Re: Adding ESX hosts to an existing Splunk server

mikeyw · ‎10-10-2012

Hi,

I've inherited a splunk server that was setup to receive to vmkwarning files from around 20 ESX hosts.

Recently i built another 5 hosts running ESX5 that i'd like to also get the vmkwarning files sent to the splunk server, what's the best guide to show me how to do this ?

I presume some kind of splunk forwarding agent has to reside on the ESX host ?

Thanks

mikeyw · ‎10-11-2012

Any further thoughts here guys ?

sdaniels · ‎10-10-2012

Yes, you'll need to install a splunk forwarder on the ESX host. Then you'll set up file monitoring. Take a look at one of your existing ESX server forwarders. You should find settings in /etc/system/local/ in outputs.conf and inputs.conf. Outputs will have the settings for communicating back to the Splunk server and inputs.conf has the details of the file being monitored. In this case probably /var/log/vmkwarning.log.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Deploymentoverview

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories

mikeyw · ‎10-10-2012

I've just checked on a couple of ESX hosts that the splunk server is collecting log information from and did a global find for both outputs.conf and inputs.conf, nothing was returned. What is the default location for the splunk forwarders on a ESX node ?

Adding ESX hosts to an existing Splunk server

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation