All Apps and Add-ons

How to configure VMWare vCenter logs via syslog to get into splunk?

Path Finder

Not strictly a Splunk question, more  a VMWare vCenter one, but II'm hoping somebody has solved this before me!!!

We're working to get the logs from vCenter into Splunk using syslog, Kiwi and the Splunk Add-on for vCenter Logs.  We've figured out all the components:

  • configured vCenter correctly, using rsyslog.config
  • set Kiwi up to use Native messages, not add a date and time stamp

and we were just about to start the app to fetch the kiwi logs when we found we could not control the severity level in rsyslog. We referred to the help cited - - but this refers to the directive $InputFileSeverity  as being legacy...

Regardless of what we set the parameter $InputFileSeverity to it ignores us and sends everything right up to Debug (Level 7). As that more than doubles the log size for no material benefit, I'd like to tell vCenter not to bother. 

What is the corect syntax of the stanza in rsyslog.conf to set the severity level to Level 6 / Info or lower? 

We tried 

$InputFileSeverity 6

$InputFileSeverity Info

$InputFileSeverity Info,Warning

Labels (2)
0 Karma

Path Finder

In part to respond to my own question: 

- we have been able to get something working by using the default config in vCenter, but only by using for format much closer to the default vCenter config than that recommended by Splunk. 

template(name="RSYSLOG_ForwardFormat1" type="string"

#$WorkDirectory /var/spool/rsyslog


This now means I have to rework the transforms.conf in the Splunk App, so far from ideal. I've got the sourcetype working, with some caeveats, but I suspect that the whole piece about field extractions will now fail. 

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...