-We have a remote syslog server that is collecting vCenter and ESXi host logs.
-On the syslog server the data is broken out as follows: %HOSTNAME%/%PROGRAMNAME%.log
-We are able to collect the data using the splunktaesxilogs and splunktavcenter apps.
The problem is that it's collecting too much data, and we only care about security-related data. How can I collect the following logs using the Splunk Add-on for VMware plugins? Is that something I need to do in the transforms.conf and props.conf files?
If you're collecting too much data, I'd explore maybe tuning down the noise at its source (i.e., the boxes themselves) instead of trying to filter everything out with Splunk.
In the case of using the VMware-oriented Splunk apps, it appears those apps collect a lot of logs and do a lot of performance- and monitoring-oriented functions (should you choose to enable them). It sounds like many of these extra monitoring capabilities are enabled. I'm not sure what your situation is as far as who set this up for you, but you can always go into each of the inputs.conf files in the apps and change disabled = 0 to disabled = 1, which will disable the monitoring stanzas for that particular log source.
Since it appears you're only interested in collecting shell.log, auth.log, hostd.log, you may explore just adding your own monitoring stanzas for those log locations and disable everything else, like this:
[monitor:///var/log/shell.log]
disabled = 0

[monitor:///var/log/auth.log]
disabled = 0

[monitor:///var/log/hostd.log]
disabled = 0
Thank you for the input, but unfortunately we cannot turn down the noise at the source. I believe by default VMware logs are set to verbose. I will definitely look at the inputs.conf and see if that helps out any.
Oh well, next best thing is to investigate what you can disable and, if you're still getting more noise, I'd look into setting up a nullQueue in your props.conf and transforms.conf. Happy to help!
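As an added example (not from the thread above or from the Splunk add-ons), here is the props.conf/transforms.conf nullQueue pattern the last reply refers to, alongside an inputs.conf whitelist that matches the %HOSTNAME%/%PROGRAMNAME%.log layout from the question and keeps only the three files named in the answer. The base path /var/log/remote, the stanza names, and the regexes are assumptions to adapt; Splunk conf files do not allow comments on the same line as a setting, so every comment sits on its own line.

```ini
# inputs.conf (on the forwarder that reads the syslog server's files)
# Assumed layout: /var/log/remote/<HOSTNAME>/<PROGRAMNAME>.log
# Only shell.log, auth.log and hostd.log are read; other files never leave
# the forwarder, so their volume does not reach the indexer at all.
# host_segment = 4 takes the host name from the 4th path segment
# (var=1, log=2, remote=3, <HOSTNAME>=4). Add the sourcetype and index the
# add-on expects on separate lines here.
[monitor:///var/log/remote]
disabled = 0
recursive = true
whitelist = /(shell|auth|hostd)\.log$
host_segment = 4

# props.conf (indexer or heavy forwarder; queue routing happens at parse time)
# "..." is Splunk's wildcard for any number of path segments.
# For hostd.log, drop low-value events and index the rest.
[source::/var/log/remote/.../hostd.log]
TRANSFORMS-esxi_hostd = esxi_drop_verbose

# For auth.log, keep only events that match and discard everything else.
# The list is applied in order: setnull routes every event to nullQueue,
# then keep_security moves the matching events back to indexQueue.
[source::/var/log/remote/.../auth.log]
TRANSFORMS-esxi_auth = setnull, keep_security

# transforms.conf
[esxi_drop_verbose]
# Assumed line shape: "<timestamp> verbose hostd[...] ..." (level as 2nd token)
REGEX = ^\S+\s+verbose\s
DEST_KEY = queue
FORMAT = nullQueue

[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[keep_security]
# Assumed keywords for logon, logoff and failed-authentication events
REGEX = (?i)(login|logout|authentication|rejected|denied)
DEST_KEY = queue
FORMAT = indexQueue
```

Filtering in inputs.conf is preferable where it is possible, since events dropped by nullQueue still have to be forwarded and parsed before they are discarded.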