Graylog ESXi Setup Help

freebird317 · March 2, 2018, 3:37pm

I am not able to get ESXi and graylog to play with each other. I had them talking when I was testing graylog using the OVA. But I have since installed Ubuntu 14.07 and setup graylog following the doc on graylogs site. I am to read windows events using sidecar but nothing from ESXi. I am using vmware content pack which when applied it created an input called Logconverter Non-RFC Compliant -> GELF on port 12204. I have setup ESXi to forward to port 1514 (firewall is opened for port). Do I need to install logstash? How do I do that if so?

jan · March 2, 2018, 4:55pm

your issue is something complete different from the issue @freebird317 is talking off … please open a new thread if you have any problems setting up the OVA and do not capture other threads.

jan · March 2, 2018, 4:57pm

I did not know what the content pack does - you did not provide a link to your used one.

But if you have one input on port 12204 it does not make sense to forward your logs to port 1514 where nothing is listening. right?

freebird317 · March 2, 2018, 5:18pm

Just to make it simple I have removed all imputs execpt my beats for windows. This is the content pack I am using https://marketplace.graylog.org/addons/30f5fbea-5d3f-4636-bbf1-6cd3f39941a2 I have “applied the content” and it created one golbal input called “Logconverter Non-RFC Compliant -> GELF” on port 127.0.0.1:12204. I then created a GELF output on 127.0.0.1:12204.

jan · March 2, 2018, 5:39pm

@freebird317

the content pack needs logstash running for parsing the messages into GELF - so that might be not the best choice if you did not have that running.

freebird317 · March 2, 2018, 5:42pm

What is the best way to get ESXi logs in to graylog?

bubba198 · March 2, 2018, 9:23pm

Configure ESXi syslog

ysus · March 5, 2018, 4:48pm

First I would suggest to move ESXi logs from /tmp/scratch to permanent storage.

Then disable firewall on ESXi and see if it hepls

[root@SA-ESXI1:~] esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
[root@SA-ESXI1:~] esxcli network firewall set -e=false
[root@SA-ESXI1:~] esxcli network firewall refresh
[root@SA-ESXI1:~] esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true

Finally I would recommend logstash to filter out events because ESXi sends a lot of useless info

input:

syslog {
port => 1514
type => “esxi”
}

filter

if [type] == “esxi” {
    if [program] in ["Rhttpproxy","Hostd","Vpxa","vmkernel"] { drop { } }
}

output:

if [type] == “esxi” {
gelf { host => “127.0.0.1” port => 12223 }
}

In this case you do not need any content packs, just create simple GELP UDP input

system · March 19, 2018, 4:48pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
VMWare host syslog Graylog Central (peer support)	7	6419	April 2, 2019
Vmware esxi 6 logs Graylog Central (peer support)	2	2726	June 15, 2017
Stuck newbie can't search and display Graylog Central (peer support)	3	507	July 9, 2018
Collect UDP Syslogs Graylog Central (peer support)	5	2511	November 12, 2020
Just not ingesting any logs Graylog Central (peer support)	10	1456	March 19, 2019

Graylog ESXi Setup Help

Related Topics