Splunk App for VMware 3.2.2: Why am I unable to get logs from vCenter Server 6.0 into the app?

Plotkowski
Path Finder

Hi,

I'm trying to get logs from our vCenter Server 6.0 into our VMware App.
It looks like the TA is using the log structure from the old vCenter 5.x and not the 6.x.

As described here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10218...
5.x and 6.x have very different log approaches it seems.
Looking at the props.conf in the Splunk_TA_vcenter, it seems like it is only working for 5.x and not 6.x.
Am I missing a new TA? What am I doing wrong? The VMware app says it supports vCenter Server 6.x.

I'm getting the logs into Splunk when monitoring the directory, but fields won't get properly extracted.

0 Karma

trapti_splunk
Splunk Employee

Hi, the new VMware version is out. Did you guys get a chance to check?

Update in case you need any further assistance regarding this issue.

0 Karma

prakash007
Builder

Hi, we have upgraded the VMware app to 3.4.0 and VMware is on 6.5.

we are forwarding vCenter logs to a HF which has Splunk_TA_vCenter, and we did make sure to change the inputs monitor path accordingly, but the regex in props and transforms is not extracting the sourcetype...

#our custom inputs on HF
inputs.conf
[monitor:///var/log/vmware_hosts/vcenter-*.myorg/messages*]
disabled = 0
sourcetype = vclog
host_segment = 4
index = vmware-vclog

#props and transforms are from Splunk_TA_vCenter
props.conf
[vclog]
SHOULD_LINEMERGE = false
TRANSFORMS-vmwvclogsourcetype = set_vclog_sourcetype

transforms.conf
#Sourcetype Extraction
[set_vclog_sourcetype]
REGEX = ^([a-z\-]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:vclog:$1

0 Karma
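
An added example, not part of the post above and not code from Splunk_TA_vcenter: a way to check offline which events the `set_vclog_sourcetype` regex would rewrite. It assumes `SOURCE_KEY` is not set, so the regex is tested against `_raw`; the function names and every sample line are constructed for illustration.

```python
import re

# Values copied from the transforms.conf and inputs.conf stanzas in the post.
REGEX = re.compile(r"^([a-z\-]+)")
FORMAT = "sourcetype::vmware:vclog:$1"
DEFAULT_SOURCETYPE = "vclog"


def apply_transform(raw_event: str) -> str:
    """Return the sourcetype an event would end up with.

    Assumption: SOURCE_KEY is unset, so the regex runs against _raw.
    When the regex does not match, the transform does nothing and the
    sourcetype assigned in inputs.conf is kept.
    """
    match = REGEX.search(raw_event)
    if match is None:
        return DEFAULT_SOURCETYPE
    # Expand $1, then drop the "sourcetype::" key prefix from FORMAT.
    return FORMAT.replace("$1", match.group(1)).split("::", 1)[1]


# Constructed sample events (hypothetical, not real vCenter output).
SAMPLES = [
    # Begins with a lowercase token: rewritten as intended.
    "vpxd-profiler constructed message",
    # Syslog-relayed line: starts with an upper-case month, no match.
    "Sep  1 10:00:00 vcenter-01.myorg vpxd[1234]: constructed message",
    # ISO timestamp first: starts with a digit, no match.
    "2016-09-01T10:00:00.123Z info vpxd constructed message",
    # RFC 5424 priority header first: starts with '<', no match.
    "<14>1 2016-09-01T10:00:00Z vcenter-01.myorg vpxd - - constructed",
    # Any lowercase first word matches, including a severity word.
    "error constructed line that starts with a severity word",
]


def classify(samples):
    """Pair each sample event with its resulting sourcetype."""
    return [(event, apply_transform(event)) for event in samples]


if __name__ == "__main__":
    for event, sourcetype in classify(SAMPLES):
        print(f"{sourcetype:28} <- {event[:40]}")
```

Replacing `SAMPLES` with a few lines copied from the monitored files shows whether the events begin with the lowercase token the regex expects.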

Plotkowski
Path Finder

Thanks for the update!
These fixes in 3.3 look very promising:

2016-01-21  VMW-4164    Error in stanza for vCenter 6.0 log location.
2016-03-03  VMW-4193    VMWare vclogs for ESXi 6.0 and 5.5 log location in props.conf and inputs.conf.

Unfortunately I won't be able to upgrade and test our VMware app before the end of September.
I will provide feedback then unless someone gets to test that before me.

0 Karma

trapti_splunk
Splunk Employee

Yes, you will need to make it monitor the correct path in inputs.conf (for vCenter server 6.0) and also in props.conf for proper field extraction.

This is a known issue and will be fixed in the next release.
Let me know if you need any further details regarding the issue.

0 Karma

gaubor
New Member

I am also waiting for the new version to come out.

I think it's a little strange that Splunk has not fixed this yet, since VMware 6.0 has been out for a while.

Does anyone know when the new version of the Splunk App for VMware will be released?

0 Karma

Plotkowski
Path Finder

I don't even know where to start. This is not about setting the correct path. It seems to me that vSphere 6.0 has a completely different approach to logging and there are no extracts in props.conf for things like sca.log, cls, sps, eam....
All these logs are getting tagged as separate sourcetypes in my vmware-vclog index.

To be honest it looks like there is no support for any vSphere 6.0 stuff at all in this TA. Is there an ETA for a version that supports vSphere 6.0?

0 Karma