topic Re: ESX Syslog - vmkwarning in Getting Data In

ESX Syslog - vmkwarning

BlightMan — Tue, 25 Oct 2011 15:56:01 GMT

I've set up Splunk Free to receive syslogs from my ESX hosts. This is all working perfectly. But is there some way to only send the contents of the vmkwarning file? Or can Splunk filter out anything that's not from vmkwarning?

Re: ESX Syslog - vmkwarning

dwaddle — Tue, 25 Oct 2011 18:24:24 GMT

You cannot stop the messages from being sent but you can filter them away once they arrive at Splunk using a rule to route it to the nullQueue. This answers post, http://splunk-base.splunk.com/answers/96/how-do-i-exclude-some-events-from-being-indexed-by-splunk, has details on exactly how to do that.

Re: ESX Syslog - vmkwarning

kdenton — Wed, 26 Oct 2011 15:15:56 GMT

What about installing the universal forwarder on the ESX server and setting up a seperate stanza to monitor that file only.

This would require installing the Splunk Universal Forwarder instead of just setting the syslog daemon on the vmware server to forward to syslog.

-Kevin

Re: ESX Syslog - vmkwarning

dwaddle — Thu, 27 Oct 2011 21:56:47 GMT

this should work on "classical" esx, but I don't think it'd be applicable on esxi. (I could be wrong there though)

Re: ESX Syslog - vmkwarning

lguinn2 — Thu, 27 Oct 2011 22:07:03 GMT

Correct - will NOT work on ESXi, and is NOT a recommended practice for ESX, either. I am not sure it will even work on ESX; the Linux kernel that sits beneath ESX has been heavily modified and may not have the components that Splunk needs. Besides, ESX is not a supported OS for the Splunk forwarder(s), so not a good practice even if it works.

Re: ESX Syslog - vmkwarning

lguinn2 — Thu, 27 Oct 2011 22:22:10 GMT

This is the best solution, as it does not violate any best practices of Splunk or VMware, that I know of, anyway.

FWIW, I don't think that the ESX syslogs are chatty. So it's not a big deal to do the filtering to the null queue on the Splunk indexer.

As a final option, you might install the vMA and use it a a syslog server. I believe that you can use the vMA to control the logging level. And you can probably install a fowarder on the vMA. Look in the VMware manuals, and/or this article
http://www.simonlong.co.uk/blog/2010/05/28/using-vma-as-your-esxi-syslog-server/

Re: ESX Syslog - vmkwarning

BlightMan — Tue, 15 Nov 2011 14:26:34 GMT

I actually found the way to do this just by reviewing the default entries in the ESX hosts' syslog.conf.

Rather than forwarding everything:
{star}.{star} @server.domain.com

I just do this:
local6.warning @server.domain.com

It works perfectly! I hope this is useful for other people.