Re: Unable to see vmware esxi syslog in splunk

meenakande · ‎04-08-2020

we are forwarding vmware esxi syslog to splunk by using heavy forwarder. we have not installed any universal forwarder in our esxi servers.
In splunk we have created a index(vmware_log) and created a token for index. but still we are not able to see logs in splunk cloud?

DalJeanis · ‎04-10-2020

How did you expect to get the logs? Is the HF executing some kind of script or pull?

PavelP · ‎04-08-2020

Hello @meenakande ,

please explain your setup and post your configuration.

meenakande · ‎04-10-2020

Setup:
Vmware server name - vmware_esxi01
Heavy Forwarder - bos-syslog01
In vmware server -> config -> Advance system settings -> syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

And followed "Configure ESXi hosts using the vSphere Client" section of below document
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts

PavelP · ‎04-14-2020

have you specified the port?

syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

after that follow this article to check if the packets are sent: https://kb.vmware.com/s/article/1031186

for example capture 10 packets on the interface vmk0 on the port 1514 and show the payload:

tcpdump-uw -i vmk0 -A -c 10 port 1514

Unable to see vmware esxi syslog in splunk

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation