
VMware Syslog

SplunkFu
Path Finder

Hi there,

We are just doing some internal capacity predictions on our deployment, and I was wondering if there are any guidelines for estimating the VMware ESX/i syslog volumes? Yes, I know this is ambiguous, but I was checking whether someone has seen any trends in their environment.

Additionally, what value have people seen in the syslog, i.e. what are they getting out of the logs?

We are also looking at the Splunk VMware app, but it may be a bit over our license expectations, based on the guidelines provided.

Thanks.

0 Karma
1 Solution

bbingham
Builder

The logs being produced from VMware are some of the biggest consumers of Splunk license we have today. Currently the VMware app pulls the log data from the web services API, so if you're already capturing it in syslog, you don't need to capture it again.

The engine for collecting data is very configurable and you have the option to shut off log collection. Basically, collect only the items you feel you'll want to use in the app. If you turn off those pieces of data collection, the dashboards simply won't populate.

The value of the logs really comes into play when troubleshooting ESX host-based issues. They can list things like flapping network devices or disconnected datastores.
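The two points the answer above makes, sizing the syslog feed for license planning and pulling troubleshooting value (flapping NICs, lost datastores) out of it, as an added example that is not part of the original thread. The sample lines, host names and device names are constructed; the message texts follow a generic syslog shape and are not genuine ESXi output.

```python
import re
from collections import Counter

# Constructed sample capture; hosts, NIC names and message texts are assumptions.
SAMPLE = """\
Oct 18 10:00:01 esx01 vmkernel: vmnic2: link down
Oct 18 10:00:04 esx01 vmkernel: vmnic2: link up
Oct 18 10:00:09 esx01 vmkernel: vmnic2: link down
Oct 18 10:00:12 esx01 vmkernel: vmnic2: link up
Oct 18 10:00:15 esx02 vmkernel: vmnic0: link down
Oct 18 10:00:20 esx02 vobd: datastore nfs_vol1 lost connectivity
Oct 18 10:00:25 esx02 hostd: heartbeat ok
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (\S+) \S+: (.*)$")
LINK_RE = re.compile(r"^(vmnic\d+): link (up|down)$")
DS_RE = re.compile(r"^datastore (\S+) lost connectivity$")

def parse(text):
    """Yield (host, message, bytes_on_wire) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # malformed lines are skipped rather than aborting the run
            yield m.group(1), m.group(2), len(line.encode()) + 1

def bytes_per_host(text):
    """Bytes each host contributed to the capture (newline included)."""
    totals = Counter()
    for host, _, size in parse(text):
        totals[host] += size
    return totals

def daily_mb(byte_count, window_seconds):
    """Extrapolate bytes seen in a capture window to MB/day for sizing."""
    return byte_count * 86400 / window_seconds / 1e6

def flapping_nics(text, min_transitions=3):
    """(host, nic) pairs whose link state changed min_transitions+ times."""
    changes = Counter()
    for host, msg, _ in parse(text):
        m = LINK_RE.match(msg)
        if m:
            changes[(host, m.group(1))] += 1
    return sorted(k for k, n in changes.items() if n >= min_transitions)

def lost_datastores(text):
    """(host, datastore) pairs that reported lost connectivity."""
    return sorted((h, m.group(1)) for h, msg, _ in parse(text)
                  if (m := DS_RE.match(msg)))
```

Feed a real capture and its duration into `daily_mb` per host to get a per-host license estimate; the constructed 25-second sample extrapolates to under 1 MB/day per host, which says nothing about real volumes.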


bbingham
Builder

Currently the app will collect the logs without syslog being enabled on the ESX hosts. Log data is collected through an API that VMware exposes. This log data would be an exact duplicate of the syslog data.

0 Karma

SplunkFu
Path Finder

Sorry, to clarify: are you saying that you collect syslog, or through the app deployment?

0 Karma

SplunkFu
Path Finder

That's great, thanks. Do you have it configured from each ESX host, or from vCenter (I may be wrong here, but I think I saw that you do this for aggregated results)? Also, may I ask what volumes you typically see?

0 Karma