VMware content pack imported, but "Show received messages" stays empty

Hello!

I just tried to add our VMware ESXi hosts to Graylog and found the “VMware content pack” in the marketplace.

My problem now:

tcpdump (on the OS) and NetworkIO + throughput/Metrics on the Graylog website show me that there are messages coming in, but when I click on “Show received messages” there is “Nothing found”.

Why is that?

I tried to delete the input and add it once more, but it did not solve the problem. When I change my ESXi config back to the “old” input I see the messages coming in, but I would like to have the VMware messages on a separate input.

Any ideas?

Doing a restart in the meantime…

Which content pack are you using?
Did you only import the content pack or did you also apply the content pack? These are two separate steps.
How did you configure the ESXi hosts to forward messages to Graylog?

Which content pack are you using?
=> https://marketplace.graylog.org/addons/30f5fbea-5d3f-4636-bbf1-6cd3f39941a2
Did you only import the content pack or did you also apply the content pack?
=> Well, I thought it would be enough to “Import content pack”?!
These are two separate steps. => checked! Apply was made! That's not the problem.
=> Ok, not sure if that is the problem.
How did you configure the ESXi hosts to forward messages to Graylog?
=> esxcli system syslog config set --loghost='udp://xxxx:12204'
=> esxcli system syslog reload
=> esxcli system syslog config get => Shows everything is fine
=> switching off the esx-firewall for testing
=> esxcli system syslog reload

The content pack you’ve linked to is using a GELF UDP input on port 12204, not a Syslog UDP input.

Please refer to the README of that content pack for details on how to use it.

Ok, I didn't get that. So the ESXi hosts need to send their logs to the Syslog port 514 and

The output {…} tells it to forward that to the “other” listener?

Logstash is being used to receive messages on port 1514, processes them, and then send GELF UDP messages to Graylog on port 12204.
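
The mismatch discussed in the replies above, as an added example that is not part of the original thread or of the content pack: a GELF UDP input expects GELF datagrams, while the ESXi hosts emit plain syslog. The Python sketch classifies a datagram by its leading bytes and performs the syslog-to-GELF step that Logstash does in the content pack's setup; the ESXi line layout, the sample line, and the function and field names are assumptions.

```python
import json
import re
import zlib

# Assumed ESXi line layout: <PRI>ISO-timestamp host app: message
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ([^:\s]+): (.*)$", re.S)
# Constructed sample line, not captured from a real host.
SAMPLE = (b"<166>2017-03-01T10:15:30.123Z esx01.example.test Hostd: "
          b"verbose hostd[2A3B] [Originator@6876 sub=Default] sample event")


def classify_payload(data: bytes) -> str:
    """Name the kind of datagram by its leading bytes (GELF magic values)."""
    if data.startswith(b"\x1e\x0f"):          # GELF chunk header
        return "gelf-chunked"
    if data.startswith(b"\x1f\x8b"):          # gzip-compressed GELF
        return "gelf-gzip"
    if data[:1] == b"\x78":                   # zlib-compressed GELF
        try:
            zlib.decompress(data)
        except zlib.error:
            return "unknown"
        return "gelf-zlib"
    if data.lstrip().startswith(b"{"):        # uncompressed GELF JSON
        try:
            doc = json.loads(data)
        except ValueError:
            return "unknown"
        required = {"version", "host", "short_message"}
        return "gelf-json" if required <= doc.keys() else "unknown"
    if re.match(rb"<\d{1,3}>", data):         # syslog PRI prefix
        return "syslog"
    return "unknown"


def syslog_to_gelf(line: str) -> bytes:
    """Build a GELF 1.1 JSON payload from one syslog line."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("line does not match the assumed layout")
    pri, ts, host, app, msg = m.groups()
    doc = {
        "version": "1.1", "host": host, "short_message": msg,
        "level": int(pri) & 7,               # syslog severity
        "_facility_code": int(pri) >> 3,     # custom fields start with "_"
        "_application": app, "_event_time": ts,
    }
    return json.dumps(doc).encode("utf-8")
```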

Ok, I got that.
The last question would be how to tell my “normal” Input (in Graylog) to forward these messages to the next input.

Btw: Seems to me there should be a way to send the VMware logs to another input to have them separated first? Doesn't that make more sense? Would it be “best practice” to do it like this?

What do you mean?

Why? You can separate them with their source field, unless you’re collecting them before and let the aggregator send them to Graylog.

I thought it would be like:

1.) Our syslog INPUT on Port 514 gets the messages from all Linux and ESXi servers
2.) I can look them up in the “Stream” and filter them with rules

That worked fine for Linux syslogs but not for the ESXi logs, as the fields are different.

The next idea was to make a new input, let the ESXi hosts send the logs to that input and have them look correct.

Now I have switched back to sending all the logs to one input, and now I cannot filter for “source”, as the “source” field has the value “verbose”, as ESXi does not send standard syslog.

I thought that this new input coming with the content pack would sort the fields correctly and give me the opportunity to separate the ESXi logs from the Linux logs, so that I can build special filters only on Linux or only on ESXi logs.

Did I get it all wrong?

I see the possibility to have all logs in one input, but how should the filters work when the fields are scrambled?

You can use a Raw/Plaintext UDP input for receiving the logs from ESXi hosts and use extractors or pipeline rules to extract the required information from these logs:

Yes, the author of the content pack was using Logstash to normalize the logs from ESXi. You left that out completely.

Maybe you can file an issue with your questions in the original repository: Issues · dschutterop/VMware-Content-Pack · GitHub

I thought there might be an “out-of-the-box” solution for monitoring ESXi hosts, as that would be interesting for quite a few admins.
Do you know a better way to do it?

Otherwise:

I fall back to the idea of creating an INPUT only for the ESXi logs and tweaking that so it would look correct?
