Splunk Add-on for VMware: How to limit the logs collected by the add-on to just security related logs?

rahelee
New Member

-We have a remote syslog server that is collecting vCenter and ESXi host logs.
-On the syslog server the data is broken out as follows: %HOSTNAME%/%PROGRAMNAME%.log
-We are able to collect the data using the splunk_ta_esxilogs and splunk_ta_vcenter apps.

The problem is that it's collecting too much data, and we only care about security related data. How can I collect the following logs using the Splunk Add-on for VMware plugins? Is that something I need to do in the transforms.conf and props.conf files?

shell.log
auth.log
hostd.log

0 Karma

adayton20
Contributor

If you're collecting too much data, I'd explore maybe tuning down the noise at its source (i.e., the boxes themselves) instead of trying to filter everything out with Splunk.

In the case of using the VMware oriented Splunk apps, it appears those apps collect a lot of logs and do a lot of performance and monitoring oriented functions (should you choose to enable them). It sounds like many of these extra monitoring capabilities are enabled. I'm not sure what your situation is as far as who set this up for you, but you can always go into each of the inputs.conf files in the apps and change the disabled = 0 to disabled = 1, which will disable the monitoring stanzas for that particular log source.

Since it appears you're only interested in collecting shell.log, auth.log, hostd.log, you may explore just adding your own monitoring stanzas for those log locations and disable everything else, like this:

# inputs.conf: one monitor stanza per file, everything else disabled
[monitor:///var/log/shell.log]
disabled = 0

[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/hostd.log]
disabled = 0

0 Karma
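An added example, not from the post above, of the same input-side approach written for the directory layout the question describes (`<syslog-root>/<HOSTNAME>/<PROGRAMNAME>.log`) rather than for the local ESXi paths. The syslog root `/var/log/remote`, the index name and the sourcetype are assumptions; match the sourcetype to whatever the add-on's props.conf expects if you want its field extractions. The point is the `whitelist`: the forwarder never reads any file in the tree that does not match it, so the unwanted logs are dropped before they cross the network or touch the indexer.

```ini
# inputs.conf on the forwarder that runs on the syslog server.
# Added example; /var/log/remote is an assumed path for the syslog tree
# laid out as /var/log/remote/<HOSTNAME>/<PROGRAMNAME>.log

# A single recursive monitor over the whole tree. whitelist is a regex
# matched against the full path, so only shell.log, auth.log and hostd.log
# under any <HOSTNAME>/ directory are tailed; every other file is skipped
# at the input stage. Disable the add-on's own monitor stanza for this
# tree so the two inputs do not both read it.
[monitor:///var/log/remote]
disabled = 0
recursive = true
whitelist = /(shell|auth|hostd)\.log$
# index and sourcetype are placeholders; use the ones your add-on expects
index = vmware_security
sourcetype = vmw-syslog
# Take the host field from the <HOSTNAME> directory: counting segments of
# /var/log/remote/<HOSTNAME>/shell.log, <HOSTNAME> is segment 4.
host_segment = 4
```

Check it with `splunk list monitor` on the forwarder: only paths ending in the three file names should appear. If a fourth log later becomes security relevant, extend the alternation in `whitelist` rather than adding a new stanza.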

rahelee
New Member

Thank you for the input, but unfortunately we cannot turn down the noise at the source. I believe by default VMware logs are set to verbose. I will definitely look at the inputs.conf and see if that helps out any.

Thanks again!

0 Karma

adayton20
Contributor

Oh well, next best thing is to investigate what you can disable and if you're still getting more noise, I'd look into setting up a nullQueue in your props.conf and transforms.conf. Happy to help!

0 Karma
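An added example of the nullQueue approach mentioned in the reply above; it is not code from the post or from the Splunk add-on. It uses the documented "discard everything, then re-route the events you want" pattern: two transforms run in order on the same sourcetype, the first sends every event to nullQueue and the second sends events whose source path matches one of the three files back to indexQueue, and the last matching transform wins. The sourcetype `vmw-syslog` and the source regex are assumptions to adjust to your deployment.

```ini
# props.conf and transforms.conf on the indexer (or heavy forwarder).
# Added example. nullQueue routing runs in the parsing pipeline, so it has
# no effect on a universal forwarder: the data still crosses the network
# and is only discarded once it reaches a full Splunk instance.
# Events sent to nullQueue are not indexed and do not count against license.

# ---- props.conf ----
# Order matters: later transforms override earlier ones for the same event,
# so "drop all" must come before "keep security logs".
[vmw-syslog]
TRANSFORMS-vmware_filter = vmware_drop_all, vmware_keep_security

# ---- transforms.conf ----
# Match every event (REGEX = . matches any character) and route it to
# nullQueue, i.e. discard it.
[vmware_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Inspect the source path, not the event body, and put events from
# shell.log, auth.log or hostd.log back on the index queue. Everything
# else keeps the nullQueue destination set above.
[vmware_keep_security]
SOURCE_KEY = MetaData:Source
REGEX = /(shell|auth|hostd)\.log$
DEST_KEY = queue
FORMAT = indexQueue
```

Apply this only after the inputs.conf pruning is done: it is a safety net for noise that still reaches the indexer, not a substitute for not collecting it. Verify with a search over the last few minutes, e.g. `index=<your index> | stats count by source`, and confirm that only the three file names appear.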