How to send ESX logs via Splunk heavy forwarder in a Windows environment?

Builder

We have Splunk components (1 S.H + 1 IND + 2 H.F) installed in a Windows environment.

I would like to configure an ESX host to send logs to the Splunk Heavy Forwarder and be able to search the data through the S.H.

However, Splunk App for VMware works on Splunk platform instances deployed in a *nix environment. Windows is not a supported operating system for this app.

Can someone please provide a solution for this?

Thanks in advance.

0 Karma

Explorer

If you are only looking to get the ESXi logs and not vCenter performance data, you can enable your ESXi servers to syslog to your Heavy Forwarder.

Unfortunately, you have to enable this per ESXi host, but you can have your VMware admin set them to syslog to multiple locations, and your Heavy Forwarder IP can be one of them.

We have our ESXi servers forwarding to a syslog server and then to Splunk, but a heavy forwarder will work as well.

On your Heavy Forwarder, create a UDP input on the syslog port (514) and it should listen for the data.

Builder

Hi @pcombs001, thanks for your reply. I will try doing that.

0 Karma

Builder

So, I followed your advice and created UDP port 514 for ESX logs.

I configured everything exactly as per the instructions given in this link:
https://wiki.splunk.com/Community:VMwareESXSyslog
But I am still not getting any logs.

Another question: since I can't use the Splunk App for VMware in my scenario, is there any VMware app for Splunk in a Windows environment?

0 Karma

Explorer

Hi,
I reviewed the steps in that link you provided, but we did not make our changes from the CLI. We made use of the vCenter GUI to add the IP address of the Splunk server to the list of syslog destinations. When we tried it with the hostname as mentioned in the post, it did not resolve. I believe we did a restart of the ESX server as well.

In addition, is there something blocking the ESX server data from reaching the Splunk server? Any firewall in the way? Are you able to confirm that the ESX server can syslog to another location to make sure that is working in general?

Regarding your VMware app question. We do not make much use of the app itself to report on our VM data. We have developed our own dashboards and summary indexes from the data coming in from the DCNs and syslog.

Hope this helps.

0 Karma
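The two questions raised in the post above (is the heavy forwarder actually listening on UDP 514, and is a firewall in the way) can be checked on the Windows side as follows. This is an added example, not part of any post in this thread; the ESXi addresses are placeholders and the firewall rule name is made up for illustration.

```powershell
# Run in an elevated PowerShell session on the Windows heavy forwarder.
$Port       = 514
$EsxiHosts  = @('192.0.2.10', '192.0.2.11')   # placeholder ESXi management IPs (assumption)
$CreateRule = $false                           # set to $true to add the scoped allow rule

# 1. Is anything bound to UDP 514, and is the owner splunkd?
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $endpoints) {
    Write-Warning "Nothing is listening on UDP $Port. Check the UDP input on the forwarder."
} else {
    foreach ($ep in $endpoints) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} owned by {2} (PID {3})' -f $ep.LocalAddress, $ep.LocalPort,
            $proc.ProcessName, $ep.OwningProcess
        if ($proc.ProcessName -ne 'splunkd') {
            Write-Warning "UDP $Port is held by a process other than splunkd."
        }
    }
}

# 2. Is there an enabled inbound allow rule that covers UDP 514?
#    (Exact-port and 'Any' rules only; port ranges are not expanded here.)
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        ($pf.Protocol -in 'UDP', 'Any') -and
        (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any'))
    }

if ($rules) {
    $rules | Select-Object DisplayName, Profile |
        Format-Table -AutoSize
} else {
    Write-Warning "No enabled inbound allow rule covers UDP $Port."
    if ($CreateRule) {
        # Scope the rule to the ESXi hosts instead of opening syslog to every source.
        New-NetFirewallRule -DisplayName 'Syslog from ESXi (UDP 514)' `
            -Direction Inbound -Protocol UDP -LocalPort $Port `
            -RemoteAddress $EsxiHosts -Action Allow | Out-Null
        "Created inbound rule for UDP $Port from: $($EsxiHosts -join ', ')"
    }
}
```

If both checks pass and events still do not arrive, the remaining places to look are the ones the post names: the syslog destination set on each ESXi host and any network firewall between the hosts and the forwarder.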

Splunk Employee

If you want to get the full collection of VMware metrics, and not just the logs, you will want to leverage the OVA image that Splunk provides to get you the required Linux-based components. That is because the components that work to collect that info (Scheduler and Data Collection Node) only run on Linux. See http://docs.splunk.com/Documentation/AddOns/released/VMW/Hardwareandsoftwarerequirements for more details.

If you just want the ESXi logs, then the full-blown add-on may not be required, and you can probably just get away with the Splunk_TA_esxilogs, from the add-on.