Getting Data In

How to set alarms from vCenter with HEC token?

olivera
Explorer

I want to monitor my all hosts, esxi's, etc in my vCenter environment. I am working in a distributed environment and I want to send all alarms (for errors) and all data that can help me to ensure that the health of my vcenter environment is good.

Can someone please help and send me the steps in order to do that? It will be helpful to also add tutorials or  documentation for each part.

(I don't know for example in what component to enable the HEC token or how to use API to send the alarms from vCenter to my Splunk)

0 Karma

gballanti
Explorer

Hello,

to send syslog from vcenter to Splunk (in this case):

1. open the vCenter service appliance (https://vcenter-ip:5480) and log in with the root or admin account
2. in the Syslog section add the receiver: IP, protocol, port (check if it works with "Send test message")

The receiver could be a machine with UF or HF where you configured a syslog service (rsyslog or syslog-ng) so you adhere to the splunk best practices (use file instead of network connection).

As I remember, the next step is setting the level of log from General in the vSphere environment.

I'm not really sure because I'm not an expert in VMware; if you need the Alerts, they can be sent with SNMP Traps.

Have you had a look at Splunkbase as well?


0 Karma

PickleRick
SplunkTrust

Why did you choose HEC and not any other means of generating events? (like syslog, for example).


0 Karma

olivera
Explorer

I am now considering all options. Can you explain more about the syslog solution and how to do it?

0 Karma

PickleRick
SplunkTrust

OK. If it works in vCenter the same as described here https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.monitoring.doc/GUID-8F833B44-E675-4...

You're limited to email/SNMP traps out of the box. (SNMP should be processable with SC4SNMP - https://splunk.github.io/splunk-connect-for-snmp/main/)

Other than that you have to create some script on your own - you might send a simple syslog message, you might indeed POST an event via HEC. Syslog is probably easier to set up on the source side but has its limitations, especially if sent over UDP.

0 Karma
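To make the "script on your own" option concrete, here is an added example (not code from the thread, from VMware or from Splunk) of what such a script on the vCenter side would do: it builds the JSON body that Splunk HEC expects for one alarm, POSTs it over TLS with certificate verification left on, and, as the alternative the reply mentions, also builds an RFC 5424 syslog line so the same alarm can be sent to a syslog receiver over TCP. The HEC URL, index, sourcetype, host name and the sample alarm are assumptions; the VMWARE_ALARM_* environment variable names are the ones VMware documents for "run a script" alarm actions and are assumed to be set when vCenter runs the script.

```python
"""Added example: forward a vCenter alarm to Splunk via HEC, or as syslog.

Not from the thread, VMware or Splunk. URL, index, sourcetype, host name
and the sample alarm below are assumed placeholders.
"""
import json
import os
import socket
import ssl
import time
import urllib.request
from datetime import datetime, timezone

# Assumed values; replace with your own Splunk HEC endpoint and index.
HEC_URL = "https://splunk-hf.example.internal:8088/services/collector/event"
HEC_INDEX = "vmware"
HEC_SOURCETYPE = "vmware:vcenter:alarm"
SYSLOG_RECEIVER = ("syslog-hf.example.internal", 514)

# Constructed sample alarm, shaped like what alarm_from_env() returns.
SAMPLE_ALARM = {
    "name": "Host connection state",
    "status": "red",
    "target": "esxi-01",
    "description": "Host is not responding",
}


def alarm_from_env(env) -> dict:
    """Map the environment variables vCenter sets for a 'run a script' alarm
    action (VMware's documented VMWARE_ALARM_* names; assumed present) to a
    small dict. Missing values become 'unknown' rather than raising."""
    return {
        "name": env.get("VMWARE_ALARM_NAME", "unknown"),
        "status": env.get("VMWARE_ALARM_NEWSTATUS", "unknown").lower(),
        "target": env.get("VMWARE_ALARM_TARGET_NAME", "unknown"),
        "description": env.get("VMWARE_ALARM_EVENTDESCRIPTION", ""),
    }


def build_hec_event(alarm: dict, epoch: float, host: str = "vcenter01") -> dict:
    """Return the JSON body Splunk HEC expects for one event.

    'time' carries the epoch timestamp so Splunk indexes the alarm at the
    time vCenter raised it rather than when it arrived; the alarm fields go
    under 'event' so they are searchable as structured fields."""
    return {
        "time": epoch,
        "host": host,
        "source": "vcenter:alarm-action",
        "sourcetype": HEC_SOURCETYPE,
        "index": HEC_INDEX,
        "event": {
            "alarm_name": alarm["name"],
            "status": alarm["status"],       # red / yellow / green
            "target": alarm["target"],       # host, VM or datastore the alarm fired on
            "description": alarm["description"],
        },
    }


def send_hec(body: dict, token: str, timeout: float = 5.0) -> dict:
    """POST one event to HEC. The default SSL context verifies the server
    certificate; Splunk answers {"text": "Success", "code": 0} on success."""
    req = urllib.request.Request(
        HEC_URL,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


def build_syslog_line(alarm: dict, epoch: float, host: str = "vcenter01") -> str:
    """RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG.
    Facility local0 (16); severity err (3) for a red alarm, warning (4) otherwise."""
    severity = 3 if alarm["status"] == "red" else 4
    pri = 16 * 8 + severity
    ts = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat().replace("+00:00", "Z")
    msg = (f"alarm={json.dumps(alarm['name'])} status={alarm['status']} "
           f"target={json.dumps(alarm['target'])} desc={json.dumps(alarm['description'])}")
    return f"<{pri}>1 {ts} {host} vcenter-alarm - - - {msg}"


def send_syslog_tcp(line: str, receiver=SYSLOG_RECEIVER, timeout: float = 5.0) -> None:
    """Send one syslog line over TCP (newline-framed), avoiding the silent
    loss the reply warns about with UDP."""
    with socket.create_connection(receiver, timeout=timeout) as sock:
        sock.sendall((line + "\n").encode())


if __name__ == "__main__":
    alarm = alarm_from_env(os.environ)
    token = os.environ["SPLUNK_HEC_TOKEN"]  # keep the token out of the script file
    print(send_hec(build_hec_event(alarm, time.time()), token))
```

Store the HEC token in the environment (or a file readable only by the account vCenter runs the script as) rather than in the script, keep certificate verification on so the token is not sent to an impostor collector, and if you take the syslog route use TCP (or TLS) to the receiver so a dropped packet does not mean a lost alarm.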

olivera
Explorer

Can you please tell me the basic steps for how to do it? I feel lost in the documentation 😞

0 Karma

PickleRick
SplunkTrust

SC4SNMP? I have no idea. Never used it before.

Other methods require creating an input on Splunk's side (which is relatively well described in several places in the Splunk docs - for example here https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/UsetheHTTPEventCollector in the case of HEC, or here https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports in the case of "syslog" inputs). But it would also require some scripting on the vCenter side, and here I can't help you.

0 Karma