
Getting syslog events from VMware ESXi: Why can't I see all events?

TheExpert
Path Finder

Hi all,

I want to get the syslog events of my VMware ESXi hosts (free hypervisor) into my Splunk Enterprise (free edition).

I set up the ESXi hosts and installed the "Add-on for VMware ESXi Logs" (Splunk_TA_esxilogs 4.2.1). When I do a search with the IP address of a host, I only see events with the sourcetype "vmware:esxlog:Rhttpproxy". I'm not filtering the search by this sourcetype. And these events aren't the same as the ones I see in the syslog file of the ESXi hosts.

When only searching for "vmware" I see more sourcetypes:

[screenshot: TheExpert_0-1645710296777.png, search results showing several vmware:esxlog sourcetypes]

But again, I don't see all events. The sourcetype "syslog" is bound to my Sophos UTM firewall.

I want to get the smartd events of the ESXi hosts to see whether my SATA drives are OK. In the syslog file on the ESXi host there are such events, but I don't see them in Splunk.

Any ideas on how to see the events of the syslog file of the ESXi hosts in Splunk?

Thank you and kind regards.


justynap_ldz
Path Finder

Hi @TheExpert,
Have you solved your issue? If not, what are your local inputs.conf, props.conf and transforms.conf?


TheExpert
Path Finder

Hi @justynap_ldz,

No, I wasn't able to solve it with Splunk. I never changed anything in the .conf files you mentioned.

But I had to stop sending the syslogs of the VMware ESXi hosts to Splunk because the free quota of about 500 MB per day was exceeded by the VMware log data. I also use Splunk for the logs of my Sophos UTM to have a better tool for troubleshooting firewall and proxy issues. So there's not enough free space for the VMware syslogs.

And I found an alternative way by using VMware PowerCLI to get the SMART data from the ESXi hosts. With a PowerShell script I can read all SMART data and send a warning mail when there are issues. I can even read data that isn't shown in the syslog of the ESXi hosts.

Kind Regards

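The PowerCLI approach described in the reply above, written out as an added example (this is not the poster's script and not part of the original thread). It assumes the VMware.PowerCLI module is installed, that the host names, SMTP relay and mail addresses shown are placeholders to be replaced, and that the property names (Device, DeviceType, IsLocal, Parameter, Value, Threshold, Worst) match what `esxcli storage core device list` and `esxcli storage core device smart get` return through the V2 interface; verify them against your own host before relying on the checks.

```powershell
# Added example, not the original poster's code.
# Reads SMART attributes from local disks on each ESXi host via PowerCLI and
# mails a warning if any attribute looks unhealthy.
# Assumptions: VMware.PowerCLI installed; placeholder host/SMTP names replaced;
# esxcli V2 property names as listed in the lead-in.
Import-Module VMware.PowerCLI -ErrorAction Stop
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Scope Session -Confirm:$false | Out-Null

$esxHosts = @('esxi01.example.local', 'esxi02.example.local')   # placeholders
$cred     = Get-Credential -Message 'ESXi credentials'
$findings = @()

foreach ($h in $esxHosts) {
    $conn   = Connect-VIServer -Server $h -Credential $cred -ErrorAction Stop
    $vmhost = Get-VMHost -Server $conn
    $esxcli = Get-EsxCli -VMHost $vmhost -V2

    # Only local direct-access disks carry SMART data; skip CD-ROMs and remote LUNs.
    $devices = $esxcli.storage.core.device.list.Invoke() |
        Where-Object { $_.DeviceType -eq 'Direct-Access' -and $_.IsLocal -eq 'true' }

    foreach ($dev in $devices) {
        try {
            # Equivalent of: esxcli storage core device smart get -d <device>
            $smart = $esxcli.storage.core.device.smart.get.Invoke(@{ devicename = $dev.Device })
        } catch {
            $findings += [pscustomobject]@{ Host = $h; Device = $dev.Device
                                            Parameter = '(query failed)'; Detail = $_.Exception.Message }
            continue
        }
        foreach ($attr in $smart) {
            $bad = $false
            if ($attr.Parameter -eq 'Health Status' -and $attr.Value -ne 'OK') {
                $bad = $true
            } elseif ($attr.Value -match '^\d+$' -and $attr.Threshold -match '^\d+$' -and
                      [int]$attr.Threshold -gt 0 -and [int]$attr.Value -le [int]$attr.Threshold) {
                # SMART normalized value at or below the vendor threshold means the attribute is failing.
                $bad = $true
            }
            if ($bad) {
                $findings += [pscustomobject]@{ Host = $h; Device = $dev.Device; Parameter = $attr.Parameter
                    Detail = "Value=$($attr.Value) Threshold=$($attr.Threshold) Worst=$($attr.Worst)" }
            }
        }
    }
    Disconnect-VIServer -Server $conn -Confirm:$false
}

if ($findings.Count -gt 0) {
    $body = $findings | Format-Table -AutoSize | Out-String
    Send-MailMessage -SmtpServer 'mail.example.local' -From 'esxi-smart@example.local' `
        -To 'admin@example.local' -Subject "SMART warning: $($findings.Count) finding(s)" -Body $body
}
```

Run it from a scheduled task with a read-only ESXi account; the script only queries esxcli and never changes host state. Because threshold values of 0 mean "no threshold" for most vendors, the comparison is skipped in that case rather than flagging every zero-valued attribute.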

TheExpert
Path Finder

Hi all,

In the meantime I can see a lot more sourcetypes of VMware ESXi events in Splunk, but I still can't find the SMART information that I can see in the ESXi syslog file on the hosts themselves.

Kind Regards.
