How to integrate NSX-T log forwarding to Splunk?

jwkrych
Explorer

Hello,

Myself and another gentleman have been tasked to integrate NSX-T TLS log forwarding to Splunk. Is there a list of exact instructions or a white paper showing how to accomplish this? Do we need to have our purchasing folks reach out for support as well?

Very respectfully,

James

0 Karma

richgalloway
SplunkTrust

There are a few ways to onboard data into Splunk.

Install a universal forwarder on the server to send log files to Splunk
Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog
Use the server's API to extract data for indexing
Use Splunk DB Connect to pull data from the server's SQL database.
Have the application send data directly to Splunk using HTTP Event Collector (HEC).

My friend Google says NSX-T can send its logs via syslog so that option may work for you.

If you run NSX-T on VMware then consider the VMware NSX-T Splunk App (https://splunkbase.splunk.com/app/4241)

---
If this reply helps you, Karma would be appreciated.

jwkrych
Explorer

Somewhat.

I am already familiar with the universal forwarder. In this case, it's very specific. We need to have NSX-T use TLS to send its logs to Splunk. And yes, I have been researching and reading individual blogs and sites.

Very respectfully,

James

0 Karma

richgalloway
SplunkTrust

Syslog-ng can be configured to accept syslog over TLS.  See https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-....  Once the data has been received and saved on the syslog server, a UF can be used to forward the data to Splunk over a TLS-protected session.  See https://docs.splunk.com/Documentation/Splunk/9.0.2/Security/AboutsecuringyourSplunkconfigurationwith...

0 Karma
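
The first hop described in the reply above, as an added example that is not part of the original thread or taken from vendor documentation: a syslog-ng source that accepts syslog over TLS and writes it to files a universal forwarder can monitor. The file name, paths and port are assumptions, as is that the sender uses RFC 5424 framing and presents a client certificate.

```conf
# /etc/syslog-ng/conf.d/nsxt-tls.conf  (hypothetical file name and paths)
# Assumes the main syslog-ng.conf carries the @version line and includes conf.d.

source s_nsxt_tls {
    # syslog() expects IETF-syslog (RFC 5424) framing; use network() instead
    # if the sender emits newline-framed BSD syslog.
    syslog(
        ip("0.0.0.0")
        port(6514)                      # conventional syslog-over-TLS port
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/tls/server.key")    # keep mode 0600
            cert-file("/etc/syslog-ng/tls/server.crt")   # this receiver's cert
            ca-dir("/etc/syslog-ng/tls/ca.d")            # CA certs, hash-named
            # Require a client certificate that chains to a CA in ca.d.
            # Relaxing this to optional-untrusted lets any host that can
            # reach the port write events into the log tree.
            peer-verify(required-trusted)
            ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};

destination d_nsxt_files {
    # One directory per sender, named by the peer address rather than by a
    # header field the sender controls.
    file("/var/log/remote/nsxt/${SOURCEIP}/nsxt.log"
        create-dirs(yes) dir-perm(0750) perm(0640));
};

log { source(s_nsxt_tls); destination(d_nsxt_files); };
```

A universal forwarder on the same host can then monitor /var/log/remote/nsxt and send to the indexers over its own TLS-protected session, which is the second hop the reply describes.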

isoutamo
SplunkTrust

Hi

There seems to be an NSX-T app which you may be able to use for ingesting the data and showing it. See https://splunkbase.splunk.com/app/4241. What I don't like about it is that it uses a separate IP listener on the Splunk node to get data in. A much better way is to use a separate syslog server for it. I haven't checked whether you can also use the Splunk Add-on for VMware https://splunkbase.splunk.com/app/3215.

r. Ismo

jwkrych
Explorer

We will be using the Splunk add-on from VMware.

I am just trying to wrap my head around the certs to do this. I understand from the VMware pages what our guys have to do at the command line to enable the TLS protocol and what certs to send. (As well as what logging will be sent.)

I know from the Splunk notes that the three certs to be sent will be combined on the Splunk side and in what order they need to be done. I am just still a little confused as to how on the Splunk side, the VMware add-on will be using that combined cert.

Very respectfully,

James

0 Karma

jwkrych
Explorer

Hey there.

I do appreciate the reply. As I said, we need to have the NSX-T use TLS to forward the logs to Splunk.

Very respectfully,

James

0 Karma

Eleena_Fayaz
New Member

Hi there,

I have been given the task to forward NSX-T logs to a Splunk server.

Can you please share the steps/procedure that you followed to configure the same?

0 Karma