Hi there,
I am looking to log just audit data from our vSphere environment, so I just want to see things like DRS events, user logins, power on and offs etc - I don't want performance data logging to Splunk, so the VMware app is overkill - is there a better or simpler way to do this? The vSphere logs on the vCenter server show some events (if I just log the *.vxpd files) but these aren't formatted with proper VM names etc.
What is the best way to achieve this?
Thanks!
You could write a data collector script. This script would connect to your vCenter using the vSphere API, collect the logs using the PropertyCollector object, use a callback to check for tasks/events as they are generated (WaitForUpdatesEx), and finally use the Splunk SDK to send those logs to your Splunk instance. At least that's what I did. I used pyvmomi, which is a Python wrapper around the vSphere SDK.
The following GitHub page has some helpful examples to get you started:
https://github.com/vmware/pyvmomi-community-samples
The following link has an example which shows how to use the Splunk SDK for Python to send data into Splunk:
http://dev.splunk.com/view/python-sdk/SP-CAAAEE6
This may be sub-optimal. I used this approach a couple of years ago. I am not sure if this is the best way to go about it.
-sk
I don't suppose you're willing to share your work? I was about to start the same task and wouldn't mind having an already-built sample to work with.
I am sure there are better/more graceful ways to go about this. This should get you started. I modified this script for my purpose. https://github.com/vmware/pyvmomi-community-samples/blob/master/samples/waitforupdates.py
I wanted to write a tasks and events property collector. monitor_property_changes() is what you should look at. Once you get hold of your data in that function, you could connect to Splunk using Splunk's SDK and send that data. This link shows you how - http://dev.splunk.com/view/python-sdk/SP-CAAAEE6
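
A sketch of the filter-and-forward step described in the last reply, added here as an example and not the poster's script: it keeps only login, power and DRS events, puts the VM name into each record, and hands the record to a `submit` callable. Assumptions: `submit` is meant to be the Splunk SDK's `Index.submit`, the `vsphere:audit` sourcetype and the helper names are made up, and the sample events are constructed stand-ins for pyvmomi event objects.

```python
import json
from datetime import datetime, timezone
from types import SimpleNamespace

# vSphere event classes kept as audit data: logins, power operations, DRS.
AUDIT_TYPES = {
    "UserLoginSessionEvent", "UserLogoutSessionEvent", "VmPoweredOnEvent",
    "VmPoweredOffEvent", "DrsVmMigratedEvent", "DrsVmPoweredOnEvent",
}

def to_record(event):
    """Flatten one event to a dict with readable names; None if not audit data."""
    # Assumption: pyvmomi type names look like "vim.event.VmPoweredOnEvent".
    kind = type(event).__name__.split(".")[-1]
    if kind not in AUDIT_TYPES:
        return None
    vm = getattr(event, "vm", None)      # entity arguments carry a .name
    host = getattr(event, "host", None)
    return {
        "time": event.createdTime.astimezone(timezone.utc).isoformat(),
        "type": kind,
        "user": event.userName or None,
        "vm": vm.name if vm is not None else None,
        "host": host.name if host is not None else None,
        "message": event.fullFormattedMessage,
    }

def forward(events, submit, sourcetype="vsphere:audit"):
    """Pass each audit record to submit() as JSON; return the number sent."""
    sent = 0
    for event in events:
        record = to_record(event)
        if record is not None:
            submit(json.dumps(record, sort_keys=True), sourcetype=sourcetype)
            sent += 1
    return sent

def _sample(kind, **fields):
    # Constructed stand-in for a pyvmomi event object, not real vCenter data.
    return type("vim.event." + kind, (SimpleNamespace,), {})(**fields)

T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    _sample("VmPoweredOnEvent", createdTime=T0, userName="alice",
            vm=SimpleNamespace(name="web01"), host=SimpleNamespace(name="esx1"),
            fullFormattedMessage="web01 on esx1 is powered on"),
    _sample("UserLoginSessionEvent", createdTime=T0, userName="bob",
            fullFormattedMessage="User bob logged in"),
    _sample("AlarmStatusChangedEvent"),  # not audit data, dropped
]
```

In a real collector, `events` would come from the update callback and `submit` would be the `submit` method of an index obtained through the Splunk SDK connection.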