All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure VMWare vCenter logs via syslog to get into splunk?

mooree
Path Finder
‎05-23-2022 02:31 PM

Not strictly a Splunk question, more  a VMWare vCenter one, but II'm hoping somebody has solved this before me!!!

We're working to get the logs from vCenter into Splunk using syslog, Kiwi and the Splunk Add-on for vCenter Logs.  We've figured out all the components:

  • configured vCenter correctly, using rsyslog.config
  • set Kiwi up to use Native messages, not add a date and time stamp

and we were just about to start the app to fetch the kiwi logs when we found we could not control the severity level in rsyslog. We referred to the help cited - https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html - but this refers to the directive $InputFileSeverity  as being legacy...

Regardless of what we set the parameter $InputFileSeverity to it ignores us and sends everything right up to Debug (Level 7). As that more than doubles the log size for no material benefit, I'd like to tell vCenter not to bother. 

What is the corect syntax of the stanza in rsyslog.conf to set the severity level to Level 6 / Info or lower? 

We tried 

$InputFileSeverity 6

$InputFileSeverity Info

$InputFileSeverity Info,Warning

Labels (2)
0 Karma
Reply

mooree
Path Finder
‎05-26-2022 02:05 AM

In part to respond to my own question: 

- we have been able to get something working by using the default config in vCenter, but only by using for format much closer to the default vCenter config than that recommended by Splunk. 

template(name="RSYSLOG_ForwardFormat1" type="string"
     string="<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

#$WorkDirectory /var/spool/rsyslog

*.info
@x.x.x.x:514RSYSLOG_ForwardFormat1

This now means I have to rework the transforms.conf in the Splunk App, so far from ideal. I've got the sourcetype working, with some caeveats, but I suspect that the whole piece about field extractions will now fail. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...