Splunk is also available in a free edition with some limits, and one of those limits is precisely the lack of the dedicated App for VMware. Splunk in fact has a common baseline for both editions, which you can enrich with tons of Apps, some developed directly by Splunk (like the one I'm going to describe in this post), others free and developed by a really active community.
Splunk for VMware is available only for the Windows version of vCenter, not for the appliance. Also, the license should be able to ingest at least 600-1000 Mb of logs per host. Not a small number, so check carefully the size of your infrastructure.
The infrastructure used by Splunk for VMware has three different modules, as described in this diagram.
Let’s try to install all of them!
First, you need to create a service account with limited permissions in vCenter. Splunk has a dedicated paper with step-by-step instructions. Follow it.
Once the account is ready, you should install the Splunk App. The installation is described on this webpage. It's easier than it seems: in the end you only need to upload the zip file to the Splunk server(s), unzip it and copy its content into the app directory inside Splunk. If you have a single Splunk server installed with default parameters, the content needs to be copied into /opt/splunk/etc/apps.
Once you have restarted Splunk, you will find a new module on the home page, the VMware one:
The setup only configures quotas for the searches. The App is then ready, and Splunk redirects you to the VMware home page, where you can see some interesting searches available:
This is only the first part of the activity. Next, move to the vCenter Add-On component. This component is based on the Splunk Universal Forwarder, so you need to install that first on vCenter. Once it's installed, the forwarder is easy to configure, and you can once again follow the installation steps on the Splunk website.
Once the forwarder is ready, install the vCenter Add-On. Once again follow the instructions: unzip the package and copy its content into the etc/apps folder of the Splunk installation on vCenter. In the "defaults" directory you will find a file named inputs.conf; copy it into the "local" directory (it does not exist at this point, you need to create it), then edit the file and set "disabled = false", and finally restart the forwarder.
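The copy-and-enable step above, scripted as an added example (not from the original post or from Splunk): it stages inputs.conf into local/, flips every "disabled" line to false without touching the shipped copy, and checks the result before you restart the forwarder. It assumes the usual Splunk app layout of a default/ directory for shipped config and a local/ directory for overrides, and a Unix-style host; on a Windows vCenter the same edit is made under the forwarder's install directory.

```shell
#!/bin/sh
# enable_inputs <app_dir>
# Copies <app_dir>/default/inputs.conf to <app_dir>/local/inputs.conf and
# rewrites every "disabled = ..." line (any spacing, 0/1/true/false) to
# "disabled = false". The shipped file in default/ is left untouched.
# Returns non-zero if the source is missing, nothing was enabled, or a
# stanza is still disabled after the rewrite.
enable_inputs() {
    app_dir=$1
    src="$app_dir/default/inputs.conf"
    dst_dir="$app_dir/local"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    mkdir -p "$dst_dir"   # local/ does not exist on a fresh add-on install
    sed 's/^[[:space:]]*disabled[[:space:]]*=.*/disabled = false/' \
        "$src" > "$dst_dir/inputs.conf"
    # Post-condition: at least one enabled input, no disabled one left.
    grep -q '^disabled = false' "$dst_dir/inputs.conf" || return 1
    ! grep -Eq '^disabled = (1|true)' "$dst_dir/inputs.conf"
}

# count_enabled <conf_file>
# Prints how many "disabled = false" lines the staged file contains.
count_enabled() {
    grep -c '^disabled = false' "$1"
}

# Constructed sample add-on (not a real Splunk package) so the script
# runs stand-alone; the stanza names are placeholders.
demo=$(mktemp -d)
mkdir -p "$demo/vcenter_addon/default"
printf '[script://./bin/vcenter_collect.py]\ndisabled = 1\ninterval = 60\n\n[monitor:///var/log/vcenter]\ndisabled=true\n' \
    > "$demo/vcenter_addon/default/inputs.conf"
enable_inputs "$demo/vcenter_addon" && cat "$demo/vcenter_addon/local/inputs.conf"
```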
Last step: you need to deploy the FA VM. It's a virtual appliance, used to collect logs and information from all the ESXi hosts and VMs. Deployment is really simple; as usual you need to deploy a new VM from the template, power it on and configure networking... even here, take a look at the installation docs. Be warned, it takes many, many steps! Only one warning here: if you cannot log in to the virtual appliance console, don't assume the passwords are wrong; remember the keyboard delay instead!
Once Splunk is ready, give it some time to collect information about the environment, and you will see data appearing in the web interface. My lab does not have much data to show, but from here on your only limit is your imagination about what kind of searches you want to run!