I've read a few threads about this but am not finding the answer to my specific issue so am posting here.
My vCenter (VCSA) and all ESXi hosts are currently outputting Syslog to a Kiwi Syslog server which is writing the stream out to a folder set split by host.
I've downloaded the Splunk Add-on for VMware and placed the SplunkTAvcenter and SplunkTAesxilogs in the /etc/apps folder of the Kiwi server's UF directory.
Under SplunkTAvcenter I have created a /local/inputs.conf and set up a [monitor] stanza to monitor the folder the ESXi logs are being written to. This was modified from an example in the default folder:

```ini
# stanza header not included in the post; path shown as a placeholder
[monitor://<path-to-esxi-syslog-folder>]
disabled = 0
index = vmware_syslog
sourcetype = syslog
```
If I look at the data in Splunk, the 'host' field is wrong, as it appears to relate to the syslog level, i.e. "User.Info". I can correct this by adding a 'host' field to the monitor stanza, but I'm not sure if this is the best way.
Also, I'm not sure if the sourcetype is correct, as the example I copied from the default folder specifies a sourcetype of cvlog. Should I be using that or syslog?
In addition to the above, the log format in Kiwi is set to Kiwi format ISO yyyy-mm-dd (Tab delimited). I can't see any documentation that recommends a specific format for use with Splunk so have just used this as the default.
In terms of the SplunkTAesxilogs inputs, the only example assumes a TCP or UDP stream. Am I able to just set up a monitor stanza as before? I'm thinking now that the Kiwi log format is quite important, as it will differ from a direct TCP stream if Kiwi is adding bits to the file.
My goal at this stage is just to have data correctly ingested into Splunk but I'm not sure I've achieved this yet.
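Two ways to get a real per-host value into the host field instead of one hard-coded `host =` for every file, as an added example that is not from the original post or from the VMware add-on. The folder layout, the file wildcard and the Kiwi column order are assumptions:

```ini
# ---- inputs.conf on the UF (SplunkTAvcenter/local) ----
# Assumed layout: Kiwi writes one folder per host, e.g.
#   D:\Logs\ESXi\<hostname>\SyslogCatchAll.txt
# A fixed "host = ..." here would stamp every file with the same host.
# host_regex runs on the file path, so the parent folder name becomes host.
[monitor://D:\Logs\ESXi\*\*.txt]
disabled = 0
index = vmware_syslog
sourcetype = syslog
# capture group 1 = the folder directly above the file
host_regex = \\([^\\]+)\\[^\\]+$

# ---- props.conf / transforms.conf (indexer or heavy forwarder, NOT the UF;
#      a universal forwarder does not run index-time TRANSFORMS) ----
# Alternative when host must come from the event text. Assumed Kiwi
# "ISO yyyy-mm-dd (Tab delimited)" columns:
#   yyyy-mm-dd HH:MM:SS <TAB> Facility.Level <TAB> host <TAB> message
# Default syslog host extraction grabs the token after the timestamp,
# which is why "User.Info" shows up as host.
[syslog]
# applies to every event of sourcetype syslog on this indexer; use a
# [source::...] stanza instead to limit it to the Kiwi files
TRANSFORMS-kiwi_host = kiwi_set_host

[kiwi_set_host]
# group 1 = third tab-delimited column (the sending host)
REGEX = ^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\t[^\t]+\t([^\t]+)\t
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

If the per-host folder split is reliable, the inputs.conf route needs no changes on the indexer and is the simpler one to verify by checking `host` values after ingest.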