#must have a tab between facility.priority and @LOGHOST
  • Restart the syslog service:
service syslog restart
  • Open the local firewall to allow UDP over port 514:
esxcfg-firewall -o 514,udp,out,syslog
  • Reload the firewall configuration:
esxcfg-firewall -l
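
The tab requirement called out above is easy to get wrong when the line is pasted. The following added example (not code from the wiki page, VMware or Splunk) parses a sysklogd-style syslog.conf, validates each selector against the facility and priority names classic syslogd accepts, flags lines whose selector and action are separated by spaces rather than a tab, and lists the `@host` destinations so a missing Splunk forward is visible. The sample configuration text is constructed for the example.

```python
"""Check the sysklogd-style /etc/syslog.conf forwarding entry that the ESX
procedure above adds.  This is an added example, not code from the wiki page
or from VMware/Splunk; the sample syslog.conf text below is constructed."""

# Facility and priority names accepted by classic sysklogd selectors.
FACILITIES = {
    "auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark",
    "news", "security", "syslog", "user", "uucp", "local0", "local1",
    "local2", "local3", "local4", "local5", "local6", "local7", "*",
}
PRIORITIES = {
    "debug", "info", "notice", "warning", "warn", "err", "error", "crit",
    "alert", "emerg", "panic", "none", "*",
}


def parse_selector(selector):
    """Split 'auth,authpriv.*;kern.!=info' into (facility, priority) pairs,
    raising ValueError on anything sysklogd would not understand."""
    pairs = []
    for part in selector.split(";"):
        if "." not in part:
            raise ValueError("selector without '.': %r" % part)
        facilities, priority = part.rsplit(".", 1)
        # '=' means exactly this priority, '!' negates; strip for validation.
        if priority.lstrip("=!") not in PRIORITIES:
            raise ValueError("unknown priority %r in %r" % (priority, part))
        for facility in facilities.split(","):
            if facility not in FACILITIES:
                raise ValueError("unknown facility %r in %r" % (facility, part))
            pairs.append((facility, priority))
    return pairs


def check_syslog_conf(text):
    """Return (remote_hosts, problems) for a syslog.conf body.

    remote_hosts lists every '@host' destination found, so a missing Splunk
    forward is visible; problems lists lines that break the rule the page
    stresses (selector and action separated by a tab) or have a bad selector.
    """
    remote_hosts, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if "\t" in line:
            selector, action = line.split("\t", 1)
        else:
            problems.append("line %d: selector and action must be separated "
                            "by a tab, not spaces: %r" % (lineno, line))
            fields = line.split()  # best effort so the rest is still checked
            if len(fields) != 2:
                continue
            selector, action = fields
        selector, action = selector.strip(), action.strip()
        try:
            parse_selector(selector)
        except ValueError as exc:
            problems.append("line %d: %s" % (lineno, exc))
            continue
        if action.startswith("@"):
            host = action[1:]
            if host:
                remote_hosts.append(host)
            else:
                problems.append("line %d: '@' with no LOGHOST" % lineno)
    return remote_hosts, problems


def forward_line(loghost):
    """The entry the page tells you to append, with the required tab."""
    return "*.*\t@%s" % loghost


# Constructed sample: two local rules plus a forward line typed with a space.
SAMPLE_SYSLOG_CONF = (
    "# constructed sample /etc/syslog.conf from an ESX host\n"
    "*.info;mail.none;authpriv.none;cron.none\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"
    "#forward to Splunk\n"
    "*.* @splunksvr.mydomain\n"
)
FIXED_SYSLOG_CONF = SAMPLE_SYSLOG_CONF.replace(
    "*.* @splunksvr.mydomain", forward_line("splunksvr.mydomain"))

if __name__ == "__main__":
    for label, conf in (("as typed", SAMPLE_SYSLOG_CONF),
                        ("fixed", FIXED_SYSLOG_CONF)):
        hosts, issues = check_syslog_conf(conf)
        print(label, "-> forwards to", hosts or "nobody")
        for issue in issues:
            print("  ", issue)
```

Run it against a copy of the host's /etc/syslog.conf before restarting syslogd; a forward line that passes `check_syslog_conf` with no problems and the Splunk host in `remote_hosts` is the one the page describes.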

If you also want the contents of /var/log/vmware/hostd.log to reach syslog (and therefore Splunk), do the following:

  • SSH over to your ESX server. You will need sudo or root access to complete the following.
  • Edit /etc/vmware/hostd/config.xml with your favorite editor and change the log section to look like the following:
<log>
  <directory>/var/log/vmware/</directory>
  <name>hostd</name>
  <outputToConsole>true</outputToConsole>
  <level>info</level>
</log>

  • Restart the ESX Management Agents:
service mgmt-vmware restart

On your ESXi server(s)

  • Log in to your vMA appliance console or Remote CLI.
  • Run the following, where --server names the ESXi host to configure, -s the syslog destination and -p the UDP port:
vicfg-syslog --server esxhostsvr.mydomain.com -s splunksvr.mydomain.com -p 514

NOTE: As of ESXi 4.1, you can also set the remote logging server from the vCenter client: select the ESXi host, open the "Configuration" tab, go to the advanced options and find the option titled "Syslog" in the tree. The vicfg-syslog command above modifies the same value.

Set the timezone

By default, ESX and ESXi keep their clocks in UTC, and syslog timestamps carry no zone. So that Splunk interprets them correctly, add a stanza like the following to $SPLUNK_HOME/etc/system/local/props.conf:

[host::myesx.splunk.com]
TZ=UTC

Apply this setting on the indexer. If heavy (full) forwarders do the parsing, put the props.conf settings on the forwarders instead. If you have many hosts in separate timezones, you can use wildcards in the host stanza, for example on the subdomain:

[host::east*]
TZ=US/Eastern
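
To see why the stanza matters, the following added example (not code from the wiki page or from Splunk) imitates, in simplified form, what an indexer does: it resolves a host name against `[host::pattern]` stanzas and then reads a zone-less RFC 3164 syslog timestamp in that zone. It also computes how far off `_time` lands if a UTC-clocked ESX host is read in the indexer's local zone instead, including the daylight-saving difference between a January and a July event. The stanzas, host names and log line are constructed, and the longest-pattern-wins precedence is an assumption made here, not Splunk's exact rule.

```python
"""Why the props.conf TZ stanza matters for ESX syslog.  Added example, not
code from the wiki page or from Splunk: it imitates, in simplified form, how an
indexer picks a TZ for a host and then reads a zone-less RFC 3164 timestamp.
Host names, stanzas and the sample log line are constructed; the
longest-pattern-wins precedence is an assumption, not Splunk's exact rule."""
from datetime import datetime, timezone
from fnmatch import fnmatch
from zoneinfo import ZoneInfo

# Constructed props.conf-style stanzas, same shape as the page's examples.
TZ_STANZAS = {
    "host::myesx.splunk.com": "UTC",
    "host::east*": "US/Eastern",
}

SYSLOG_TS = "%b %d %H:%M:%S"  # RFC 3164 timestamp: no year and no zone


def resolve_tz(host, stanzas=TZ_STANZAS, default="UTC"):
    """Pick the TZ for a host from [host::pattern] stanzas (shell-style
    wildcards); 'default' stands for the indexer's own zone when none match."""
    matches = [(pattern, tz) for pattern, tz in stanzas.items()
               if pattern.startswith("host::")
               and fnmatch(host, pattern[len("host::"):])]
    if not matches:
        return default
    return max(matches, key=lambda m: len(m[0]))[1]


def event_time(ts, year, tz_name):
    """Interpret an RFC 3164 timestamp in tz_name and return it in UTC."""
    naive = datetime.strptime(ts, SYSLOG_TS).replace(year=year)
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)


def skew_hours(ts, year, assumed_tz, true_tz="UTC"):
    """Hours by which _time is wrong if the indexer assumes assumed_tz for a
    host whose clock really runs in true_tz (ESX defaults to UTC)."""
    wrong = event_time(ts, year, assumed_tz)
    right = event_time(ts, year, true_tz)
    return (wrong - right).total_seconds() / 3600


def index_event(line, year, indexer_tz="UTC", stanzas=TZ_STANZAS):
    """Take 'Mon DD HH:MM:SS host tag: msg', resolve the host's TZ and return
    (host, event time in UTC) the way a correctly configured indexer would."""
    ts, rest = line[:15], line[16:]
    host = rest.split(" ", 1)[0]
    return host, event_time(ts, year, resolve_tz(host, stanzas, indexer_tz))


if __name__ == "__main__":
    # Constructed hostd line from a host whose clock runs in US/Eastern,
    # matched by the east* stanza.
    line = "Jan 15 14:00:00 east-esx01 Hostd: constructed sample event"
    print(index_event(line, 2010))
    for when in ("Jan 15 14:00:00", "Jul 15 14:00:00"):
        print(when, "from a UTC host read as US/Eastern is off by",
              skew_hours(when, 2010, "US/Eastern"), "hours")
```

The skew is five hours in winter and four in summer for an Eastern indexer, which is exactly the kind of drift that makes events appear "in the future" or sort out of order next to data from correctly configured hosts.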

Back in Splunk

Within a few minutes, you will see VMware ESX data in your searches:

[Screenshot: SyslogESX.png]

Happy Splunking!
