VMware Cloud Community
houghtp
Contributor

Syslog server - Splunk

Hi, is anyone using Splunk as their syslog server?

I've got everything set up according to the docs, but I'm not seeing any logging on the Splunk server.

So far I've added the following to the end of syslog.conf:

. @

then restarted the syslog service.

I've opened UDP 514:

esxcfg-firewall -o 514,udp,out,syslog

esxcfg-firewall -l

Then in Splunk I've configured a network data input to listen on UDP 514 from all hosts.

There are no other firewalls between the ESX hosts and the Splunk server.

But no joy.

I'm using Splunk 3.4.3 46779 on Windows. I've currently got a case open with Splunk, but as we have no paid support with them it's on a best-endeavour basis; just wondered if anyone else has this working.

Thanks

Accepted Solutions
dconvery
Champion

Here's how to set it up -> http://www.splunk.com/base/Community:VMwareESXSyslog

Dave Convery

VMware vExpert 2009

http://www.dailyhypervisor.com

8 Replies
benma
Hot Shot

Hey Buddy,

Try the following in your syslog.conf:

[.@plunkserver]

service syslog restart

houghtp
Contributor

Hi, sorry, that should say:

*.* @ <splunk server>

(star dot star); can't get the formatting right in the forum?

benma
Hot Shot

Can you resolve your Splunk server from the ESX host?

I don't think it's needed, but try restarting your Splunk through the admin page.

houghtp
Contributor

Hi

I've confirmed all basic network connectivity. I have also restarted Splunk web a few times after configuring the data input.

Thanks

stevesvt
Contributor

I think it should be . port 514" and then try to generate some syslog messages.

*.* is going to create a ton of syslog messages.

benma
Hot Shot

<dot><space>@IP

I've selected Set source type: Manual

source type syslog

houghtp
Contributor

Cheers folks, I had everything configured along these lines; I just didn't have syslog.conf configured exactly as it should be:

*.* @splunk

I had a tab, not a space, between the * and the @ sign; all working now.

Thanks again.

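A small syslog.conf linter, added here as an example (it is not from the thread, Splunk or VMware), that splits each rule into selector and action on any whitespace and flags a selector broken by stray whitespace, the kind of mistake the final post describes. The file contents and the host name `splunk` are constructed.

```python
import re

# Facilities and priorities accepted by sysklogd-style syslog.conf (the format ESX 3.x uses).
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail", "mark", "news",
              "security", "syslog", "user", "uucp", "*"} | {f"local{i}" for i in range(8)}
PRIORITIES = {"debug", "info", "notice", "warning", "warn", "err", "error", "crit",
              "alert", "emerg", "panic", "none", "*"}
# facility[,facility].[!=]priority, e.g. "*.*", "kern.!err", "mail,news.=info"
SELECTOR_RE = re.compile(r"^([a-z0-9*]+(?:,[a-z0-9*]+)*)\.([!=]*[a-z*]+)$")

# Constructed sample, not the poster's real file: two local rules, a correct forwarding
# rule, and a variant where a tab lands inside the selector instead of after it.
SAMPLE_CONF = (
    "# log everything of info or higher locally\n*.info;mail.none;authpriv.none\t/var/log/messages\n"
    "authpriv.*\t/var/log/secure\n"
    "*.* @splunk\n"
    "*.\t* @splunk\n"
)

def parse_syslog_conf(text):
    """Split each non-comment rule into selector and action; spaces and tabs both count."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        parts = line.split(None, 1)  # the first whitespace run ends the selector
        action = parts[1].strip() if len(parts) == 2 else ""
        entries.append({"line": lineno, "selector": parts[0], "action": action})
    return entries

def lint_forwarding(entries):
    """Report malformed selectors, '*.*' forwarding volume, and a missing '@host' rule."""
    findings, forwards = [], 0
    for e in entries:
        for part in e["selector"].split(";"):
            m = SELECTOR_RE.match(part)
            if not m:
                findings.append(f"line {e['line']}: selector {part!r} is not facility.priority (stray whitespace?)")
                continue
            facs, pri = m.group(1).split(","), m.group(2).lstrip("!=")
            if any(f not in FACILITIES for f in facs) or pri not in PRIORITIES:
                findings.append(f"line {e['line']}: unknown facility or priority in {part!r}")
        action = e["action"]
        if action.startswith("@"):
            forwards += 1
            if e["selector"] == "*.*":
                findings.append(f"line {e['line']}: forwards every message to {action[1:]}; expect high UDP/514 volume")
    if forwards == 0:
        findings.append("no '@host' forwarding rule found: nothing will reach the collector")
    return findings
```

Run `lint_forwarding(parse_syslog_conf(SAMPLE_CONF))` to see the broken rule reported as a selector of `*.` rather than as a forwarding rule.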