We are forwarding VMware ESXi syslog to Splunk by using a heavy forwarder. We have not installed any universal forwarder on our ESXi servers.
In Splunk we have created an index (vmware_log) and created a token for the index, but we are still not able to see logs in Splunk Cloud.
How did you expect to get the logs? Is the HF executing some kind of script or pull?
Hello @meenakande,
please explain your setup and post your configuration.
Setup:
VMware server name - vmware_esxi01
Heavy Forwarder - bos-syslog01
In VMware server -> Config -> Advanced System Settings -> syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com
and followed the "Configure ESXi hosts using the vSphere Client" section of the document below:
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts
Have you specified the port?
syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com
After that, follow this article to check whether the packets are sent: https://kb.vmware.com/s/article/1031186
For example, capture 10 packets on interface vmk0 on port 1514 and show the payload:
tcpdump-uw -i vmk0 -A -c 10 port 1514
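The port question above is the usual failure mode in this setup: the ESXi loghost URI names no port, so ESXi falls back to its default, while the heavy forwarder listens on something else (1514 in the capture suggested above). The script below is an added example, not code from the thread, Splunk or VMware. It parses a syslog.global.loghost value and a Splunk inputs.conf snippet and reports whether the two sides agree on protocol and port. The inputs.conf text is constructed sample data modelled on this thread, and the default ports (514 for udp/tcp, 1514 for ssl when the URI omits one) are an assumption to verify against your ESXi version's documentation.

```python
import re
from urllib.parse import urlsplit

# Assumed ESXi behaviour when a loghost URI omits the port (an assumption to
# check against your ESXi version's docs): 514 for udp/tcp, 1514 for ssl.
DEFAULT_PORTS = {"udp": 514, "tcp": 514, "ssl": 1514}

# Splunk inputs.conf stanzas that open a plain syslog listener:
# [tcp://1514], [udp://514], [tcp://10.0.0.5:1514], [tcp-ssl:1514]
STANZA_RE = re.compile(
    r"^\s*\[(tcp-ssl|tcp|udp)(?:://|:)(?:[^:\]]+:)?(\d+)\]\s*$")


def parse_loghost(value):
    """Parse a syslog.global.logHost value ("proto://host[:port]", comma
    separated) into (proto, host, port, port_was_explicit) tuples."""
    targets = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "://" not in entry:
            entry = "udp://" + entry  # bare hostname: treated as UDP (assumption)
        parts = urlsplit(entry)
        proto = parts.scheme.lower()
        if proto not in DEFAULT_PORTS:
            raise ValueError(f"unsupported protocol {proto!r} in {entry!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {entry!r}")
        explicit = parts.port is not None
        port = parts.port if explicit else DEFAULT_PORTS[proto]
        targets.append((proto, parts.hostname, port, explicit))
    return targets


def parse_listeners(inputs_conf):
    """Return the set of (proto, port) syslog listeners an inputs.conf declares.
    Splunk's tcp-ssl stanza is reported as "ssl" to match ESXi's ssl:// scheme."""
    listeners = set()
    for line in inputs_conf.splitlines():
        m = STANZA_RE.match(line)
        if m:
            proto = "ssl" if m.group(1) == "tcp-ssl" else m.group(1)
            listeners.add((proto, int(m.group(2))))
    return listeners


def check_delivery(loghost, inputs_conf, hf_hostname):
    """Compare what ESXi will send with what the heavy forwarder listens on.
    Returns a list of problems; an empty list means both sides agree."""
    problems = []
    listeners = parse_listeners(inputs_conf)
    for proto, host, port, explicit in parse_loghost(loghost):
        if host.lower() != hf_hostname.lower():
            problems.append(f"{proto}://{host}:{port} does not target {hf_hostname}")
            continue
        if not explicit:
            problems.append(
                f"no port in {proto}://{host}; ESXi will default to {port}")
        if (proto, port) not in listeners:
            problems.append(
                f"forwarder has no {proto} listener on {port}; "
                f"found {sorted(listeners)}")
    return problems


# Constructed inputs.conf for the heavy forwarder, modelled on this thread
# (sample data, not copied from any real system).
INPUTS_CONF = """\
[tcp://1514]
sourcetype = vmw-syslog
index = vmware_log
connection_host = dns
"""

HF = "bos-syslog01.acadian-asset.com"

if __name__ == "__main__":
    # The value from the thread (no port) versus the corrected one.
    for value in (f"tcp://{HF}", f"tcp://{HF}:1514"):
        print(value, "->", check_delivery(value, INPUTS_CONF, HF) or "OK")
```

Once the URI carries the right port, apply it with `esxcli system syslog config set --loghost='tcp://bos-syslog01.acadian-asset.com:1514'` followed by `esxcli system syslog reload`, and confirm the outbound `syslog` firewall ruleset is enabled on the host (`esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true`) before running the tcpdump-uw capture above; a capture that shows no packets on the chosen port points at one of these two settings rather than at the Splunk index or token.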