
VMware Syslog

SplunkFu
Path Finder

Hi there,

We are just doing some internal capacity predictions on our deployment, and I was wondering if there are any guidelines for estimating VMware ESX/i syslog volumes. Yes, I know this is ambiguous, but I was checking whether someone has seen any trends in their environment.

Additionally, what value have people seen in the syslog, i.e. what are they getting out of the logs?

We are also looking at the Splunk VMware app, but it may be a bit over our license expectations, based on the guidelines provided.

Thanks.

0 Karma
1 Solution

bbingham
Builder

The logs being produced from VMware are some of the biggest consumers of Splunk license we have today. Currently the VMware app pulls the log data from the web services API, so if you're already capturing it in syslog, you don't need to capture it again.

The engine for collecting data is very configurable and you have the option to shut off log collection. Basically, collect only the items you feel you'll want to use in the app. If you turn off those pieces of data collection, the dashboards simply won't populate.

The value of the logs really comes into play when troubleshooting ESX host-based issues. They can list things like flapping network devices or disconnected datastores.

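Added example (not code from the thread, from Splunk or from the VMware app): a small script that does the two things the answer above talks about, sizing the syslog feed per host before it hits your license, and pulling the host-level faults (flapping NICs, lost datastores) out of the same lines. The log lines are constructed to approximate the ESXi vmkernel/hostd syslog layout; their exact wording, the flap window and the flap threshold are assumptions, not a spec.

```python
"""Size ESX/i syslog per host and flag host-level faults.

Added example, not from the original thread or the Splunk VMware app.
The sample log is constructed; message wording is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: two hosts over an 8-minute window, including a
# NIC flap burst and a datastore connectivity loss.
SAMPLE_LOG = """\
2013-05-14T10:00:00Z esx01 vmkernel: cpu3:2049)<6>vmnic2: link is down
2013-05-14T10:00:04Z esx01 vmkernel: cpu3:2049)<6>vmnic2: link is up
2013-05-14T10:00:09Z esx01 vmkernel: cpu3:2049)<6>vmnic2: link is down
2013-05-14T10:00:12Z esx01 vmkernel: cpu3:2049)<6>vmnic2: link is up
2013-05-14T10:02:30Z esx02 vmkernel: cpu1:2048)Lost access to volume 5a1b-deadbeef (datastore01) due to connectivity issues
2013-05-14T10:05:00Z esx02 hostd: [A1B2C3] Event 1234 : User root@10.0.0.5 logged in as VMware-client
2013-05-14T10:08:00Z esx01 hostd: [D4E5F6] Task Completed : haTask-vim.HostSystem.reconnect
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")
LINK_RE = re.compile(r"(?P<nic>vmnic\d+): link is (?P<state>up|down)")
DATASTORE_RE = re.compile(r"Lost access to volume \S+ \((?P<ds>[^)]+)\)")
FLAP_WINDOW_S = 60   # assumption: transitions inside this window form one episode
FLAP_THRESHOLD = 3   # assumption: this many transitions in a window is "flapping"


def parse(text):
    """Parse syslog lines into dicts; lines that don't match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]})
    return events


def bytes_by_host(text):
    """Raw bytes per host, newline included, since that is what gets indexed.
    Lines that don't parse still consume license, so they are attributed to
    '_unparsed' rather than silently dropped."""
    totals = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        totals[m["host"] if m else "_unparsed"] += len(line.encode("utf-8")) + 1
    return dict(totals)


def observed_span_seconds(events):
    """Wall-clock span covered by the sample (at least 1 s to avoid division by zero)."""
    stamps = [e["ts"] for e in events]
    return max((max(stamps) - min(stamps)).total_seconds(), 1.0)


def projected_gb_per_day(text):
    """Linear projection of bytes/day per host from the sample's span.
    Caveat: a short sample dominated by a burst (like the flap above)
    overestimates badly; sample a full day, ideally a week, before sizing."""
    span = observed_span_seconds(parse(text))
    return {h: b * 86400 / span / 1e9 for h, b in bytes_by_host(text).items()}


def detect_link_flaps(events):
    """Return {(host, nic): total_transitions} for NICs with at least
    FLAP_THRESHOLD link transitions inside any FLAP_WINDOW_S window."""
    transitions = defaultdict(list)
    for e in events:
        m = LINK_RE.search(e["msg"])
        if m:
            transitions[(e["host"], m["nic"])].append(e["ts"])
    flapping = {}
    for key, stamps in transitions.items():
        stamps.sort()
        left = 0
        for right in range(len(stamps)):           # sliding window over sorted stamps
            while (stamps[right] - stamps[left]).total_seconds() > FLAP_WINDOW_S:
                left += 1
            if right - left + 1 >= FLAP_THRESHOLD:
                flapping[key] = len(stamps)
                break
    return flapping


def detect_lost_datastores(events):
    """Return [(host, datastore, ts)] for every connectivity-loss message."""
    found = []
    for e in events:
        m = DATASTORE_RE.search(e["msg"])
        if m:
            found.append((e["host"], m["ds"], e["ts"]))
    return found


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("bytes by host:", bytes_by_host(SAMPLE_LOG))
    print("projected GB/day (crude):", projected_gb_per_day(SAMPLE_LOG))
    print("flapping NICs:", detect_link_flaps(evts))
    print("lost datastores:", detect_lost_datastores(evts))
```

Feed it a day or a week of real syslog from one representative host per hardware class rather than the eight minutes shown here; the projection is only as good as the sample, and a host mid-flap will look many times noisier than its steady-state rate.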


bbingham
Builder

Currently the app will collect the logs without syslog being enabled on the ESX hosts. Log data is collected through an API that VMware exposes. This log data would be an exact duplicate of the syslog data.

0 Karma

SplunkFu
Path Finder

Sorry, to clarify: are you saying that you collect syslog, or through the app deployment?

0 Karma

SplunkFu
Path Finder

That's great, thanks. Do you have it configured from each ESX host, or from vCenter (I may be wrong here, but I think I saw that you do this for aggregated results)? Also, may I ask what volumes you typically see?

0 Karma