Hi,
I'm trying to get logs from our vCenter Server 6.0 into our VMware App.
It looks like the TA is using the log structure from the old vCenter 5.x and not the 6.x.
Like described here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=10218...
5.x and 6.x have very different log approaches it seems.
Looking at the props.conf in the Splunk_TA_vcenter, it seems like it is only working for 5.x and not 6.x.
Am I missing a new TA? What am I doing wrong? The VMware app says it supports vCenter Server 6.x.
I'm getting the logs into Splunk when monitoring the directory, but fields won't get properly extracted.
Hi, the new VMware version is out. Did you guys get a chance to check?
update in case you need any further assistance regarding this issue.
Hi, we have upgraded vmware app to 3.4.0 and vmware is on 6.5..
we are forwarding vCenter logs to a HF which has Splunk_TA_vCenter, and we did make sure to change the inputs monitor path accordingly, but the regex in props and transforms is not extracting the sourcetype...
#our custom inputs on HF
inputs.conf
[monitor:///var/log/vmware_hosts/vcenter-*.myorg/messages*]
disabled = 0
sourcetype = vclog
host_segment = 4
index = vmware-vclog
#props and transforms are from Splunk_TA_vCenter
props.conf
[vclog]
SHOULD_LINEMERGE = false
TRANSFORMS-vmwvclogsourcetype = set_vclog_sourcetype
transforms.conf
#Sourcetype Extraction
[set_vclog_sourcetype]
REGEX = ^([a-z\-]+)
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::vmware:vclog:$1
Thanks for the update!
These fixes in 3.3 look very promising:
2016-01-21 VMW-4164 Error in stanza for vCenter 6.0 log location.
2016-03-03 VMW-4193 VMWare vclogs for ESXi 6.0 and 5.5 log location in props.conf and inputs.conf.
Unfortunately I wont be able to upgrade and test our VMware app before the end of september.
I will provide feedback then unless someone gets to test that before me.
Yes, you will need to make it monitor the correct path in inputs.conf (for vCenter server 6.0) and also in props.conf for proper field extraction.
This is a known issue and will be fixed in next release.
Let me know if you need any further details regarding the issue.
I am also waiting for the new version to come out?
Think its a little strange that splunk have not fixed this yet, since vmware 6.0 have been out for a while.
Do anye one know when the new version of splunk app for vmware will be released?
I dont even know where to start. This is not about setting the correct path. It seems to me that vsphere 6.0 has a completely different approach to logging and there are no extracts in props.conf for things like sca.log, cls, sps, eam....
All these logs are getting tagged as seperate sourcetypes in my vmware-vclog index.
To be honest it looks like there is no support for any vsphere 6.0 stuff at all in this TA. Is there an ETA for a version that supports vsphere 6.0?