All Apps and Add-ons

How to configure VMWare vCenter logs via syslog to get into splunk?

mooree
Path Finder

Not strictly a Splunk question, more  a VMWare vCenter one, but II'm hoping somebody has solved this before me!!!

We're working to get the logs from vCenter into Splunk using syslog, Kiwi and the Splunk Add-on for vCenter Logs.  We've figured out all the components:

  • configured vCenter correctly, using rsyslog.config
  • set Kiwi up to use Native messages, not add a date and time stamp

and we were just about to start the app to fetch the kiwi logs when we found we could not control the severity level in rsyslog. We referred to the help cited - https://www.rsyslog.com/doc/v8-stable/configuration/modules/imfile.html - but this refers to the directive $InputFileSeverity  as being legacy...

Regardless of what we set the parameter $InputFileSeverity to it ignores us and sends everything right up to Debug (Level 7). As that more than doubles the log size for no material benefit, I'd like to tell vCenter not to bother. 

What is the corect syntax of the stanza in rsyslog.conf to set the severity level to Level 6 / Info or lower? 

We tried 

$InputFileSeverity 6

$InputFileSeverity Info

$InputFileSeverity Info,Warning

Labels (2)
0 Karma

mooree
Path Finder

In part to respond to my own question: 

- we have been able to get something working by using the default config in vCenter, but only by using for format much closer to the default vCenter config than that recommended by Splunk. 

template(name="RSYSLOG_ForwardFormat1" type="string"
     string="<%PRI%>%syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

#$WorkDirectory /var/spool/rsyslog

*.info
@x.x.x.x:514RSYSLOG_ForwardFormat1

This now means I have to rework the transforms.conf in the Splunk App, so far from ideal. I've got the sourcetype working, with some caeveats, but I suspect that the whole piece about field extractions will now fail. 

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...