VMware Syslog

SplunkFu
Path Finder

Hi there,

We are just doing some internal capacity predictions on our deployment, and were wondering if there are any guidelines for estimating VMware ESX/i syslog volumes. Yes, I know this is ambiguous, but I was checking whether someone has seen any trends in their environment.

Additionally, what value have people seen in the syslog, i.e. what are they getting out of the logs?

We are also looking at the Splunk VMware app, but it may be a bit over our license expectations, based on the guidelines provided.

Thanks.


bbingham
Builder

The logs produced by VMware are some of the biggest consumers of Splunk license we have today. Currently the VMware app pulls the log data from the web services API, so if you're already capturing it in syslog, you don't need to capture it again.

The engine for collecting data is very configurable and you have the option to shut off log collection. Basically, collect only the items you feel you'll want to use in the app. If you turn off those pieces of data collection, the dashboards simply won't populate.

The value of the logs really comes into play when troubleshooting ESX host-based issues. They can list things like flapping network devices or disconnected datastores.

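The capacity question above asks how to size ESX/i syslog volume. As an added example (not code from this thread or from the Splunk VMware app), the script below extrapolates per-host daily ingest from a short sample of forwarded lines and breaks it down by logging process, which is the number you need when deciding which pieces of collection to shut off. It assumes the remote-syslog line shape `<pri>ISO-timestamp host process: message`; the message bodies in the sample are constructed, not real vmkernel or hostd text.

```python
"""Estimate per-host ESXi syslog ingest from a short sample of forwarded lines.

Added example, not code from the thread or the Splunk VMware app. Assumes the
remote-syslog line shape '<pri>ISO-timestamp host process: message'; every
message body in SAMPLE is constructed, not real vmkernel/hostd text."""
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample: 30 seconds of lines as a syslog collector might receive them.
SAMPLE = """\
<14>2024-03-01T00:00:00Z esx01 Hostd: info hostd[2099311] constructed heartbeat
<14>2024-03-01T00:00:05Z esx01 vmkernel: cpu3:2097584)constructed: link down vmnic2
<14>2024-03-01T00:00:07Z esx01 vmkernel: cpu3:2097584)constructed: link up vmnic2
<14>2024-03-01T00:00:10Z esx02 Vpxa: verbose vpxa[2101512] constructed vCenter poll
<14>2024-03-01T00:00:20Z esx02 vmkernel: cpu1:2097330)constructed: datastore ds01 lost
not a syslog line at all
<14>2024-03-01T00:00:30Z esx01 Hostd: info hostd[2099311] constructed heartbeat
"""

LINE = re.compile(r"^<\d{1,3}>(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:\s]+): (?P<msg>.*)$")

def estimate_daily_ingest(sample: str) -> dict:
    """Extrapolate bytes/day and events/day per host from the sample's own time span.
    Raw line length approximates what a licence meter charges per event; lines
    that do not parse are skipped, and a sample with no time span is rejected."""
    stats = defaultdict(lambda: {"sample_bytes": 0, "sample_events": 0, "by_process": Counter()})
    times = []
    for line in sample.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        times.append(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"))
        h = stats[m["host"]]
        h["sample_bytes"] += len(line.encode("utf-8"))
        h["sample_events"] += 1
        h["by_process"][m["proc"]] += 1  # per-process split shows which collection to drop
    span = (max(times) - min(times)).total_seconds() if times else 0
    if span <= 0:
        raise ValueError("sample must span more than zero seconds to extrapolate")
    scale = 86400 / span  # seconds per day over seconds observed
    for h in stats.values():
        h["bytes_per_day"] = round(h["sample_bytes"] * scale)
        h["events_per_day"] = round(h["sample_events"] * scale)
    return dict(stats)

if __name__ == "__main__":
    for host, h in sorted(estimate_daily_ingest(SAMPLE).items()):
        print(f"{host}: ~{h['bytes_per_day'] / 1e6:.2f} MB/day, "
              f"{h['events_per_day']} events/day, by process {dict(h['by_process'])}")
```

Feed it a few minutes of real collector output rather than the constructed sample; the longer the window, the less the heartbeat-to-burst ratio skews the daily figure.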

bbingham
Builder

Currently the app will collect the logs without syslog being enabled on the ESX hosts. Log data is collected through an API that VMware exposes. This log data would be an exact duplicate of the syslog data.


SplunkFu
Path Finder

Sorry, to clarify: are you saying that you collect syslog, or through the app deployment?


SplunkFu
Path Finder

That's great, thanks. Do you have it configured from each ESX host, or vCenter (I may be wrong here, but I think I saw that you do this for aggregated results)? Also, may I ask what volumes you typically see?
