VMware Cloud Community
D0d001 (Contributor)

ESXI Logs to Splunk custom port - configuration issues

Hello everybody,

I'm currently trying to configure an ESXi host to send logs to Splunk using syslog, following the configuration steps explained in the Splunk documentation.

For my specific configuration, logs must be sent to a custom port on my Splunk Heavy forwarder; as explained in the Splunk guide: "To forward to a different port, create a new outbound firewall rule as another Security Profile on the sending host."

I tried adding a custom rule in the Syslog service section of the ESXi service.xml configuration file, as shown below (UDP/TCP), but it is not working as expected (before checking, I refreshed the firewall settings and reloaded the syslog service):

<rule id='1111'>
  <direction>outbound</direction>
  <protocol>tcp</protocol>
  <porttype>dst</porttype>
  <port>11233</port>
</rule>

With the ESXi firewall disabled, logs are sent to Splunk as expected.

I also saw a guide explaining that a custom VIB containing the rule is required, but the vibauthor tool seems deprecated. From ESXi 7.0 the service.xml configuration file can't be modified anymore either.

Is there a conventional (and possibly guided) solution that allows sending logs to this custom Splunk port without disabling the entire ESXi firewall? Has anyone had the same issue?

Thank you for your attention.


Accepted Solution

berndweyand (Expert)

You don't need to edit service.xml; just keep your own splunk.xml in the /etc/vmware/firewall directory and reload the rules with esxcli.

Because of the boot method ESXi uses, your XML will be lost after a reboot. A little trick solves that:

Place your XML on a datastore visible to all hosts.

Edit local.sh as described in https://kb.vmware.com/s/article/2043564

Put the following lines into local.sh:

cp /vmfs/volumes/<datastore name>/splunk.xml /etc/vmware/firewall

esxcli network firewall refresh

The modification of local.sh will remain after a reboot and after patching the host.

6 Replies
cyberwookie (Enthusiast)

I was never a fan of the ESXi firewall, but try this article:

https://kb.vmware.com/s/article/2005304

The article was written for ESXi 5, but the path and commands are still available on ESXi 7.

It boils down to creating an additional .xml file (splunk.xml), putting in your own rules, and reloading the firewall.

D0d001 (Contributor)

Hello cyberwookie,

Thanks for your response; I was able to set up the configuration file as explained in the article, and the firewall is now working as expected, allowing connections to the Splunk port from ESXi.

The only thing that still needs to be solved is that after a reboot the custom configuration file (splunk.xml) is deleted from the firewall directory and obviously doesn't work anymore; I managed to keep the file persistent across reboots by copying it into the /store directory, but it always needs to be copied back into the VMware firewall directory, which is too mechanical.

Is there a way to solve this issue?

Thanks again

cyberwookie (Enthusiast)

Maybe try to edit one of the existing XML files, like service.xml or fdm.xml.

Not 100% sure if changes to those files will survive a reboot either...

berndweyand (Expert)

This ruleset should work in a separate XML file and will be active after esxcli network firewall refresh:

<ConfigRoot>
  <service>
    <id>splunk</id>
    <rule id='1111'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>11233</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

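Putting the accepted answer's local.sh trick together with the ruleset just above, the following is an added example and not code from the thread, VMware or Splunk. Port 11233 and rule id 1111 are taken from the thread; the datastore name shared-ds, the forwarder address 10.0.0.50 and the function names are assumptions of this example. The esxcli allowedip restriction goes beyond what the thread does: the posted ruleset lets the host reach TCP 11233 on any destination, and pinning it to the forwarder keeps the new hole narrow.

```shell
#!/bin/sh
# Added example, not code from the thread or from VMware/Splunk: render the
# "splunk" firewall ruleset from the replies above, the lines the accepted
# answer says to add to /etc/rc.local.d/local.sh (KB 2043564), and, when run
# on an ESXi host, install it and pin it to the forwarder's address.
# Assumed values (not in the thread): datastore "shared-ds", forwarder
# 10.0.0.50. Port 11233 and rule id 1111 come from the thread.

DATASTORE="${DATASTORE:-shared-ds}"       # assumed shared datastore name
SPLUNK_HOST="${SPLUNK_HOST:-10.0.0.50}"   # assumed heavy-forwarder address
SPLUNK_PORT="${SPLUNK_PORT:-11233}"       # custom port from the thread
RULESET_DIR=/etc/vmware/firewall
STAGED="/vmfs/volumes/${DATASTORE}/splunk.xml"

# Ruleset XML as posted by berndweyand, with the port parameterised.
# A second <rule> with <protocol>udp</protocol> would cover UDP syslog.
make_splunk_ruleset() {
    port="$1"
    cat <<EOF
<ConfigRoot>
  <service>
    <id>splunk</id>
    <rule id='1111'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>${port}</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Cheap structural check before a file is copied onto hosts: exactly one
# <service>, at least one balanced <rule>...</rule>, and only numeric ports.
# Returns 0 when the file passes, 1 otherwise.
check_ruleset() {
    f="$1"
    [ "$(grep -c '<service>' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '<rule ' "$f")" -eq "$(grep -c '</rule>' "$f")" ] || return 1
    [ "$(grep -c '</rule>' "$f")" -ge 1 ] || return 1
    # any <port> value that is not all digits fails the check
    if grep -o '<port>[^<]*</port>' "$f" | sed 's/<[^>]*>//g' | grep -qvE '^[0-9]+$'; then
        return 1
    fi
    return 0
}

# Lines for /etc/rc.local.d/local.sh: re-copy the staged ruleset from the
# datastore on every boot and reload the firewall, as in the accepted answer.
# They must go before the final "exit 0" of local.sh.
make_local_sh_snippet() {
    staged="$1"
    cat <<EOF
# Splunk syslog ruleset, re-applied at boot (see KB 2043564)
if [ -f "${staged}" ]; then
    cp "${staged}" ${RULESET_DIR}/splunk.xml
    esxcli network firewall refresh
fi
EOF
}

# On a real ESXi host: stage, install, and restrict the new outbound rule to
# the forwarder's address (the thread's ruleset alone allows any destination).
apply_on_esxi() {
    make_splunk_ruleset "$SPLUNK_PORT" > "$STAGED"
    check_ruleset "$STAGED" || { echo "bad ruleset: $STAGED" >&2; return 1; }
    cp "$STAGED" "$RULESET_DIR/splunk.xml"
    esxcli network firewall refresh
    esxcli network firewall ruleset set --ruleset-id splunk --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id splunk --ip-address "$SPLUNK_HOST"
    # point the host's syslog at the custom port and reload it
    esxcli system syslog config set --loghost="tcp://${SPLUNK_HOST}:${SPLUNK_PORT}"
    esxcli system syslog reload
    # what the firewall now holds for this ruleset
    esxcli network firewall ruleset rule list --ruleset-id splunk
    esxcli network firewall ruleset allowedip list --ruleset-id splunk
}

if command -v esxcli >/dev/null 2>&1; then
    apply_on_esxi
    echo "# add to /etc/rc.local.d/local.sh before its final exit 0:"
    make_local_sh_snippet "$STAGED"
else
    # not on ESXi: just render the two artefacts for review
    make_splunk_ruleset "$SPLUNK_PORT"
    make_local_sh_snippet "$STAGED"
fi
```

Run it once on the host to stage and install the ruleset, then paste the printed snippet into /etc/rc.local.d/local.sh above its closing exit 0 (KB 2043564). After the next reboot, confirm with esxcli network firewall ruleset list --ruleset-id splunk that the ruleset is back, and with esxcli network firewall ruleset allowedip list --ruleset-id splunk that the address restriction is still in place; if it is not on your build, add the two allowedip lines to local.sh as well. Away from a host the script only renders the two artefacts so they can be reviewed before being copied to the datastore.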
D0d001 (Contributor)

Hello,

It worked as expected.

Thank you Berndweyand and cyberwookie for your help.
Much appreciated! Have a good day!
