All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure VMWare vCenter logs via syslog to get into splunk?

mooree
Path Finder
‎05-23-2022 02:31 PM

Not strictly a Splunk question, more  a VMWare vCenter one, but II'm hoping somebody has solved this before me!!!

We're working to get the logs from vCenter into Splunk using syslog, Kiwi and the Splunk Add-on for vCenter Logs.  We've figured out all the components:

  • configured vCenter correctly, using rsyslog.config
  • set Kiwi up to use Native messages, not add a date and time stamp

and we were just about to start the app to fetch the kiwi logs when we found we could not control the severity level in rsyslog. We referred to the help cited - https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html - but this refers to the directive $InputFileSeverity  as being legacy...

Regardless of what we set the parameter $InputFileSeverity to it ignores us and sends everything right up to Debug (Level 7). As that more than doubles the log size for no material benefit, I'd like to tell vCenter not to bother. 

What is the corect syntax of the stanza in rsyslog.conf to set the severity level to Level 6 / Info or lower? 

We tried 

$InputFileSeverity 6

$InputFileSeverity Info

$InputFileSeverity Info,Warning

Labels (2)
0 Karma
Reply

mooree
Path Finder
‎05-26-2022 02:05 AM

In part to respond to my own question: 

- we have been able to get something working by using the default config in vCenter, but only by using for format much closer to the default vCenter config than that recommended by Splunk. 

template(name="RSYSLOG_ForwardFormat1" type="string"
     string="<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

#$WorkDirectory /var/spool/rsyslog

*.info
@x.x.x.x:514RSYSLOG_ForwardFormat1

This now means I have to rework the transforms.conf in the Splunk App, so far from ideal. I've got the sourcetype working, with some caeveats, but I suspect that the whole piece about field extractions will now fail. 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...