Getting Data In

How to set alarms from vCenter with HEC token?

olivera
Explorer

I want to monitor all my hosts, ESXi's, etc. in my vCenter environment. I am working in a distributed environment and I want to send all alarms (for errors) and all data that can help me to ensure that the health of my vCenter environment is good.

Can someone please help and send me the steps in order to do that? It will be helpful to also add tutorials or documentation for each part.

(I don't know, for example, in what component to enable the HEC token or how to use the API to send the alarms from vCenter to my Splunk)

0 Karma

gballanti
Explorer

Hello,

To send syslog from vCenter to Splunk (in this case):

1. Open the vCenter service appliance (https://vcenter-ip:5480) and log in with the root or admin account.
2. In the Syslog section, add the receiver: IP, protocol, port (check if it works with "Send test message").

The receiver could be a machine with UF or HF where you configured a syslog service (rsyslog or syslog-ng) so you adhere to the Splunk best practices (use file instead of network connection).

As I remember, the next step is setting the log level from General in the vSphere environment.

I'm not really sure because I'm not an expert in VMware; if you need the alerts, they can be sent with SNMP traps.

Have you had a look at Splunkbase as well?

0 Karma

PickleRick
Ultra Champion

Why did you choose HEC and not any other means of generating events? (like syslog, for example).

0 Karma

olivera
Explorer

I am now considering all options. Can you explain more about the syslog solution and how to do it?

0 Karma

PickleRick
Ultra Champion

OK. If it works in vCenter the same as described here https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.monitoring.doc/GUID-8F833B44-E675-4...

You're limited to email/SNMP traps out of the box. (SNMP should be processable with SC4SNMP - https://splunk.github.io/splunk-connect-for-snmp/main/)

Other than that you have to create some script on your own - you might send a simple syslog message, you might indeed POST an event via HEC. Syslog is probably easier to set up on the source side but has its limitations, especially if sent over UDP.

0 Karma

olivera
Explorer

Can you please tell me the basic steps for how to do it? I feel lost in the documentation 😞

0 Karma

PickleRick
Ultra Champion

SC4SNMP? Have no idea. Never used it before.

Other methods require creating an input on Splunk's side (which is relatively well described in several places in Splunk docs - for example here https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/UsetheHTTPEventCollector in case of HEC or here https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports in case of "syslog" inputs). But it would also require some scripting on vCenter side and here I can't help you.

0 Karma
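Added example (not part of the thread and not code from any poster, VMware or Splunk): a sketch of the "script that POSTs an event via HEC" idea discussed above. It assumes the script is attached to a vCenter alarm as a "run script" action, which passes alarm details in `VMWARE_ALARM_*` environment variables; the `SPLUNK_HEC_URL`, `SPLUNK_HEC_TOKEN` and `SPLUNK_CA_FILE` variable names, the `vmware:alarm` sourcetype and the sample values are hypothetical.

```python
import json, os, ssl, time, urllib.request

# Assumption: started by a vCenter alarm "run script" action, which exports
# the alarm details as VMWARE_ALARM_* environment variables.
ALARM_VARS = ("VMWARE_ALARM_NAME", "VMWARE_ALARM_TARGET_NAME",
              "VMWARE_ALARM_OLDSTATUS", "VMWARE_ALARM_NEWSTATUS",
              "VMWARE_ALARM_TRIGGERINGSUMMARY")

def build_event(env, now=None):
    """Map alarm variables to an HEC event envelope; unset variables are skipped."""
    fields = {k[len("VMWARE_ALARM_"):].lower(): env[k] for k in ALARM_VARS if env.get(k)}
    if "name" not in fields:
        raise ValueError("VMWARE_ALARM_NAME is not set; not started by an alarm action?")
    return {"time": now if now is not None else time.time(),
            "sourcetype": "vmware:alarm",  # assumed sourcetype name
            "event": fields}

def build_request(hec_url, token, event):
    """Build the POST to the HEC event endpoint; the token only travels over TLS."""
    if not hec_url.lower().startswith("https://"):
        raise ValueError("refusing to send the HEC token over plain HTTP")
    return urllib.request.Request(
        hec_url.rstrip("/") + "/services/collector/event",
        data=json.dumps(event).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST")

def send(req, ca_file=None, timeout=10):
    """Send with certificate and hostname verification; raise unless HEC accepts."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        body = json.load(resp)
    if body.get("code") != 0:
        raise RuntimeError("HEC rejected the event: %r" % body)
    return body

if __name__ == "__main__":
    # Constructed sample alarm, used only when run outside vCenter.
    sample = {"VMWARE_ALARM_NAME": "Host connection and power state",
              "VMWARE_ALARM_TARGET_NAME": "esxi01.example.com",
              "VMWARE_ALARM_OLDSTATUS": "Green", "VMWARE_ALARM_NEWSTATUS": "Red"}
    env = os.environ if "VMWARE_ALARM_NAME" in os.environ else sample
    event = build_event(env)
    if os.environ.get("SPLUNK_HEC_URL"):  # e.g. https://splunk.example.com:8088
        send(build_request(os.environ["SPLUNK_HEC_URL"],
                           os.environ["SPLUNK_HEC_TOKEN"], event),
             os.environ.get("SPLUNK_CA_FILE"))
    else:
        print(json.dumps(event, indent=2))  # dry run: show the payload only
```

The token is read from the environment rather than hard-coded, so it stays out of the script file; on the Splunk side, restricting that token to a single index limits what a leaked token can write to.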