Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to set alarms from vCenter with HEC token?

olivera
Explorer
‎01-24-2023 03:25 AM

I want to monitor my all hosts, esxi's, etc in my vCenter environment. I am working in a distributed environment and I want to send all alarms (for errors) and all data that can help me to ensure that the health of my vcenter environment is good.

Can someone please help and send me the steps in order to do that? It will be helpful to also add tutorials or  documentation for each part.

(I don't know for example in what component to enable the HEC token or how to use API to send the alarms from vCenter to my Splunk)

Labels (3)
0 Karma
Reply

gballanti
Explorer
‎01-25-2023 04:29 AM

Hello,

to send syslog from vcenter to Splunk (in this case):

1. open the the vcenter service appliance (https://vcenter-ip:5480) log with root or admin account
2. in Syslog section add the receiver: IP, protocol, port (check if it works with "Send test message")

The receiver could be a machine with UF or HF where you configured a syslog service (rsyslog or syslog-ng) so you adhere to the splunk best practices (use file instead of network connection).

As i remember the next step is setting the level of log from General in vsphere environment.

I'm not really sure cause not an expert in VMware, if you need the Alerts they can be sent with SNMP Traps.

Have you had a look to splunkbase as well?

 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 03:47 AM

Why did you choose HEC and not any other means of generating events? (like syslog, for example).

 

0 Karma
Reply

olivera
Explorer
‎01-24-2023 04:09 AM

I am now considering all options.  Can you explain more about the syslog solution and how to do it?

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 04:22 AM

OK. If it works in vCenter the same as described in here https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.monitoring.doc/GUID-8F833B44-E675-4...

You're limited to email/SNMP traps out of the box. (SNMP should be processable with SC4SNMP - https://splunk.github.io/splunk-connect-for-snmp/main/)

Other than that you have to create some script on your own - you might send a simple syslog message, you might indeed POST an event via HEC. Syslog is proably easier to set up on the source side but has its limitations, especially if sent over UDP.

0 Karma
Reply

olivera
Explorer
‎01-24-2023 05:51 AM

Can you please tell me the basic steps for how to do it? I feel lost in the documentation  😞

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-24-2023 08:17 AM

SC4SNMP? Have no idea. Never used it before.

Other methods require creating an input on Splunk's side (which is relatively well described in several places in Splunk docs - for example here https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/UsetheHTTPEventCollector in case of HEC or here https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports in case of "syslog" inputs. But it would also require some scripting on vcenter side and here I can't help you.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...