Getting Data In

How to set alarms from vCenter with HEC token?

olivera
Explorer

I want to monitor all my hosts, ESXi's, etc. in my vCenter environment. I am working in a distributed environment and I want to send all alarms (for errors) and all data that can help me to ensure that the health of my vCenter environment is good.

Can someone please help and send me the steps in order to do that? It will be helpful to also add tutorials or documentation for each part.

(I don't know for example in what component to enable the HEC token or how to use API to send the alarms from vCenter to my Splunk)

0 Karma

gballanti
Explorer

Hello,

To send syslog from vCenter to Splunk (in this case):

1. Open the vCenter Server Appliance management interface (https://vcenter-ip:5480) and log in with the root or admin account.
2. In the Syslog section, add the receiver: IP, protocol, port (check that it works with "Send test message").

The receiver could be a machine with a UF or HF where you configured a syslog service (rsyslog or syslog-ng), so you adhere to the Splunk best practices (use a file instead of a network connection).

As I remember, the next step is setting the log level from General in the vSphere environment.

I'm not really sure because I'm not an expert in VMware; if you need the alerts, they can be sent with SNMP traps.

Have you had a look at Splunkbase as well?

0 Karma

PickleRick
SplunkTrust

Why did you choose HEC and not any other means of generating events (like syslog, for example)?

0 Karma

olivera
Explorer

I am now considering all options. Can you explain more about the syslog solution and how to do it?

0 Karma

PickleRick
SplunkTrust

OK. If it works in vCenter the same as described here https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.monitoring.doc/GUID-8F833B44-E675-4...

You're limited to email/SNMP traps out of the box. (SNMP should be processable with SC4SNMP - https://splunk.github.io/splunk-connect-for-snmp/main/)

Other than that you have to create some script on your own: you might send a simple syslog message, you might indeed POST an event via HEC. Syslog is probably easier to set up on the source side but has its limitations, especially if sent over UDP.

0 Karma

olivera
Explorer

Can you please tell me the basic steps for how to do it? I feel lost in the documentation 😞

0 Karma

PickleRick
SplunkTrust

SC4SNMP? Have no idea. Never used it before.

Other methods require creating an input on Splunk's side (which is relatively well described in several places in the Splunk docs, for example here https://docs.splunk.com/Documentation/Splunk/9.0.3/Data/UsetheHTTPEventCollector in the case of HEC, or here https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports in the case of "syslog" inputs). But it would also require some scripting on the vCenter side, and here I can't help you.

0 Karma
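The "script on your own" that PickleRick mentions, posting an alarm to a HEC input, as an added example that is not part of the thread or of any VMware or Splunk product. It assumes the script runs as a vCenter alarm action, which (as documented for alarm script actions) exports the alarm details as `VMWARE_ALARM_*` environment variables; the HEC URL and token are placeholders read from the environment, and only a fixed allow-list of variables is copied into the event so nothing else from the environment ends up in the index.

```python
"""Forward a vCenter alarm to Splunk HEC (added example, not vendor code)."""
import json
import os
import ssl
import time
import urllib.request

# Placeholder Splunk settings: override via environment on the appliance.
HEC_URL = os.environ.get(
    "SPLUNK_HEC_URL",
    "https://splunk-hec.example.invalid:8088/services/collector/event")
HEC_TOKEN = os.environ.get("SPLUNK_HEC_TOKEN", "<hec-token-placeholder>")

# Assumed VMWARE_ALARM_* variables exported by vCenter to alarm scripts.
WANTED = ("VMWARE_ALARM_NAME", "VMWARE_ALARM_TARGET_NAME",
          "VMWARE_ALARM_OLDSTATUS", "VMWARE_ALARM_NEWSTATUS",
          "VMWARE_ALARM_TRIGGERINGSUMMARY", "VMWARE_ALARM_EVENTDESCRIPTION")


def build_hec_event(env, now=None):
    """Build the HEC event JSON from the allow-listed alarm variables only,
    so unrelated environment contents (PATH, secrets) never reach Splunk."""
    fields = {k.replace("VMWARE_ALARM_", "").lower(): env.get(k, "")
              for k in WANTED}
    return {
        "time": now if now is not None else time.time(),
        "host": env.get("VMWARE_ALARM_TARGET_NAME", "unknown"),
        "source": "vcenter:alarm",
        "sourcetype": "vmware:alarm",  # constructed sourcetype name
        "event": fields,
    }


def should_forward(payload):
    """Forward only transitions into yellow/red; green/gray resets stay local."""
    return payload["event"]["newstatus"].lower() in ("yellow", "red")


def post_event(payload, url=HEC_URL, token=HEC_TOKEN, timeout=5):
    """POST the event to HEC over TLS with certificate verification kept on."""
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # verifies the HEC server certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    event = build_hec_event(os.environ)
    if should_forward(event):
        print(post_event(event))
```

A successful post returns `{"text": "Success", "code": 0}` from HEC; anything else (bad token, untrusted certificate, unreachable collector) raises, which the alarm action log on the appliance will show.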