
VMware content pack

Content Pack

Graylog VMware Content Pack

dschutterop
free!

Published

29 Jan 10:11

Last Push

29 Jan 10:11


Discussion

3 Comments


Comments

alias454 over 3 years ago

As another note to other remote syslog services, I send log output from a few standalone VMware hosts to a centralized rsyslog server.

# Both templates rebuild the message as an RFC 5424 line (the leading "1 " is the
# version field) so that the receiving syslog input parses it as RFC 5424.
#
# VMWARE: stamps the line with the time rsyslog received it (timegenerated) and the
# immediate sender (fromhost); only the tag is kept from the original header.
template(name="VMWARE" type="string"
    string="1 %timegenerated:::date-rfc3339% %fromhost% %syslogtag% %msg%\n")

# ESXTIMEFIX: keeps the timestamp from inside the ESXi message and passes the
# parsed RFC 5424 header fields (host, app, procid, msgid, structured data) through.
template(name="ESXTIMEFIX" type="string"
    string="1 %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

#### RULES for where to send log files ####
# Forward everything (*.*) over TCP (@@) to the log server on port 514, formatted
# with the template named after the ';', then stop so the message is not also
# written to the local log files.
if $hostname == "Section" then {
    *.* @@log.server.tld:514;VMWARE
    stop
}

if $hostname == "vmhost.server.tld" then {
    *.* @@log.server.tld:514;ESXTIMEFIX
    stop
}

Jerrison777 over 3 years ago

Just leaving this here because it took me some hours to figure it out: if you get ESX logs and are not happy with the -1 hour display due to timezones, here's a fix you can add to the script above so that Graylog takes the time the log was received instead of the timestamp inside the log itself:

input {
  # Receive the ESXi syslog stream (the port must be a number, no trailing space)
  syslog {
    port => 1514
  }
}

filter {
  # Replace the sender's IP address in "host" with its reverse-DNS name
  dns {
    reverse => [ "host" ]
    action  => "replace"
    add_tag => [ "dns" ]
  }

  # Split the syslog priority into facility and severity fields
  syslog_pri { }

  # Drop both the timestamp parsed from the ESXi message and the event's own
  # @timestamp, so the event is stamped with the time it was received
  mutate {
    remove_field => [ "timestamp", "@timestamp" ]
  }
}

output {
  # Ship to the Graylog GELF input on localhost; do not forward the timestamp
  # metadata either, otherwise Graylog would pick the original time back up
  gelf {
    chunksize       => 1420
    host            => "127.0.0.1"
    port            => 12204
    ignore_metadata => [ "@timestamp", "@version", "timestamp" ]
  }
}

Now, this was tested with logstash 2.2 and worked for me.
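The two comments above take different routes to the same timestamp problem: the ESXTIMEFIX template forwards the ESXi timestamp as an RFC 5424 line, while the Logstash pipeline throws that timestamp away and lets the receive time win. The following is an added example (not part of the content pack and not code from either commenter) that parses lines in the shape ESXTIMEFIX emits, re-stamps them with the collector's receive time the way the Logstash config does, or alternatively rewrites them with an explicit +00:00 offset, and measures the offset between the log's own timestamp and the receive time so a whole-hour skew (the "-1 hour" symptom) can be spotted before it reaches Graylog. The sample lines, host names and the receive time are constructed; treating a zone-less timestamp as UTC is an assumption of this example.

```python
"""Added example: parse RFC 5424 lines (as produced by the ESXTIMEFIX template),
re-stamp them, and detect whole-hour clock/timezone skew. Sample data is constructed."""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# The rsyslog template does not emit <PRI>, so it is optional here. Structured-data
# parsing is simplified: escaped ']' inside SD-PARAM values is not handled.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
# fractional seconds directly before the zone designator
_FRAC = re.compile(r"\.(\d+)(?=(?:Z|[+-]\d\d:\d\d)$)")


def parse_timestamp(ts):
    """RFC 3339 timestamp -> timezone-aware datetime; the NILVALUE '-' -> None."""
    if ts == "-":
        return None
    # datetime.fromisoformat() before Python 3.11 wants 3 or 6 fractional digits and no 'Z'
    ts = _FRAC.sub(lambda m: "." + (m.group(1) + "000000")[:6], ts)
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        # RFC 5424 requires an offset; if it is missing, assume UTC (assumption of this example)
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def parse_rfc5424(line):
    """Split an RFC 5424 line into its header fields; 'ts' becomes an aware datetime."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    rec = m.groupdict()
    rec["msg"] = rec["msg"] or ""
    rec["ts"] = parse_timestamp(rec["ts"])
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["facility"], rec["severity"] = pri >> 3, pri & 7
    return rec


def clock_offset(line, received_at):
    """received_at minus the timestamp inside the message (None if the message has none)."""
    ts = parse_rfc5424(line)["ts"]
    return None if ts is None else received_at - ts


def whole_hour_skew(line, received_at, tolerance=timedelta(minutes=5)):
    """Number of whole hours the message timestamp is off from receive time, 0 if in
    sync within the tolerance. A non-zero value usually means a timezone
    misconfiguration on the sender rather than NTP drift."""
    off = clock_offset(line, received_at)
    if off is None:
        return None
    hours = round(off / timedelta(hours=1))
    return hours if abs(off - timedelta(hours=hours)) <= tolerance else 0


def restamp(line, received_at, mode="receive"):
    """Rewrite the TIMESTAMP field. mode='receive' uses the collector's receive time
    (what the Logstash pipeline achieves by deleting the timestamp fields);
    mode='utc' keeps the original instant but renders it with an explicit +00:00."""
    if received_at.tzinfo is None:
        raise ValueError("received_at must be timezone-aware")
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    original = parse_timestamp(m.group("ts"))
    if mode == "receive" or original is None:
        new = received_at
    elif mode == "utc":
        new = original.astimezone(timezone.utc)
    else:
        raise ValueError("unknown mode: %r" % mode)
    start, end = m.span("ts")
    return line[:start] + new.isoformat() + line[end:]


# Constructed sample lines in the shape the ESXTIMEFIX template produces.
GOOD_LINE = ("1 2016-01-29T10:11:00.123456Z esx01.example.internal Hostd 2098 - - "
             "Task Created: haTask-vm-1")
# Same host, but its clock runs on local wall-clock time (UTC+1) while still stamping 'Z'.
SKEWED_LINE = ("1 2016-01-29T11:11:00.123456Z esx01.example.internal Hostd 2098 - - "
               "Task Created: haTask-vm-1")
# Collector in UTC+1; this instant equals 2016-01-29T10:11:00.123456Z.
RECEIVED_AT = datetime(2016, 1, 29, 11, 11, 0, 123456, tzinfo=timezone(timedelta(hours=1)))

if __name__ == "__main__":
    for line in (GOOD_LINE, SKEWED_LINE):
        print("skew hours:", whole_hour_skew(line, RECEIVED_AT))
        print("receive-stamped:", restamp(line, RECEIVED_AT))
        print("utc-stamped:    ", restamp(line, RECEIVED_AT, "utc"))
```

Running it on the two constructed lines shows the first in sync and the second exactly one hour behind receive time, which is the pattern to look for when Graylog displays ESXi events an hour off: re-stamping with receive time hides it, while the offset check tells you which host's clock or zone setting to fix.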

peterloron over 3 years ago

Any thoughts on using a grok extractor to parse the logs rather than using logstash?
