All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to ingest data from VMWare ESXI host

maheshnc
Path Finder
4 weeks ago

I want to know what are the ways to ingest the data from ESXI host in Splunk. 

Labels (1)
Labels
0 Karma
Reply

vjdev
Explorer
3 weeks ago

Hello maheshnc,

If you use HF to receive syslog, it will receive the log, process it, and store it in the indexers. It wouldn't store in HF. 

To archive it,

  • Settings → Data Inputs.
  • Find the TCP and/or UDP input options under Network data.
  • Add new for TCP or UDP.
  • Choose the port you want to use.
  • Assign a sourcetype.
  • Choose or define the index.
  • Optionally set host settings.


Else, if you want to use UF, set up syslog-ng and store the logs in files and read them using UF by setting up inputs.conf.

Difference:

UF does not do full parsing, routing based on event content. Transformation/filters that require deep processing. It usually has minimal functionality.It is a lightweight component.

HF is a full Splunk Enterprise install that is used as a forwarder. Indexing is typically disabled (or you configure it so it doesn’t index locally) when being used as HF. It can parse, filter, route, transform and mask/anonymize events before forwarding.

Thank you!

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Whilst this is possible, I would recommend looking at SC4S or syslog-ng approaches first. 

"Splunk recommends the SC4S containerized solution for all customers who are able to adopt it"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

Meett
Splunk Employee
Splunk Employee
4 weeks ago

Hello @maheshnc You can have look at this document and add-on  : https://docs.splunk.com/Documentation/AddOns/released/VMWesxilogs/Install 

0 Karma
Reply

maheshnc
Path Finder
4 weeks ago

Thanks for your inputs. Could you please explain If I can setup my Heavy Forwarder to receive the syslog (instead of syslog ng server with UF installed on it)? if yes, how can I setup my HF to receive the syslog and where will the syslog be stored on HF? also, what will be the difference between using a using a UF and a HF to collect the syslog data.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
3 weeks ago

Hi @maheshnc  you "can", but I really would not recommend it. 

Check out https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-...for validated archiectures for ingesting syslog into Splunk.

I would recommend looking at SC4S (https://splunk.github.io/splunk-connect-for-syslog/2.30.1/sources/vendor/VMWare/vsphere/) or Rsyslog or Syslog NG combined with Universal Forwarder (UF)/Heavy Forwarder (HF) for your usecase.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...

Your Voice Matters! Help Us Shape the New Splunk Lantern Experience

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Building Momentum: Splunk Developer Program at .conf25

At Splunk, developers are at the heart of innovation. That’s why this year at .conf25, we officially launched ...