Hello all,
I am reviewing the Splunk add-on for vCenter Log and the Splunk add-on for VMware ESXi logs guides and have the following question: Are both required in an environment where vCenter is present, or is the Splunk add-on for VMware ESXi logs not necessary if so?
Or in other words, is the add-on for VMware ESXi just for simple bare metal installs that do not use vCenter? Are ESXi builds with vCenter sending all of the ESXi logs up to vCenter anyhow and one needs only use the add-on for vCenter?
Second question, am I reading correctly that the add-on for vCenter requires BOTH a syslog output and a vCenter user account for API access?
Hi @token2
I disagree with some of the information in the markdown posted on the other post, specifically around the API usage ("Gathers performance data through the vCenter API") - This is not correct, neither of the apps mentioned connect to the API, the vCenter app uses syslog+monitor inputs (file monitoring) to pick up events, the ESXi app is purely syslog.
The Splunk_TA_vcenter (Splunk Add-on for vCenter Log) should be installed on a Splunk Universal Forwarder running on the vCenter Server host, so it can monitor vCenter log files directly from the filesystem. This takes vCenter logs only, which last time I checked didn't seem to have the individual ESXi logs.
The Splunk Add-on for VMware ESXi Logs should be installed on a Splunk forwarder or heavy forwarder that is receiving syslog data from the ESXi hosts, if you install this on the same host as the vCenter app then ensure you use a unique syslog port for this so the sourcetype field extractions can work correctly.
If you want performance info/metrics etc then you need "Splunk Add-on for VMware Metrics":
The Splunk Add-on for VMware Metrics is a collection of add-ons used to collect and transform the Performance, Inventory, Tasks, and Events data from VMware vCenters, ESXi hosts, and virtual machines. The Splunk Add-on for VMware Metrics contains the following components: Splunk_TA_vmware_inframon - Runs a Python-based API data collection engine, collects data from VMware vSphere environment, and performs field extractions for VMware data. SA-Hydra-inframon.
Depending on your use case you might prefer to use all, or a specific subset, of the many VMware apps available! Please let me know if you want further clarity on any of these and feel free to share your use cases so we can help refine which apps might benefit you.
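The separate-port setup the answer above recommends, written out as an inputs.conf fragment for the forwarder that receives both syslog streams. This is an added example, not the add-ons' packaged configuration; the port numbers, index names and the vCenter sourcetype placeholder are assumptions.

```ini
# inputs.conf on the receiving forwarder (added example, not shipped with either add-on).
# Each stream gets its own listener so the sourcetype, and therefore the props/transforms
# of the matching add-on, is applied to the right events.

# ESXi hosts send here. vmw-syslog is the sourcetype the Splunk Add-on for VMware
# ESXi Logs keys its field extractions on. Port and index are assumed values.
[udp://1514]
sourcetype = vmw-syslog
index = vmware-esxilog
connection_host = ip
no_appending_timestamp = true

# vCenter sends here, on a different port. Replace the placeholder with the syslog
# sourcetype documented for the installed version of the vCenter add-on.
[udp://1515]
sourcetype = <vcenter_syslog_sourcetype>
index = vmware-vclog
connection_host = ip
no_appending_timestamp = true
```

If both senders are pointed at the same port, every event carries one sourcetype and one add-on's extractions silently fail on the other's data; a quick check is to search each index and confirm the expected fields are populated.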
Hi @token2,
To answer your questions about the VMware add-ons:
## Do You Need Both Add-ons?
No, you don't necessarily need both add-ons in an environment with vCenter, but using both provides more complete visibility. Here's why:
1. Splunk Add-on for vCenter:
   a. Collects vCenter-specific logs and metrics
   b. Gathers performance data through the vCenter API
   c. Collects vCenter Server events, tasks, and alarms
   d. Can collect some forwarded ESXi logs that vCenter has received (if configured to do so)
2. Splunk Add-on for VMware ESXi:
   a. Collects ESXi host-specific logs directly from each host
   b. Captures detailed host-level events that may not all be forwarded to vCenter
   c. Provides more granular host-level monitoring
   d. Essential for troubleshooting host-specific issues
While vCenter does collect many ESXi logs, it doesn't necessarily collect everything. Some detailed ESXi logs remain local to the hosts and aren't forwarded to vCenter, especially debug-level logs and certain system events. Collecting directly from ESXi hosts gives you more complete visibility.
## Collection Methods for vCenter Add-on
Yes, the Splunk Add-on for vCenter typically utilizes both collection methods:
1. Syslog collection:
   a. For operational logs and events from vCenter
   b. Requires configuring vCenter to forward logs via syslog
2. API access:
   a. For performance metrics, inventory, and task/event data
   b. Requires a vCenter user account with appropriate permissions
   c. Uses REST API calls to gather data
This dual-collection approach gives you both operational logs and rich performance/configuration data.
## Recommended Setup
For a complete VMware monitoring solution with vCenter:
1. If complete visibility is important:
   a. Install both add-ons
   b. Configure syslog from both vCenter and all ESXi hosts
   c. Set up API collection from vCenter
2. If you have resource constraints or simpler needs:
   a. Install the vCenter add-on only
   b. Ensure vCenter is configured to collect as many ESXi logs as possible
   c. You'll miss some host-specific details but will have good overall visibility
3. If you have a very large environment:
   a. Install both add-ons
   b. Consider selective monitoring of critical ESXi hosts only
   c. Use the vCenter add-on for broad monitoring and the ESXi add-on for deep dive into important hosts
The biggest advantage of using both add-ons is the additional context and detail you get from direct ESXi host monitoring, especially valuable for troubleshooting host-specific issues that might not be fully visible through vCenter alone.
Hope this helps clarify your VMware monitoring options in Splunk!
Please give 👍 for support 😁 happy splunking .... 😎