Why am I unable to collect Syslogs for VMware 5.5.0 on Splunk 6.2.1?

New Member

Hi Everyone,

I have a problem collecting syslogs for VMware 5.5 on Splunk 6.2.1, which is installed in a Linux virtual machine (ElementaryOS version 0.2.1).

So, I executed the steps in the tutorials below:
1) http://wiki.splunk.com/Community:VMwareESXSyslog
2) http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200332...

However, I am always having the same problem.

THE LOGS ARE NOT TRANSMITTED IN ANY WAY TO SPLUNK 6.2.1.

Has anyone been through a similar situation who could help me?

0 Karma

Path Finder

I ran into this problem.

I installed the DCN, the connections all checked out green, and I was ready to go. I did a search and my VMware app dashboard all came up with data. Brilliant, so far.

The Data Collection Node (DCN) that comes with Splunk has a 5GB disk. The default for the dispatcher for doing searches is 5GB. What happened to me is that the VMware app came up, populated the dashboards, and then never collected another thing. The reason, revealed by tailing the splunkd.log file on the DCN, is that there was not enough space on the virtual disk drive on the DCN VM. I solved it by having the VM admin up the space available to the $SPLUNK_HOME directory on the DCN. Ultimately, I rolled my own DCN because the VMware schema couldn't (or wouldn't) grow the VM directory. Splunk was in /home/splunk vice /opt/splunk. Oh well.

The other possible solution is to change the minimum disk space required for the dispatcher in Splunk when conducting searches. You could lower it to 2 GB and then start getting search data back. If your problem is similar to the one I encountered, this might help.

0 Karma
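
A check for the condition described in the answer above, added here as an example and not code from the thread or from Splunk. It assumes the dispatcher threshold is the `minFreeSpace` setting (in MB, default 5000) in the `[diskUsage]` stanza of `server.conf`, and that local overrides live in `$SPLUNK_HOME/etc/system/local/server.conf`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the dispatcher threshold is
# minFreeSpace (MB) in the [diskUsage] stanza of server.conf, default 5000.

# Print minFreeSpace in MB from a server.conf-style file (5000 if unset or unreadable).
min_free_mb() {
    [ -r "$1" ] || { echo 5000; return 0; }
    awk -F= '
        /^[ \t]*#/  { next }                             # skip comment lines
        /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[diskUsage\][ \t\r]*$/); next }
        in_stanza && $1 ~ /^[ \t]*minFreeSpace[ \t]*$/ {
            gsub(/[ \t\r]/, "", $2); val = $2            # last setting wins
        }
        END { print (val ~ /^[0-9]+$/ ? val : 5000) }    # plain MB values only
    ' "$1"
}

# Print free space in MB on the filesystem that holds a path (POSIX df, 1K blocks).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed when free space meets the threshold, i.e. searches can still be dispatched.
can_dispatch() {    # usage: can_dispatch FREE_MB MIN_MB
    [ "$1" -ge "$2" ]
}

# Compare the free space under SPLUNK_HOME with the configured threshold.
check_dcn() {       # usage: check_dcn SPLUNK_HOME
    conf="$1/etc/system/local/server.conf"
    min=$(min_free_mb "$conf")
    free=$(free_mb "$1")
    if can_dispatch "$free" "$min"; then
        echo "OK: ${free} MB free, minFreeSpace=${min} MB"
    else
        echo "BLOCKED: ${free} MB free is below minFreeSpace=${min} MB"
        echo "Grow the disk, or lower minFreeSpace in [diskUsage] and restart Splunk"
        return 1
    fi
}

# Run the check only when a SPLUNK_HOME path is given, e.g.: sh check.sh /opt/splunk
if [ "$#" -gt 0 ]; then check_dcn "$1"; fi
```
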