Getting Data In

Unable to see vmware esxi syslog in splunk

meenakande
New Member

We are forwarding VMware ESXi syslog to Splunk by using a heavy forwarder. We have not installed any universal forwarder on our ESXi servers.
In Splunk we have created an index (vmware_log) and created a token for the index, but still we are not able to see logs in Splunk Cloud.

0 Karma

DalJeanis
Legend

How did you expect to get the logs? Is the HF executing some kind of script or pull?

0 Karma

PavelP
Motivator

Hello @meenakande ,

Please explain your setup and post your configuration.

0 Karma

meenakande
New Member

Setup:
VMware server name - vmware_esxi01
Heavy Forwarder - bos-syslog01
In VMware server -> Config -> Advanced System Settings -> syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

And followed the "Configure ESXi hosts using the vSphere Client" section of the document below:
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts

0 Karma

PavelP
Motivator

Have you specified the port?

syslog.global.loghost=tcp://bos-syslog01.acadian-asset.com

After that, follow this article to check if the packets are sent: https://kb.vmware.com/s/article/1031186

For example, capture 10 packets on the interface vmk0 on port 1514 and show the payload:

tcpdump-uw -i vmk0 -A -c 10 port 1514

0 Karma
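The check PavelP asks about, written out as a small POSIX shell helper. This is an added example, not code from the thread or from Splunk or VMware: it parses an ESXi syslog.global.loghost value (one or more comma-separated proto://host[:port] targets), reports which targets carry no explicit port, and prints the inputs.conf stanza a heavy forwarder needs so that it actually listens on the port the ESXi host sends to. The hostname and index name come from the thread; the sourcetype vmw-syslog and the 1514 listener port are assumptions chosen to match PavelP's tcpdump example.

```shell
#!/bin/sh
# Added example (not from the thread). Validates an ESXi syslog.global.loghost
# value and emits the matching Splunk heavy-forwarder TCP input stanza.
# Hostname/index are from the thread; sourcetype and port are assumptions.

# loghost_entries VALUE -> one "proto host port" line per comma-separated
# target. proto is "-" if the entry has no "://", port is "-" if the entry
# has no explicit ":port". Returns 1 if any target lacks a port, else 0.
loghost_entries() {
  rc=0
  oldifs=$IFS
  IFS=','
  for entry in $1; do
    IFS=$oldifs
    case $entry in
      *://*) proto=${entry%%://*}; rest=${entry#*://} ;;
      *)     proto='-';            rest=$entry ;;
    esac
    case $rest in
      *:*) host=${rest%%:*}; port=${rest##*:} ;;
      *)   host=$rest;       port='-'; rc=1 ;;
    esac
    printf '%s %s %s\n' "$proto" "$host" "$port"
    IFS=','
  done
  IFS=$oldifs
  return $rc
}

# hf_tcp_stanza PORT INDEX -> inputs.conf stanza for the HF listener.
# A syslog.global.loghost of tcp://host:PORT only works if the HF has a
# [tcp://PORT] input routing to the index the ESXi logs should land in.
# sourcetype vmw-syslog is an assumption about the VMware add-on.
hf_tcp_stanza() {
  printf '[tcp://%s]\nindex = %s\nsourcetype = vmw-syslog\nconnection_host = ip\ndisabled = 0\n' "$1" "$2"
}

# Walk-through with the value posted in the thread (no port given).
value='tcp://bos-syslog01.acadian-asset.com'
loghost_entries "$value" || \
  echo "WARNING: $value has no explicit port; set one (e.g. ${value}:1514) so the ESXi host and the HF listener agree" >&2

# Stanza to add to inputs.conf on the heavy forwarder (port 1514 assumed).
hf_tcp_stanza 1514 vmware_log
```

Run it once with the loghost value from the ESXi host; a "-" in the port column means ESXi is using a default you did not choose, which is the usual reason tcpdump-uw on the expected port shows nothing while the logs never reach the index.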