Getting Data In

How to get VMware Per VM Log files into Splunk (vmware.log)?

steubens
New Member

Hi, can anyone tell us how to get "Per VM" log files into Splunk? We already have ESX syslog output going to Splunk as well as the vCenter log collector... but what I want to see in Splunk for troubleshooting is the contents of the log files that are produced by each VM inside its VMFS folder as it runs... the log file is called "vmware.log" and is rolled off to subsequent vmware-n.log files every so often by the ESX server. If we can get the live contents of vmware.log streaming into Splunk just like syslog does for the host, that would be AWESOME!

Thanks in advance.

0 Karma

lguinn2
Legend

If only there was a Splunk forwarder for ESXi! (Which VMware is unlikely to ever allow.) As sk314 suggests, you could use the API. It's not trivial, but you may be able to find some tutorials, etc. on the Internet.

Also, http://www.vmware.com/products/esxi-and-esx/management.html says "vSphere exposes logs from all system components using industry-standard syslog format, with the ability to send logs to a central logging server." However, the ESXi syslog only captures ESXi-level events. It looks like you are already doing this.

But this may work to add the vmware.log info to the ESXi syslog:

For each VM, edit the .vmx file setting as follows:

vmx.log.destination = "syslog-and-disk"

Or do it via the advanced settings for a VM in the vSphere client. This should keep the normal vmware.log, but also write the events to the ESXi syslog.

Finally, you might want to take a look at Splunk's VMware app, but the app might be overkill if this is all that you want to do...

0 Karma

splunkreal
Motivator

This works:

https://docs.splunk.com/Documentation/AddOns/released/VMW/VMwareAPI

    Navigate to your virtual machine vmx file.

    -> Add vmx.log.destination = "syslog-and-disk" to your virtual machine vmx file.

    -> Name your vm log entry. (Example: vmx.log.syslogID = vmx[splunkdata])

    Check the log entry in /var/log/syslog of your ESXi host to verify the syslog is being forwarded.

* If this helps, please upvote or accept solution 🙂 *
0 Karma
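
The .vmx change described in the two answers above, as an added sketch that is not part of any post in this thread: it sets both keys idempotently and keeps a backup of the original file. The function names, the sample .vmx contents and the `vmx[web01]` ID are constructed for illustration, and the sketch assumes the VM is powered off while its .vmx file is edited.

```shell
#!/bin/sh
# Added example: function names and sample file are hypothetical/constructed.

# set_vmx_key FILE KEY VALUE: drop any existing line for KEY, append KEY = "VALUE".
# Key names are compared case-insensitively (an assumption made here so that a
# differently-cased duplicate is not left behind).
set_vmx_key() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" '{
        name = $0
        sub(/[ \t]*=.*/, "", name)          # text before the first "="
        sub(/^[ \t]+/, "", name)
        if (index($0, "=") && tolower(name) == tolower(k)) next
        print
    }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s = "%s"\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"    # rewrite in place, keeps file mode
}

# enable_vm_syslog VMX_FILE SYSLOG_ID: apply both settings from the thread.
enable_vm_syslog() {
    vmx=$1 id=$2
    [ -f "$vmx" ] || { echo "no such file: $vmx" >&2; return 1; }
    # Keep the first pristine copy; later runs must not overwrite it.
    [ -e "$vmx.bak" ] || cp -p "$vmx" "$vmx.bak" || return 1
    set_vmx_key "$vmx" vmx.log.destination syslog-and-disk &&
        set_vmx_key "$vmx" vmx.log.syslogID "$id"
}

# Constructed sample .vmx, not taken from a real VM.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
displayName = "web01"
vmx.log.destination = "disk"
EOF
}

demo_dir=$(mktemp -d) &&
    make_sample_vmx "$demo_dir/web01.vmx" &&
    enable_vm_syslog "$demo_dir/web01.vmx" 'vmx[web01]' &&
    cat "$demo_dir/web01.vmx"
```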

sk314
Builder

You could try using the vSphere SDK for this?

0 Karma