
Splunk Add-on for VMware: How to limit the logs collected by the add-on to just security related logs?

New Member

- We have a remote syslog server that is collecting vCenter and ESXi host logs.
- On the syslog server the data is broken out as follows: %HOSTNAME%/%PROGRAMNAME%.log
- We are able to collect the data using the splunktaesxilogs and splunktavcenter apps.

The problem is that it's collecting too much data, and we only care about security-related data. How can I collect the following logs using the Splunk Add-on for VMware plugins? Is that something I need to do in the transforms.conf and props.conf files?

shell.log
auth.log
hostd.log


Re: Splunk Add-on for VMware: How to limit the logs collected by the add-on to just security related logs?

Contributor

If you're collecting too much data, I'd explore tuning down the noise at its source (i.e., the boxes themselves) instead of trying to filter everything out with Splunk.

In the case of the VMware-oriented Splunk apps, it appears those apps collect a lot of logs and do a lot of performance- and monitoring-oriented functions (should you choose to enable them). It sounds like many of these extra monitoring capabilities are enabled. I'm not sure what your situation is as far as who set this up for you, but you can always go into each of the inputs.conf files in the apps and change disabled = 0 to disabled = 1, which will disable the monitoring stanzas for that particular log source.

Since it appears you're only interested in collecting shell.log, auth.log and hostd.log, you may explore just adding your own monitor stanzas for those log locations and disabling everything else, like this:

# inputs.conf: one monitor stanza per log you actually want; leave the
# add-on's other stanzas at disabled = 1
[monitor:///var/log/shell.log]
disabled = 0

[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/hostd.log]
disabled = 0

Re: Splunk Add-on for VMware: How to limit the logs collected by the add-on to just security related logs?

New Member

Thank you for the input, but unfortunately we cannot turn down the noise at the source. I believe by default VMware logs are set to verbose. I will definitely look at the inputs.conf and see if that helps out any.

thanks again!


Re: Splunk Add-on for VMware: How to limit the logs collected by the add-on to just security related logs?

Contributor

Oh well, the next best thing is to investigate what you can disable, and if you're still getting more noise, I'd look into setting up a nullQueue in your props.conf and transforms.conf. Happy to help!

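As an added example (not from this thread or from the Splunk VMware add-ons), here is the nullQueue filter the reply above refers to: it discards every file the syslog server writes and then re-routes only shell.log, auth.log and hostd.log to the index. It assumes the files land under /var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log and that the stanzas are deployed on the indexer or heavy forwarder that parses the data; the directory and the stanza names are placeholders.

```ini
# props.conf
# Match every per-host log file the syslog server writes. The "..." wildcard
# spans the %HOSTNAME% directory level. Order inside the TRANSFORMS list
# matters: the last transform that sets the queue wins.
[source::/var/log/remote/.../*.log]
TRANSFORMS-vmware_security_filter = vmware_drop_all, vmware_keep_security

# transforms.conf
# Rule 1: send every event to nullQueue (dropped before indexing, no license use).
[vmware_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Rule 2: for events whose source file name is one of the three
# security-relevant logs, override rule 1 and send them to indexQueue.
# SOURCE_KEY points the regex at the source path instead of the raw event.
[vmware_keep_security]
SOURCE_KEY = MetaData:Source
REGEX = /(shell|auth|hostd)\.log$
DEST_KEY = queue
FORMAT = indexQueue
```

A universal forwarder does not apply these transforms, so they must sit on the first full Splunk instance in the path; after deploying, confirm with a search over the affected sources that only the three file names appear.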