Luca Dell'Oca Principal Cloud Architect @Veeam
Virtual To The Core

Virtualization blog, the italian way.

VMware admin / Splunk noob: #2 send ESXi logs to Splunk

Luca Dell'Oca, May 28, 2013 / December 4, 2016

In the first post of this series, I explained how to install and configure Splunk. In this second post, I will show you how to ship ESXi logs to a Splunk server.

If an ESXi server has local storage, logs are automatically saved in /var/log. If, however, an ESXi server is installed on SD or USB media, there is no local storage to use, and logs are saved to the RAM disk, so they are not retained across a reboot. Usually, you end up with this warning:

Logs are stored on non-persistent storage

In both cases, the configuration to send logs to Splunk will be the same.

First, on the Splunk server. Splunk can receive logs on any TCP or UDP port you want, but initially no “receiver” is configured. To enable a syslog receiver, go to Manager -> Data inputs -> UDP -> Add new, and configure it as follows.

configure Syslog Receiver in Splunk

You need to configure the port you want to use, usually UDP:514, and choose “syslog” as the log format; also, even if it is not mandatory, I prefer to convert host records from IP to DNS so they are more readable in the logs.

Once you have saved the new receiver, move on to the ESXi configuration. Go into Advanced System Settings, search for the parameter Syslog.global.logHost and set a value like udp://splunk_ip:514:

Remote syslog configuration in ESXi

Once the configuration is saved, the warning message disappears, and ESXi logs are shipped to Splunk.

Finally, you can configure the same parameter on servers with local storage too, so all the ESXi logs are saved in the same log platform.
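
The same configuration from the ESXi shell, as an added example that is not part of the original post: it goes beyond the GUI steps by also enabling the outbound syslog firewall ruleset and writing a marker line you can search for in Splunk to confirm delivery. The address 192.0.2.10 and the helper names build_loghost and configure_esxi_syslog are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CLI equivalent of the GUI steps above, for the ESXi shell.
# SPLUNK_HOST is a constructed placeholder (TEST-NET address); replace it.
SPLUNK_HOST="${SPLUNK_HOST:-192.0.2.10}"
SPLUNK_PORT="${SPLUNK_PORT:-514}"

# Build the Syslog.global.logHost value (hostnames and IPv4 only). Reject
# anything but udp/tcp/ssl and a numeric port in 1-65535, so a typo never
# reaches the host configuration.
build_loghost() {
    proto=$1 host=$2 port=$3
    case "$proto" in udp|tcp|ssl) ;; *) return 1 ;; esac
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    printf '%s://%s:%s\n' "$proto" "$host" "$port"
}

configure_esxi_syslog() {
    target=$(build_loghost udp "$SPLUNK_HOST" "$SPLUNK_PORT") || return 1
    # Same setting as Syslog.global.logHost in Advanced System Settings.
    esxcli system syslog config set --loghost="$target" &&
    esxcli system syslog reload &&
    # The ESXi firewall must allow outbound syslog; enable its ruleset.
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true &&
    esxcli network firewall refresh &&
    # Emit a marker line, then search for it in Splunk to confirm delivery.
    esxcli system syslog mark --message="splunk-syslog-test $(hostname)" &&
    # Print the resulting configuration for a final visual check.
    esxcli system syslog config get
}

# Only touch the configuration when run on an ESXi host.
if command -v esxcli >/dev/null 2>&1; then
    configure_esxi_syslog
else
    echo "esxcli not found; would set: $(build_loghost udp "$SPLUNK_HOST" "$SPLUNK_PORT")"
fi
```

Syslog.global.logHost also accepts tcp:// and ssl:// targets; if you use one, the Splunk side needs a matching TCP input instead of the UDP receiver configured above.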
