Graylog ESXi Setup Help

I am not able to get ESXi and Graylog to play with each other. I had them talking when I was testing Graylog using the OVA, but I have since installed Ubuntu 14.07 and set up Graylog following the doc on Graylog's site. I am able to read Windows events using Sidecar but get nothing from ESXi. I am using the VMware content pack, which when applied created an input called "Logconverter Non-RFC Compliant -> GELF" on port 12204. I have set up ESXi to forward to port 1514 (the firewall is open for that port). Do I need to install Logstash? If so, how do I do that?

Your issue is something completely different from the issue @freebird317 is talking about ... please open a new thread if you have any problems setting up the OVA and do not take over other threads.

I do not know what the content pack does - you did not provide a link to the one you used.

But if you have one input on port 12204, it does not make sense to forward your logs to port 1514 where nothing is listening, right?

Just to make it simple I have removed all inputs except my Beats input for Windows. This is the content pack I am using: https://marketplace.graylog.org/addons/30f5fbea-5d3f-4636-bbf1-6cd3f39941a2 I have "applied the content" and it created one global input called "Logconverter Non-RFC Compliant -> GELF" on 127.0.0.1:12204. I then created a GELF output to 127.0.0.1:12204.

@freebird317

The content pack needs Logstash running to parse the messages into GELF - so it might not be the best choice if you do not have that running.

What is the best way to get ESXi logs in to graylog?

Configure ESXi syslog

First I would suggest moving the ESXi logs from /tmp/scratch to permanent storage.

Then disable the firewall on ESXi and see if it helps:

[root@SA-ESXI1:~] esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
[root@SA-ESXI1:~] esxcli network firewall set -e=false
[root@SA-ESXI1:~] esxcli network firewall refresh
[root@SA-ESXI1:~] esxcli network firewall get
Default Action: DROP
Enabled: false
Loaded: true

Finally I would recommend Logstash to filter out events, because ESXi sends a lot of useless info:

input {
  syslog {
    port => 1514
    type => "esxi"
  }
}

filter {
  if [type] == "esxi" {
    # drop the chatty ESXi daemons
    if [program] in ["Rhttpproxy", "Hostd", "Vpxa", "vmkernel"] { drop { } }
  }
}

output {
  if [type] == "esxi" {
    # forward whatever survives the filter to the Graylog GELF UDP input
    gelf { host => "127.0.0.1" port => 12223 }
  }
}

In this case you do not need any content packs, just create a simple GELF UDP input.
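The Logstash pipeline above does three things: accept ESXi syslog on UDP/1514, drop the chatty daemons by program name, and hand the rest to a Graylog GELF UDP input. Two practical caveats a practitioner will hit: Logstash's syslog input only parses RFC 3164-style lines, and ESXi 5+ hosts send ISO-8601 timestamps, so the lines may be tagged with a grok failure and carry no `program` field (which is why the content pack in this thread is named "Non-RFC Compliant"), and `Hostd` is where ESXi records user logins, so dropping it wholesale throws away the host's authentication trail. The script below is an added example of mine, not code from this thread or from Graylog or VMware: a small Python shim that does the same job as the pipeline above but parses both line shapes itself and keeps login and authentication events even from the dropped daemons. It assumes a Graylog GELF UDP input on 127.0.0.1:12223 as in the post above; the sample lines are constructed, not captured from a real host. To point a host at it, set `esxcli system syslog config set --loghost=udp://<shim-host>:1514`, run `esxcli system syslog reload`, and open only the syslog ruleset with `esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true` rather than disabling the whole ESXi firewall.

```python
"""ESXi syslog -> GELF shim (added example; stands in for the logstash pipeline).

Listens for ESXi syslog over UDP, drops the chatty daemons the way the
logstash 'drop' filter does, but keeps login/authentication events from
them, and forwards everything else as GELF to a Graylog GELF UDP input.
"""
import json
import re
import socket
from datetime import datetime, timezone

# Same drop list as the logstash filter in the thread.
NOISY_PROGRAMS = {"Rhttpproxy", "Hostd", "Vpxa", "vmkernel"}
# Messages matching this are kept even when the program is in the drop list:
# Hostd is where ESXi logs user logins, so dropping it wholesale loses the auth trail.
KEEP_PATTERN = re.compile(
    r"logged in|Accepted password|auth succeeded|authentication failure|Failed password", re.I
)

# Two line shapes ESXi hosts emit (see the constructed samples at the bottom):
#   <PRI>2019-03-04T10:11:12.123Z host app[pid]: message   (ISO timestamp, ESXi 5+)
#   <PRI>Mar  4 10:11:15 host app[pid]: message            (RFC 3164 style)
_HEAD = r"^<(?P<pri>\d{1,3})>"
_TAIL = r"\s+(?P<host>\S+)\s+(?P<app>[^:\s\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
_ISO = re.compile(_HEAD + r"(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z?)" + _TAIL)
_BSD = re.compile(_HEAD + r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)" + _TAIL)


def parse_esxi_syslog(line):
    """Parse one syslog line into a dict, or return None if it matches neither shape."""
    line = line.strip()
    m = _ISO.match(line) or _BSD.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    ts = m.group("ts")
    if "T" in ts:
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    else:
        # RFC 3164 carries no year; assume the current one (an assumption of this example).
        when = datetime.strptime(f"{datetime.now(timezone.utc).year} {ts}", "%Y %b %d %H:%M:%S")
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # ESXi logs in UTC
    return {
        "facility": pri >> 3,  # syslog PRI = facility * 8 + severity
        "severity": pri & 7,
        "timestamp": when.timestamp(),
        "host": m.group("host"),
        "program": m.group("app"),
        "message": m.group("msg"),
    }


def to_gelf(ev):
    """Build a GELF 1.1 payload; custom fields must be prefixed with '_'."""
    return {
        "version": "1.1",
        "host": ev["host"],
        "short_message": ev["message"][:250] or "(empty)",
        "full_message": ev["message"],
        "timestamp": ev["timestamp"],
        "level": ev["severity"],
        "_program": ev["program"],
        "_facility": ev["facility"],
        "_source_type": "esxi",
    }


def filter_lines(lines, drop=NOISY_PROGRAMS, keep=KEEP_PATTERN):
    """Parse lines, drop noisy programs unless 'keep' matches, return GELF dicts.

    With keep=None this is exactly the thread's logstash filter. Lines that match
    neither shape are dropped too, so the counts show what a strict parser loses.
    """
    out = []
    for line in lines:
        ev = parse_esxi_syslog(line)
        if ev is None:
            continue
        if ev["program"] in drop and not (keep and keep.search(ev["message"])):
            continue
        out.append(to_gelf(ev))
    return out


def serve(listen_port=1514, gelf_host="127.0.0.1", gelf_port=12223):
    """Receive ESXi syslog on UDP and forward the kept events as GELF UDP datagrams.

    Syslog lines are far below the 8 KiB GELF UDP limit, so no chunking is done.
    """
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("0.0.0.0", listen_port))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        data, _ = rx.recvfrom(65535)
        for msg in filter_lines([data.decode("utf-8", "replace")]):
            tx.sendto(json.dumps(msg).encode("utf-8"), (gelf_host, gelf_port))


# Constructed sample lines in the two shapes above (not captured from a real host).
SAMPLE_LINES = [
    "<166>2019-03-04T10:11:12.123Z esx1.example.com Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root@10.0.0.5 logged in as VMware VI Client/6.0.0",
    "<14>2019-03-04T10:11:13.456Z esx1.example.com vmkernel: cpu3:2098)NMP: nmp_ResetDeviceLogThrottling:3345: last error status from device naa.600 repeated 10 times",
    "<38>2019-03-04T10:11:14.789Z esx1.example.com sshd[12345]: Accepted password for root from 10.0.0.5 port 51234 ssh2",
    "<38>Mar  4 10:11:15 esx1.example.com dropbear[2222]: Password auth succeeded for 'root' from 10.0.0.5:51235",
    "this line matches neither shape and is dropped",
]

if __name__ == "__main__":
    for msg in filter_lines(SAMPLE_LINES):
        print(json.dumps(msg))
```

Run it with no arguments to see the three events that survive the constructed samples (the Hostd login is kept only because of `KEEP_PATTERN`; pass `keep=None` to get the thread's behaviour), or call `serve()` on the Graylog box to run it as a daemon in front of a plain GELF UDP input on 12223.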
