VMware Content Pack for ESXi Hypervisor and vCenter with Dashboard and Extractors for 7.x, 6.7, 6.5, 6.0, and 5.5


Provides Graylog Dashboards for all Hypervisors, Storage performance, DVS Messages, VMware version, Storage path failures, Host/Device Performance issues, Memory/CPU alerts, Last list of vMotions, MAC to DVS, VMware port group to hypervisor, Last login failures, Last successful logins, Last 2 hours guests attempting network sniffing, TOP LDAP users, and VMware virtual machines recent changes by users, all in a simple-to-use Dashboard that is completely customizable! To get the best benefit, make sure your Graylog instance is configured for syslog UDP, and make sure to use distributed switching within VMware! Have fun! Extractions use GROK; I’ve not had the time to change this to regex!

New: Cohesity Extractors and Dashboard for Backups
New: Dell and Cisco UCS Extractions
New: VMware 7 regex extractions
New: Security Extractions

  1. Download content_pack.json and install it under System/Input Content Packs
  2. Download vmware_vcenter_extractors and import it under the System/Inputs/Manage extractors
  3. It is recommended to apply a dedicated bucket ports/syslog input for vmware to structure your data!
  4. Make sure you point your syslog for both hypervisors and vcenters, start receiving your data. View the Vmware Dashboard.
  5. Wait for your data to start coming in.

I’ve installed this content pack but I’m seeing nothing. Is this supposed to just work automagically?

Each widget is displaying “Elasticsearch exception [type=index_not_found_exception, reason=no such index ]”

I’m new to GL and have only the default index. Do I need a specific index for this?
My ESXi host are indeed pushing syslog to my GL instance via tcp (instead of udp). Could that be the issue?
I’m hoping this ‘just works’ as I learn GL because I’d like to propose GL in a POC so I’m hoping to get some visuals in the dashboard w/o needing (yet) to have significant GL experience/knowledge.

Hi, Joe,

Thanks for your contribution and update. Please check your content pack update to ensure that it’s properly marked and in the right place in the Marketplace.

Also, I’d like to introduce your work to the community. Please contact me at david.sciuto@graylog.com and I’ll include information on how the community can help to highlight the work Open Community members are doing in the Marketplace. I’d like to help bring attention to your update.

Please make sure you enable the high port via iptables, graylog starts on 1514/udp or tcp, please

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to-ports 1514

Just an FYI: if you're using VMware 6.7, there is a bug in the syslog service (VMware Knowledge Base).

This is resolved in vSphere 6.7 U3g, Build 16046470.

But if you're not up to that version, to get logs reliably I added a cronjob to vCenter to restart the service; for me every hour has been good.


Hi @dcecchino,
the extractors for vSphere 7 look for some lookup tables, but I can’t find them in the content pack.
Am I missing something from the docs?

Much apologies, I have removed those, as those I have for my lab testing.

If you do want to play with them you’ll have to create a lookup index/etc…

vmware7_datacenterlookup_by_hypervisor basically finds the datacenter id associated to the hypervisor source hostname

vmware_folder_name is if you create vmware folders I extract the folder_name by the vmware_guest_machine

Though if you are not getting too advanced with lookups, I won’t look at any further.


Thank you for creating this, and it is obvious a lot of time has been put into this.

With the number of extraction rules though, it could really do with having the option to only try an extract if it contains the right start of the message. I did import the rules, but it completely melts the CPU due to the large extractions. I have seen some extractions take up to 7 seconds.
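The gating asked for in the post above exists in Graylog as a per-extractor condition (only attempt extraction if the field contains a string or matches a regular expression). The following is an added example, not part of the original thread or the content pack: it audits an extractor export for rules that run on every message and counts how many attempts the conditions save. The JSON field names follow the Graylog extractor export layout as an assumption; the titles, patterns and log lines are constructed.

```python
import json
import re

# Constructed sample in the layout of a Graylog extractor export. Titles,
# patterns and messages are made up; they are not taken from the content pack.
SAMPLE_EXPORT = json.dumps({"extractors": [
    {"title": "storage_path_state", "extractor_type": "grok",
     "source_field": "message", "condition_type": "none", "condition_value": "",
     "extractor_config": {"grok_pattern": "%{GREEDYDATA:pre}path %{DATA:path} %{GREEDYDATA:state}"}},
    {"title": "login_failure", "extractor_type": "grok",
     "source_field": "message", "condition_type": "string",
     "condition_value": "Rejected password",
     "extractor_config": {"grok_pattern": "Rejected password for user %{USERNAME:user}"}},
    {"title": "vmotion", "extractor_type": "regex",
     "source_field": "message", "condition_type": "regex",
     "condition_value": "^\\S+ Vpxa: ",
     "extractor_config": {"regex_value": "Migrating (\\S+)"}},
]})

SAMPLE_MESSAGES = [  # constructed log lines
    "esx01 Hostd: Rejected password for user root from 192.0.2.10",
    "esx01 Vpxa: Migrating vm-42 to esx02",
    "esx02 vmkernel: cpu3: heartbeat ok",
]

def condition_allows(extractor, message):
    """Mirror the gate: 'none' always runs, 'string' needs a substring,
    'regex' needs a match somewhere in the field."""
    kind = extractor.get("condition_type", "none")
    value = extractor.get("condition_value", "")
    if kind == "string":
        return value in message
    if kind == "regex":
        return re.search(value, message) is not None
    return True

def ungated(export_text):
    """Titles of extractors that are attempted on every message."""
    return [e["title"] for e in json.loads(export_text)["extractors"]
            if e.get("condition_type", "none") == "none" or not e.get("condition_value")]

def attempt_counts(export_text, messages):
    """(attempted, skipped) extractor runs across all messages."""
    extractors = json.loads(export_text)["extractors"]
    attempted = sum(condition_allows(e, m) for e in extractors for m in messages)
    return attempted, len(extractors) * len(messages) - attempted

if __name__ == "__main__":
    print("run on every message:", ungated(SAMPLE_EXPORT))
    print("attempted/skipped:", attempt_counts(SAMPLE_EXPORT, SAMPLE_MESSAGES))
```

Pointing `ungated()` at a real export lists the rules worth giving a cheap string condition first, since those are the ones evaluated against every incoming message.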

Having issues with the dashboard when using Graylog 5.0.2+59d96f8.

The error I get is in the VMware Dashboard view. Query parsing error: Cannot parse query, cause: ‘*’ or ‘?’ not allowed as first character in WildcardQuery.

Found it. I needed to enable the allow_leading_wildcard_searches = true in the config file.

Is this project still alive and working for version 7?
My extractors are not working on version 5 of Graylog.

this is my input

this is a snip of the extractors

I get an error / warning that failure_type does not exist.

Most likely you get these errors because you’ve not ingested the data yet that would produce these errors


I have a lot of data coming in from Vmware already. /R suggests the extractors are not working but I’m not sure how to troubleshoot.

Make sure your extractor is applied to the input, tcp or udp. Works for many people already including myself.

Also, your vmware input is listening on 1517; you need to forward your data via iptables from 514/udp to that 1517 input.

Here are some examples.
On the dashboard, I focus on the bad login section.
Clicking edit shows unknown field.
Here is a log of an entry of a failed login that was sent to Graylog

and here is the extractors

You aren’t extracting an ip address, edit that panel and remove ip address group by field, save the panel, refresh.

I think this is my point. I made no changes to the dashboard. This is all stock.
To confirm, you are asking me to REMOVE the following section in the screenshot? If so, why? I would like to know where the attempt came from.

Also, it does look like I'm doing by IP