Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Getting syslog events from VMware ESXi: Why can't I see all events?

TheExpert
Path Finder
‎02-24-2022 05:39 AM

Hi all,

I want to get the syslog events of my VMware ESXi hosts (free hypervisor) in my splunk Enterprise (free edition).

I set up the ESXi hosts and installed the "Add-on for VMware ESXi Logs" (Splunk_TA_esxilogs 4.2.1). When I do a search with the IP address of a host, I only see events with the sourcetype "vmware:esxlog:Rhttpproxy". I'm not filtering the search with this sourcetype. And these events aren't the same I see in the syslog file of the ESXi hosts.

When only searching for "vmware" I see more sourcetypes:

TheExpert_0-1645710296777.png

But again, I don't see all events. The sourcetype "syslog" is binded to my Sophos UTM firewall.

I want to get the events of smartd of the ESXi hosts for seeing if my SATA drives are OK. In the syslog file on the ESXi host there are events but I don't see them in splunk.

Any ideas, how to see the events of the syslog file of the ESXi hosts in splunk?

Thank You and kind Regards.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

justynap_ldz
Path Finder
‎03-25-2022 01:38 AM

Hi @TheExpert,
Have you solved your issue? If not, what are you local inputs.conf,  props.conf and transforms.conf?

0 Karma
Reply

TheExpert
Path Finder
‎03-25-2022 08:39 AM

Hi @justynap_ldz,

no I wasn't able to solve it with Splunk. I never changed something in the .conf files you mentioned.

But I had to stop sending the syslogs of the VMware ESXi hosts to Splunk because the free amount about 500 MB per day was overloaded by the VMware log data. I also use Splunk for the logs of my Sophos UTM to have a better tool for troubleshooting firewall and proxy issues. So there's not enough free space for the VMware syslogs.

And i found an alternative way by using VMware PowerCLI to get the SMART data from the ESXi hosts. With a PowerShell script I can read all SMART data and send a warning mail when there are issues. Í even can read data that isn't shown in the syslog of the ESXi hosts.

Kind Regards

0 Karma
Reply

TheExpert
Path Finder
‎03-03-2022 10:24 PM

Hi all,

in the meantime I can see lot more sourcetypes of VMware ESXi events in Splunk but I still can't find SMART information which I can see in the ESXi syslog file on the hosts itself.

Kind Regards.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...