topic Re: Unable to see vmware esxi syslog in splunk in Getting Data In

Unable to see vmware esxi syslog in splunk

meenakande — Wed, 08 Apr 2020 13:36:24 GMT

we are forwarding vmware esxi syslog to splunk by using heavy forwarder. we have not installed any universal forwarder in our esxi servers.
In splunk we have created a index(vmware_log) and created a token for index. but still we are not able to see logs in splunk cloud?

Re: Unable to see vmware esxi syslog in splunk

PavelP — Thu, 09 Apr 2020 04:19:23 GMT

Hello @meenakande ,

please explain your setup and post your configuration.

Re: Unable to see vmware esxi syslog in splunk

DalJeanis — Fri, 10 Apr 2020 23:42:10 GMT

How did you expect to get the logs? Is the HF executing some kind of script or pull?

Re: Unable to see vmware esxi syslog in splunk

meenakande — Sat, 11 Apr 2020 06:47:03 GMT

Setup:
Vmware server name - vmware_esxi01
Heavy Forwarder - bos-syslog01
In vmware server -> config -> Advance system settings -> syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

And followed "Configure ESXi hosts using the vSphere Client" section of below document
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts

Re: Unable to see vmware esxi syslog in splunk

PavelP — Tue, 14 Apr 2020 18:28:06 GMT

have you specified the port?

syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

after that follow this article to check if the packets are sent: https://kb.vmware.com/s/article/1031186

for example capture 10 packets on the interface vmk0 on the port 1514 and show the payload:

tcpdump-uw -i vmk0 -A -c 10 port 1514