Hi. I've asked this question in the Splunk Connect for Syslog GitHub repository as it relates to that product, but following their advice on similar issues and after not receiving any responses, I'm reaching out here.

Environment:

I'm ingesting logs from a VMware ESXi host into Splunk in a lab environment. I have two virtual machines installed on VMware Workstation Pro 17.5:

- ESXi machine (4GB RAM, 2 CPU cores)
- Rocky Linux 10.0 machine (minimal ISO, 4GB RAM, 2 CPU cores)

On the Rocky Linux machine, I have a Splunk HF server and SC4S installed via Docker with docker-compose, using this image: ghcr.io/splunk/splunk-connect-for-syslog/container3:3.38.1

Configuration:

My env_file contains:

SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://192.168.25.134:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=e766e25f-dcd2-4434-9920-69f72a5964e7
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=no
SC4S_USE_NAME_CACHE=yes
SC4S_SOURCE_VMWARE_VSPHERE_GROUPMSG=yes
SC4S_USE_VPS_CACHE=yes
SOURCE_ALL_SET=DEFAULT,VMWARE_VSPHERE
SC4S_LISTEN_VMWARE_VSPHERE_TCP_PORT=5514
SC4S_LISTEN_VMWARE_VSPHERE_RFC6587_PORT=5514

The Problem:

I'm interested in logs from these ESXi files:

- hostd.log
- vobd.log
- vmkwarning.log
- auth.log
- shell.log

Most logs are correctly tagged with the appropriate sourcetype (e.g., hostd.log appears as vmware:esxlog:hostd). However, auth.log and shell.log continue to be tagged with nix:syslog instead of VMware-related sourcetypes.

What I've Tried:

Following the SC4S documentation, I added the configuration parameters listed above to my env_file. I also created a custom VPS parser at /opt/sc4s/local/config/app_parsers/app-vps-vmware_vsphere.conf:

application app-vps-test-vmware_vsphere[sc4s-vps] {
    filter { host("-esx-") };
    parser {
        p_set_netsource_fields(
            vendor('vmware')
            product('vsphere')
        );
    };
};

I've tested multiple variations, including:

- Using different filter patterns (netmask, full hostname, host("-esx-") exactly as documented)
- Combining different filter approaches simultaneously

Unfortunately, none of these approaches have resolved the issue. Any guidance would be greatly appreciated!