VMware Syslog

SplunkFu
Path Finder

Hi there,

We are just doing some internal capacity predictions on our deployment, and were wondering if there were any guidelines for estimating the VMware ESX/i syslog volumes? Yes, I know this is ambiguous, but I was checking whether someone has seen any trends in their environment.

Additionally, what value have people seen in the syslog, i.e. what are they getting out of the logs?

We are also looking at the Splunk VMware app, but it may be a bit over our license expectations, based on the guidelines provided.

Thanks.

0 Karma
1 Solution

bbingham
Builder

The logs being produced from VMware are some of the biggest consumers of Splunk license we have today. Currently the VMware app pulls the log data from the web services API, so if you're already capturing it in syslog, you don't need to capture it again.

The engine for collecting data is very configurable and you have the option to shut off log collection. Basically, collect only the items you feel you'll want to use in the app. If you turn off those pieces of data collection, the dashboards simply won't populate.

The value of the logs really comes into play when troubleshooting ESX host-based issues. They can list things like flapping network devices or disconnected datastores.

bbingham
Builder

Currently the app will collect the logs without syslog being enabled on the ESX hosts. Log data is collected through an API that VMware exposes. This log data would be an exact duplicate of the syslog data.

0 Karma

SplunkFu
Path Finder

Sorry, to clarify: are you saying that you collect syslog, or through the app deployment?

0 Karma

SplunkFu
Path Finder

That's great, thanks. Do you have it configured from each ESX host, or vCenter (may be wrong here, but I think I saw that you do this for aggregated results)? Also, may I ask what volumes you typically see?

0 Karma