Getting Data In

VMware ESXi generic syslog sources (auth, shell) not properly sourcetyped as vmware:esxlog

onlyenz404
New Member

Hi. I've asked this question in the Splunk Connect for Syslog GitHub repository as it relates to that product, but following their advice on similar issues and after not receiving any responses, I'm reaching out here.

Environment: I'm ingesting logs from a VMware ESXi host into Splunk in a lab environment. I have two virtual machines installed on VMware Workstation Pro 17.5:

  1. ESXi machine (4GB RAM, 2 CPU cores)
  2. Rocky Linux 10.0 machine (minimal ISO, 4GB RAM, 2 CPU cores)

On the Rocky Linux machine, I have a Splunk HF server and SC4S installed via Docker with docker-compose, using this image: ghcr.io/splunk/splunk-connect-for-syslog/container3:3.38.1

Configuration: My env_file contains:

# HEC destination (lab setup; TLS verification is disabled here)
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://192.168.25.134:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=e766e25f-dcd2-4434-9920-69f72a5964e7
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
# caches used for host naming and VPS (vendor/product) lookups
SC4S_USE_NAME_CACHE=yes
SC4S_USE_VPS_CACHE=yes
# VMware vSphere source settings
SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG=yes
SOURCE_ALL_SET=DEFAULT,VMWARE_VSPHERE
# dedicated vSphere listeners; note both are set to the same port here
SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT=5514
SC4S_LISTEN_VMWARE_VSPHERE_RFC6587_PORT=5514

The Problem: I'm interested in logs from these ESXi files:

  • hostd.log
  • vobd.log
  • vmkwarning.log
  • auth.log
  • shell.log

Most logs are correctly tagged with the appropriate sourcetype (e.g., hostd.log appears as vmware:esxlog:hostd). However, auth.log and shell.log continue to be tagged with nix:syslog instead of VMware-related sourcetypes.

What I've Tried: Following the SC4S documentation, I added the configuration parameters listed above to my env_file. I also created a custom VPS parser at /opt/sc4s/local/config/app_parsers/app-vps-vmware_vsphere.conf:

application app-vps-test-vmware_vsphere[sc4s-vps] {
  # match on the sender's hostname; syslog-ng's host() filter is a regex match,
  # so this fires for any hostname containing "-esx-"
  filter { host("-esx-") };
  parser {
    # force the vendor/product used for downstream sourcetype selection
    p_set_netsource_fields(
      vendor('vmware')
      product('vsphere')
    );
  };
};

I've tested multiple variations, including:

  • Using different filter patterns (netmask, full hostname, host("-esx-") exactly as documented)
  • Combining different filter approaches simultaneously

Unfortunately, none of these approaches have resolved the issue. Any guidance would be greatly appreciated!

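One way to sanity-check the hostname-based routing described in this post, before touching SC4S again, is to run a few representative events through a toy model of the decision. The script below is an added example, not code from the poster, from SC4S, or from VMware. It assumes (as a simplification of SC4S's real routing) that a host matching the VPS filter gets a vmware:esxlog:<program> sourcetype and that anything else falls through to nix:syslog; only vmware:esxlog:hostd and nix:syslog are confirmed by the post itself. The sample events are constructed to look like what an ESXi host emits (RFC 5424-style header, program name, optional PID) and were not captured from a real host. The practical point it shows: the VPS filter host("-esx-") is a regex search against the hostname the sender puts in the syslog header, so an ESXi host named, say, esxi01 never matches it, regardless of how the program fields look.

```python
import re
from typing import Optional

# Constructed sample events (not captured from a real ESXi host). The first
# three come from a host whose name contains "-esx-", the last from one that
# does not. The hostd line mirrors the shape the post reports as correctly
# sourcetyped; sshd and shell lines stand in for auth.log and shell.log.
SAMPLE_EVENTS = [
    "<166>2024-05-01T10:00:00.000Z lab-esx-01 Hostd: info hostd[2098678] "
    "[Originator@6876 sub=Vimsvc] Heartbeat",
    "<38>2024-05-01T10:00:01.000Z lab-esx-01 sshd[2099115]: Accepted "
    "keyboard-interactive/pam for root from 192.168.25.10 port 51234 ssh2",
    "<166>2024-05-01T10:00:02.000Z lab-esx-01 shell[2099120]: [root]: "
    "esxcli system account list",
    "<38>2024-05-01T10:00:03.000Z esxi01 sshd[2099200]: Failed password "
    "for invalid user admin from 192.168.25.11 port 51235 ssh2",
]

# Minimal header parser: <PRI>TIMESTAMP HOST PROGRAM[PID]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"            # priority = facility*8 + severity
    r"(?P<ts>\S+)\s+"                 # ISO-8601 timestamp
    r"(?P<host>\S+)\s+"               # hostname exactly as the sender wrote it
    r"(?P<program>[A-Za-z][\w.-]*)"   # program/tag, e.g. Hostd, sshd, shell
    r"(?:\[(?P<pid>\d+)\])?:\s*"      # optional [pid], then the colon
    r"(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into header fields; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["pri"] = int(ev["pri"])
    ev["facility"], ev["severity"] = divmod(ev["pri"], 8)
    return ev


def classify(event: dict, host_pattern: str = r"-esx-") -> tuple:
    """Toy model of the VPS decision (an assumption, not SC4S's own logic):
    if the hostname matches host_pattern (regex search, like syslog-ng's
    host() filter), force vendor/product to vmware/vsphere and derive a
    vmware:esxlog:<program> sourcetype; otherwise fall through to the
    generic nix:syslog the post reports for the misrouted events."""
    if re.search(host_pattern, event["host"]):
        return ("vmware_vsphere", f"vmware:esxlog:{event['program'].lower()}")
    return ("nix", "nix:syslog")


def classify_all(lines, host_pattern: str = r"-esx-") -> list:
    """Return (host, program, sourcetype) for each line, for quick review."""
    results = []
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            results.append((None, None, "unparsed"))
            continue
        results.append((ev["host"], ev["program"], classify(ev, host_pattern)[1]))
    return results


if __name__ == "__main__":
    # Compare the documented filter with one tailored to the real hostname.
    for pattern in (r"-esx-", r"^esxi"):
        print(f"host filter {pattern!r}:")
        for host, prog, st in classify_all(SAMPLE_EVENTS, pattern):
            print(f"  {host:12} {prog:8} -> {st}")
```

Running it prints the routing twice: with the documented "-esx-" filter the esxi01 sshd event lands in nix:syslog while the lab-esx-01 events get vmware:esxlog sourcetypes, and with a filter matching the actual hostname all four are classified as VMware. Swap the constructed lines for one raw auth.log or shell.log event copied from Splunk, and the host field the parser prints is the value the VPS filter has to match.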

Wander
Path Finder

Hey,
Looking at this, I have a few questions that should hopefully help:

1. I see you have ESXi sending syslog to SC4S over TCP and RFC6587. Is it going to a dedicated VMware port or a shared one?

2. For the misclassified events, what does the program field show (for example sshd)?

3. Can you paste one raw auth.log or shell.log event as it hits Splunk?

4. Did you restart the SC4S container after adding it?
