First off, I've been using Splunk for about two weeks, so I am not all that familiar with how things are supposed to work.
I have Splunk Light installed on Linux (and so far, it is receiving forwarded logs from two Windows servers and two Linux servers, as well as syslogs from our two firewalls). So far, so good.
I am trying to get Splunk to receive logs from our three ESXi hosts (two are 5.5 and one is 6.0) without any luck. I tried forwarding them to the default 514 port on Splunk, but Splunk said it was unable to create a listener on that port (due to not running as root from what I've read), so I configured ESXi to send its syslog to the same listener (on port 33514) that I am using for the firewall syslogs, but it doesn't look like I can modify the firewall on ESXi to send to that port (only 514 and 1514 are options).
So I created a second listener on port 1514 on Splunk, which worked, but when I configured ESXi to send to that host:port combination, Splunk doesn't receive the data.
I read around, and found that there is a Splunk Add-on for VMware, but couldn't find it in my add-on lists. I'm confused about how to install this, or where.
I also found an OVA for a Splunk DCN and installed that on one of the ESXi hosts. Went through the configuration and got this error:
License master configuration: Fail
In handler 'localslave' : editTracker failed, reason='WARN: path=/masterlm/usage: This license does not support being a remote master. from ip=10.25.1.24'
So now I am just really lost on which method is the recommended method to get ESXi syslogs to a Splunk Light server.
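One way to separate "ESXi is not sending (or its outbound syslog firewall rule is blocking it)" from "Splunk is not ingesting it" is to bind udp/1514 with a throwaway receiver while Splunk's own input on that port is disabled. This is an added example, not Splunk's or VMware's code; the hostname and log line are constructed, and it assumes the ESXi logHost uses udp:// (ESXi also accepts tcp:// and ssl://, and the Splunk input must use the same protocol).

```python
"""Throwaway UDP syslog receiver: run on the Splunk host (with Splunk's udp:1514 input
disabled, since only one process can bind the port). Hypothetical example, not Splunk/VMware code."""
import re
import socket

# Constructed sample line in the ESXi style: "<PRI>" + ISO timestamp + host + message.
SAMPLE_ESXI = b"<166>2016-05-10T08:46:57.322Z esxi01.example.local Hostd: constructed test line"
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T")


def parse_syslog(raw: bytes) -> dict:
    """Decode PRI (facility*8 + severity) and pull out the sending hostname."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m or int(m.group("pri")) > 191:
        return {"valid": False, "raw": text}
    facility, severity = divmod(int(m.group("pri")), 8)
    tokens = m.group("rest").split(" ")
    if tokens[0] == "1":                       # RFC 5424 version field
        tokens = tokens[1:]
    if tokens and ISO_RE.match(tokens[0]):     # ESXi: ISO timestamp, then hostname
        host, msg = (tokens[1] if len(tokens) > 1 else ""), " ".join(tokens[2:])
    elif len(tokens) >= 4 and re.match(r"^[A-Z][a-z]{2}$", tokens[0]):  # BSD "Mon dd hh:mm:ss host"
        host, msg = tokens[3], " ".join(tokens[4:])
    else:
        host, msg = "", " ".join(tokens)
    return {"valid": True, "facility": facility, "severity": severity, "host": host, "msg": msg}


def listen(port: int = 1514, max_packets: int = 5, timeout: float = 60.0) -> list:
    """Bind udp/<port> (unprivileged, unlike 514) and return the first parsed datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", port))   # raises EADDRINUSE if Splunk still owns the port
    seen = []
    try:
        while len(seen) < max_packets:
            data, (src_ip, _) = sock.recvfrom(65535)
            rec = parse_syslog(data)
            rec["source_ip"] = src_ip
            seen.append(rec)
            print(rec)
    except socket.timeout:
        print(f"nothing on udp/{port} in {timeout:.0f}s: the ESXi host is not reaching this box "
              "(check Syslog.global.logHost protocol/port and the ESXi outbound syslog firewall rule)")
    finally:
        sock.close()
    return seen
```

Call `listen()` on the Splunk box and then restart syslog on one ESXi host; if datagrams print here but Splunk shows nothing once its input is re-enabled, the problem is on the Splunk input side, otherwise it is between ESXi and the box.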