Getting Data In

Unable to see vmware esxi syslog in splunk

meenakande
New Member

we are forwarding vmware esxi syslog to splunk by using heavy forwarder. we have not installed any universal forwarder in our esxi servers.
In splunk we have created a index(vmware_log) and created a token for index. but still we are not able to see logs in splunk cloud?

Tags (2)
0 Karma

DalJeanis
Legend

How did you expect to get the logs? Is the HF executing some kind of script or pull?

0 Karma

PavelP
Motivator

Hello @meenakande ,

please explain your setup and post your configuration.

0 Karma

meenakande
New Member

Setup:
Vmware server name - vmware_esxi01
Heavy Forwarder - bos-syslog01
In vmware server -> config -> Advance system settings -> syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

And followed "Configure ESXi hosts using the vSphere Client" section of below document
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts

0 Karma

PavelP
Motivator

have you specified the port?

syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

after that follow this article to check if the packets are sent: https://kb.vmware.com/s/article/1031186

for example capture 10 packets on the interface vmk0 on the port 1514 and show the payload:

tcpdump-uw -i vmk0 -A -c 10 port 1514
0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...