I just tried to add our VMware ESXi hosts to Graylog and found the “VMware content pack” in the marketplace.
My problem now:
tcpdump (on the OS) and NetworkIO + throughput/Metrics on the Graylog web interface show me that messages are coming in, but when I click on “Show received messages” there is “Nothing found”.
Why is that?
I tried to delete the input and add it once more, but that did not solve the problem. When I change my ESXi config back to the “old” input I see the messages coming in, but I would like to have the VMware messages on a separate input.
Which content pack are you using?
Did you only import the content pack or did you also apply the content pack? These are two separate steps.
How did you configure the ESXi hosts to forward messages to Graylog?
Which content pack are you using?
=> https://marketplace.graylog.org/addons/30f5fbea-5d3f-4636-bbf1-6cd3f39941a2
Did you only import the content pack or did you also apply the content pack?
=> Well, I thought “Import content pack” would be all there is to it?!
These are two separate steps. => Checked! Apply was done! That's not the problem.
=> OK, not sure if that is the problem.
How did you configure the ESXi hosts to forward messages to Graylog?
=> esxcli system syslog config set --loghost='udp://xxxx:12204'
=> esxcli system syslog reload
=> esxcli system syslog config get => shows everything is fine
=> switching off the ESXi firewall for testing
=> esxcli system syslog reload
OK, I got that.
The last question would be how to tell my “normal” input (in Graylog) to forward these messages to the next input.
Btw: it seems to me there should be a way to send the VMware logs to another input to have them separated first? Doesn't that make more sense? Would it be “best practice” to do it like this?
1.) Our syslog input on port 514 gets the messages from all Linux and ESXi servers
2.) I can look them up in the “Stream” and filter them with rules
That worked fine for Linux syslogs but not for the ESXi logs, as the fields are different.
The next idea was to make a new input, let the ESXi hosts send the logs to that input and have them look correct.
Now I have switched back to sending all the logs to one input, and now I cannot filter for “source”, as the “source” field has the value “verbose” because ESXi does not send standard syslog.
I thought that the new input coming with the content pack would sort the fields correctly and give me the opportunity to separate the ESXi logs from the Linux logs, so that I can build special filters only on Linux or only on ESXi logs.
Did I get it all wrong?
I see the possibility to have all logs in one input, but how should the filters work when the fields are scrambled?
You can use a Raw/Plaintext UDP input for receiving the logs from ESXi hosts and use extractors or pipeline rules to extract the required information from these logs.
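As an added illustration of that answer (example code written for this thread, not part of the original posts or of Graylog), the parsing step you would put behind such a Raw/Plaintext UDP input, done in Python so it can be run offline. The ESXi and Linux sample lines are constructed for the example; the hostnames, process IDs and opIDs are made up. The ESXi pattern assumes the layout those hosts commonly emit (PRI, ISO 8601 timestamp, hostname, daemon name with a colon, a severity word, then the body), which is also why a plain RFC 3164 parser ends up with the wrong token in `source`. In Graylog the same regex would go into a regex extractor or a pipeline rule's `regex()` call, and a stream rule would then match on the resulting `log_type` field to keep ESXi and Linux messages apart.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the ESXi syslog style: <PRI>, ISO 8601 timestamp,
# hostname, daemon name followed by a colon, a severity word, then the body.
# Hostnames and identifiers are made up for this example.
ESXI_SAMPLES = [
    "<166>2018-05-03T09:22:31.123Z esx01.example.local Hostd: verbose hostd[2C1C1B70] "
    "[Originator@6876 sub=PropertyProvider] RecordOp ASSIGN: info.state, task-1234",
    "<166>2018-05-03T09:22:31.456Z esx01.example.local Vpxa: info vpxa[FFE1DB70] "
    "[Originator@6876 sub=vpxLro opID=HB-host-22@1234-abcd] [VpxLRO] -- BEGIN task-internal-1 -- ",
    "<164>2018-05-03T09:22:32.001Z esx02.example.local Rhttpproxy: warning rhttpproxy[FFD8AB70] "
    "[Originator@6876 sub=Proxy Req 00042] Connection to localhost:8307 failed",
]

# Constructed RFC 3164 line as a Linux host would send it, for comparison.
LINUX_SAMPLE = ("<38>May  3 09:22:33 web01 sshd[1234]: Accepted publickey for admin "
                "from 10.0.0.5 port 51122 ssh2")

# ESXi layout: the token after the daemon name is a severity word, not the message.
ESXI_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<process>[A-Za-z0-9_.-]+):\s+"
    r"(?:(?P<level>verbose|info|warning|error|debug)\s+)?"
    r"(?P<body>.*)$"
)

# Classic RFC 3164 layout: "Mmm dd hh:mm:ss host tag[pid]: message".
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<source>\S+)\s+"
    r"(?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*"
    r"(?P<body>.*)$"
)


def split_pri(pri: int) -> Dict[str, int]:
    """Decode the syslog PRI value into facility and severity (PRI = facility * 8 + severity)."""
    return {"facility": pri >> 3, "severity": pri & 0x7}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Try the ESXi pattern first, then plain RFC 3164. Returns None if neither fits."""
    for log_type, pattern in (("esxi", ESXI_RE), ("rfc3164", RFC3164_RE)):
        m = pattern.match(line)
        if m:
            fields: Dict[str, object] = {"log_type": log_type}
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
            fields.update(split_pri(int(str(fields["pri"]))))
            return fields
    return None


def route(lines: List[str]) -> Dict[str, List[Dict[str, object]]]:
    """Group parsed messages by log_type, the field a stream rule would match on.

    Lines that match neither pattern are kept under "unparsed" rather than dropped,
    so nothing silently disappears the way it did on the mis-parsed input.
    """
    buckets: Dict[str, List[Dict[str, object]]] = {"esxi": [], "rfc3164": [], "unparsed": []}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            buckets["unparsed"].append({"message": line})
        else:
            buckets[str(parsed["log_type"])].append(parsed)
    return buckets


if __name__ == "__main__":
    for kind, msgs in route(ESXI_SAMPLES + [LINUX_SAMPLE, "garbage line"]).items():
        for msg in msgs:
            print(kind, {k: msg.get(k) for k in ("source", "process", "level", "severity")})
```

Running the block shows the ESXi lines come out with `source` set to the hostname and the severity word in its own `level` field, while the Linux line is parsed as ordinary RFC 3164 with `process` and `pid`; anything that matches neither pattern is kept as raw `message` so it can still be found. The same split is what a stream rule on `log_type` would give you once the extractor or pipeline rule has populated the fields.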
I thought there might be an “out-of-the-box” solution for monitoring ESXi hosts, as that would be interesting for quite a few admins.
Do you know a better way to do it ?
Otherwise:
I fall back to the idea of creating an input only for the ESXi logs and tweaking it so it would look correct?