- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- Is there a better way to audit data from vSphere t...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Is there a better way to audit data from vSphere tasks and events?
Hi there,
I am looking to log just audit data from our vSphere environment, so i just want to see things like DRS events, user logins, power on and offs etc - I don't want performance data logging to Splunk, so the vmware app is overkill - is there a better or simpler way to do this? the vpshere logs on the vcentre server show some events (if i just log the *.vxpd files) but these aren't formatted with proper vm names etc.
What is the best way to achieve this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could write a data collector script. This script would connect to your vCenter, using the vSphere API, collect the logs using PropertyCollector object, use a callback to check for tasks/events as they are generated (WaitForUpdatesEx), finally use the Splunk SDK to send those logs to your Splunk Instance. At least that's what I did. I used pyvmomi which is a python wrapper around the vSphere SDK.
The folowing github page has some helpful examples to get you started:
https://github.com/vmware/pyvmomi-community-samples
The following link has an example which shows how to use the Splunk SDK for Python to send data into Splunk:
http://dev.splunk.com/view/python-sdk/SP-CAAAEE6
This may be sub-optimal. I used this approach a couple of years ago. I am not sure if this is the best way to go about it.
-sk
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't suppose you're willing to share your work? I was about to start the same task and wouldn't mind having already-built sample to work with.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am sure there are better/more graceful ways to go about this. This should get you started. I modified this script for my purpose. https://github.com/vmware/pyvmomi-community-samples/blob/master/samples/waitforupdates.py
I wanted to write a tasks and events property collector. monitor_property_changes() is what you should look at. Once you get hold of your data in that function, you could connect to splunk using splunk's SDK and send that data. This link shows you how - http://dev.splunk.com/view/python-sdk/SP-CAAAEE6
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
