Hi @token2,

To answer your questions about the VMware add-ons:

## Do You Need Both Add-ons?

No, you don't necessarily need both add-ons in an environment with vCenter, but using both provides more complete visibility. Here's why:

1. Splunk Add-on for vCenter:
   a. Collects vCenter-specific logs and metrics
   b. Gathers performance data through the vCenter API
   c. Collects vCenter Server events, tasks, and alarms
   d. Can collect some forwarded ESXi logs that vCenter has received (if configured to do so)
2. Splunk Add-on for VMware ESXi:
   a. Collects ESXi host-specific logs directly from each host
   b. Captures detailed host-level events that may not all be forwarded to vCenter
   c. Provides more granular host-level monitoring
   d. Essential for troubleshooting host-specific issues

While vCenter does collect many ESXi logs, it doesn't necessarily collect everything. Some detailed ESXi logs remain local to the hosts and aren't forwarded to vCenter, especially debug-level logs and certain system events. Collecting directly from ESXi hosts gives you more complete visibility.

## Collection Methods for vCenter Add-on

Yes, the Splunk Add-on for vCenter typically utilizes both collection methods:

1. Syslog collection:
   a. For operational logs and events from vCenter
   b. Requires configuring vCenter to forward logs via syslog
2. API access:
   a. For performance metrics, inventory, and task/event data
   b. Requires a vCenter user account with appropriate permissions
   c. Uses REST API calls to gather data

This dual-collection approach gives you both operational logs and rich performance/configuration data.

## Recommended Setup

For a complete VMware monitoring solution with vCenter:

1. If complete visibility is important:
   a. Install both add-ons
   b. Configure syslog from both vCenter and all ESXi hosts
   c. Set up API collection from vCenter
2. If you have resource constraints or simpler needs:
   a. Install the vCenter add-on only
   b. Ensure vCenter is configured to collect as many ESXi logs as possible
   c. You'll miss some host-specific details but will have good overall visibility
3. If you have a very large environment:
   a. Install both add-ons
   b. Consider selective monitoring of critical ESXi hosts only
   c. Use the vCenter add-on for broad monitoring and the ESXi add-on for deep dives into important hosts

The biggest advantage of using both add-ons is the additional context and detail you get from direct ESXi host monitoring, especially valuable for troubleshooting host-specific issues that might not be fully visible through vCenter alone.

Hope this helps clarify your VMware monitoring options in Splunk!

Please give for support. Happy Splunking ....