How to get VMware Per VM Log files into Splunk (vmware.log)?

steubens
New Member

Hi, can anyone tell us how to get "Per VM" log files into Splunk? We already have ESX syslog output going to Splunk as well as the vCenter log collector, but what I want to see in Splunk for troubleshooting is the contents of the log files that are produced by each VM inside its VMFS folder as it runs. The log file is called "vmware.log" and is rolled off to subsequent vmware-n.log files every so often by the ESX server. If we can get the live contents of vmware.log streaming into Splunk just like syslog does for the host, that would be AWESOME!

thanks in advance.

0 Karma

lguinn2
Legend

If only there was a Splunk forwarder for ESXi! (Which VMware is unlikely to ever allow.) As sk314 suggests, you could use the API. It's not trivial, but you may be able to find some tutorials, etc. on the Internet.

Also, http://www.vmware.com/products/esxi-and-esx/management.html says "vSphere exposes logs from all system components using industry-standard syslog format, with the ability to send logs to a central logging server." However, the ESXi syslog only captures ESXi-level events. It looks like you are already doing this.

But this may work to add the vmware.log info to the ESXi syslog:

For each VM, edit the .vmx file setting as follows:

vmx.log.destination = "syslog-and-disk"

Or do it via the advanced settings for a VM in the vSphere client. This should keep the normal vmware.log, but also write the events to the ESXi syslog.

Finally, you might want to take a look at Splunk's VMware app, but the app might be overkill if this is all that you want to do...

0 Karma

splunkreal
Motivator

This works:

https://docs.splunk.com/Documentation/AddOns/released/VMW/VMwareAPI

Navigate to your virtual machine .vmx file.

-> Add vmx.log.destination = "syslog-and-disk" to your virtual machine .vmx file.
-> Name your VM log entry. (Example: vmx.log.syslogID = vmx[splunkdata])

Check the log entry in /var/log/syslog of your ESXi host to verify the syslog is being forwarded.

* If this helps, please upvote or accept solution 🙂 *
0 Karma
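The two answers above (lguinn2's and splunkreal's) describe the same procedure: set vmx.log.destination and vmx.log.syslogID in the VM's .vmx file, then confirm the tagged lines show up in the ESXi syslog. The POSIX shell script below is an added example, not code from the thread or from VMware, that does the edit idempotently (replacing an existing key rather than appending a duplicate, which would leave the VM with two conflicting lines) and checks a syslog file for the chosen ID. The .vmx content, the syslog line and the paths are constructed samples; the one-`key = "value"`-per-line layout of .vmx files and the assumption that the log tag appears verbatim in the syslog line are assumptions, not something the page states.

```shell
#!/bin/sh
# Added example (not from the thread): idempotently set the vmx.log.* keys
# that forward a VM's vmware.log to the ESXi syslog, then verify the tag.
# Assumptions: the .vmx holds one `key = "value"` per line, and the syslog
# line contains the syslogID verbatim. Run against a COPY of the .vmx, or
# against the real file only with the VM powered off (ESXi rewrites the
# .vmx on reconfigure, so edits to a running VM can be lost).

# set_vmx_key FILE KEY VALUE: replace an existing `KEY = "..."` line,
# otherwise append one. Uses a temp file + mv rather than `sed -i`,
# which differs between GNU sed and the busybox sed on ESXi.
set_vmx_key() {
    file=$1; key=$2; value=$3
    if grep -q "^$key[[:space:]]*=" "$file"; then
        # Escape &, / and \ so the value is safe as a sed replacement.
        esc=$(printf '%s' "$value" | sed 's/[&/\]/\\&/g')
        sed "s/^$key[[:space:]]*=.*/$key = \"$esc\"/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = "%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_vmx_key FILE KEY: print the unquoted value of KEY (last match wins).
get_vmx_key() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*\"\(.*\)\"[[:space:]]*$/\1/p" "$1" \
        | tail -n 1
}

# syslog_has_vm_log FILE SYSLOGID: exit 0 if any line carries the literal tag.
# -F: the tag contains brackets, which must not be read as a regex class.
syslog_has_vm_log() {
    grep -qF "$2" "$1"
}

# Stand-alone demo on constructed files in a temp directory.
demo() {
    d=$(mktemp -d)
    cat > "$d/web01.vmx" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
vmx.log.destination = "disk"
EOF
    set_vmx_key "$d/web01.vmx" vmx.log.destination syslog-and-disk
    set_vmx_key "$d/web01.vmx" vmx.log.syslogID 'vmx[splunkdata]'
    echo "--- resulting web01.vmx (constructed sample) ---"
    cat "$d/web01.vmx"
    # Constructed syslog line in the shape of an ESXi vmx entry.
    printf '2024-05-01T10:00:00Z esx01 vmx[splunkdata]: VMX started\n' \
        > "$d/syslog.log"
    if syslog_has_vm_log "$d/syslog.log" "$(get_vmx_key "$d/web01.vmx" vmx.log.syslogID)"; then
        echo "syslog tag found: VM log is reaching the ESXi syslog"
    else
        echo "syslog tag NOT found: check the .vmx and the ESXi syslog config"
    fi
    rm -rf "$d"
}

demo
```

On a real host, point set_vmx_key at /vmfs/volumes/<datastore>/<vm>/<vm>.vmx with the VM powered off, and point syslog_has_vm_log at whatever syslog file your ESXi version writes (the answer above names /var/log/syslog). Once the tag is visible locally, the same lines ride the host's existing syslog forwarding to Splunk, and the syslogID you chose is the field to search or to route with in props/transforms.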

sk314
Builder

You could try using the vSphere SDK for this?

0 Karma