Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Getting syslog events from VMware ESXi: Why can't I see all events?

TheExpert
Path Finder
‎02-24-2022 05:39 AM

Hi all,

I want to get the syslog events of my VMware ESXi hosts (free hypervisor) in my splunk Enterprise (free edition).

I set up the ESXi hosts and installed the "Add-on for VMware ESXi Logs" (Splunk_TA_esxilogs 4.2.1). When I do a search with the IP address of a host, I only see events with the sourcetype "vmware:esxlog:Rhttpproxy". I'm not filtering the search with this sourcetype. And these events aren't the same I see in the syslog file of the ESXi hosts.

When only searching for "vmware" I see more sourcetypes:

TheExpert_0-1645710296777.png

But again, I don't see all events. The sourcetype "syslog" is binded to my Sophos UTM firewall.

I want to get the events of smartd of the ESXi hosts for seeing if my SATA drives are OK. In the syslog file on the ESXi host there are events but I don't see them in splunk.

Any ideas, how to see the events of the syslog file of the ESXi hosts in splunk?

Thank You and kind Regards.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

justynap_ldz
Path Finder
‎03-25-2022 01:38 AM

Hi @TheExpert,
Have you solved your issue? If not, what are you local inputs.conf,  props.conf and transforms.conf?

0 Karma
Reply

TheExpert
Path Finder
‎03-25-2022 08:39 AM

Hi @justynap_ldz,

no I wasn't able to solve it with Splunk. I never changed something in the .conf files you mentioned.

But I had to stop sending the syslogs of the VMware ESXi hosts to Splunk because the free amount about 500 MB per day was overloaded by the VMware log data. I also use Splunk for the logs of my Sophos UTM to have a better tool for troubleshooting firewall and proxy issues. So there's not enough free space for the VMware syslogs.

And i found an alternative way by using VMware PowerCLI to get the SMART data from the ESXi hosts. With a PowerShell script I can read all SMART data and send a warning mail when there are issues. Í even can read data that isn't shown in the syslog of the ESXi hosts.

Kind Regards

0 Karma
Reply

TheExpert
Path Finder
‎03-03-2022 10:24 PM

Hi all,

in the meantime I can see lot more sourcetypes of VMware ESXi events in Splunk but I still can't find SMART information which I can see in the ESXi syslog file on the hosts itself.

Kind Regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top