Send ESXi 5.0 Syslog to Splunk

1) Install Splunk. In my example, I use Linux as the Splunk server.

rpm -i splunk-4.3.4-136012-linux-2.6-x86_64.rpm

/opt/splunk/bin/splunk start

2) Go the web server http://dev-linux-01:8000 to open the TCP and UDP 514 port.




Do the same to open UDP port 514.

3) Login to the ESXi host to configure the remote syslog host.

esxcli system syslog config set --loghost='tcp://dev-linux-01:514'

Confirm the settings has been changed:                                

esxcli system syslog config get

   Default Rotation Size: 1024
   Default Rotations: 8
   Log Output: /vmfs/volumes/4f7ac000-74fed078-3c5d-5cf3fcad2d4a/Logs
   Log To Unique Subdirectory: true
   Remote Host: tcp://dev-linux-01:514

Open the outgoing port in firewall:

esxcli network firewall ruleset set –ruleset-id=syslog –enabled=true
esxcli network firewall refresh

Reload the syslog settings:

esxcli system syslog reload

Now you should be able to see the syslog coming from ESXi host in Splunk.


NOTE: ESXi uses UTC in log time stamp.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s