ESX servers:
Connect to your ESX server, log in as root.
Edit /etc/syslog.conf.
Add the following line to the bottom of the file. This will forward all the logs to your Splunk server.
*.* @splunksvr.mydomain
Restart the syslog service:
service syslog restart
Open the local firewall to allow UDP over port 514:
esxcfg-firewall -o 514,udp,out,syslog
Reload the firewall configuration:
esxcfg-firewall -l
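The syslog.conf edit above, written as an added example (not from the original post) that can be re-run safely on many hosts: it only appends the forwarding rule if no active one exists, ignores commented-out rules, and keeps a backup. The function names and the .bak suffix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: idempotent form of "append *.* @host to syslog.conf".
# Function names and the ".bak" backup suffix are illustrative choices.

# has_syslog_forward FILE HOST
# Succeeds only if FILE holds an active "*.* @HOST" rule.
has_syslog_forward() {
    conf=$1 host=$2
    awk -v target="@$host" '
        $1 ~ /^#/ { next }                       # commented-out rule: not active
        $1 == "*.*" && $2 == target { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$conf"
}

# ensure_syslog_forward FILE HOST
# Prints "unchanged" or "added"; returns 2 on error.
ensure_syslog_forward() {
    conf=$1 host=$2
    [ -f "$conf" ] || { echo "missing $conf" >&2; return 2; }
    if has_syslog_forward "$conf" "$host"; then
        echo "unchanged"
        return 0
    fi
    cp -p "$conf" "$conf.bak" || return 2        # copy to roll back to
    # If the file does not end in a newline, add one so the new rule
    # is not glued onto the previous line.
    if [ -n "$(tail -c 1 "$conf")" ]; then
        echo >> "$conf" || return 2
    fi
    printf '*.*\t@%s\n' "$host" >> "$conf" || return 2
    echo "added"
}
```

Call it as ensure_syslog_forward /etc/syslog.conf splunksvr.mydomain and restart the syslog service only when it prints "added".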
If you want to capture information from /var/log/vmware/hostd.log, do the following:
SSH over to your ESX server. You will need sudo or root access to complete the following.
Edit /etc/vmware/hostd/config.xml with your favorite editor and change it to look like the following:
<log>
<directory>/var/log/vmware/</directory>
<name>hostd</name>
<outputToConsole>true</outputToConsole>
<level>info</level>
</log>
Restart the ESX Management Agents:
service mgmt-vmware restart
ESXi servers:
The process is much simpler; simply run the following:
vicfg-syslog --server esxhostsvr.mydomain.com -s splunksvr.mydomain.com -p 514
Or
Using the vCenter console, go to the advanced options under the “configuration” tab and look for the “syslog” option. I may post screenshots later if I have the time.