VMware Content Pack for ESXi Hypervisor and vCenter with Dashboard and Extractors for 7.x, 6.7, 6.5, 6.0, and 5.5

Published

26 Jun 08:22

Last Push

15 Dec 11:05

Marketplace Rating

No rating yet

Discussion

10 Comments

Readme from Github

glog vmware content pack and extractors for graylog confirmed tested on 3.x and 4.x graylog-server

Provides Graylog Dashboards for all Hypervisors, Storage performance, DVS Messages, Vmware version, Storage path failures, Host/Device Performance issues, Memory/CPU alerts, Last list of vmotions, MAC to DVS, VMware port group to hypervisor, Last login failures, Last successful logins, Last 2 hours guests attempting network sniffing, TOP LDAP users, and Vmware virtual machines recent changes by users all in a simple to use Dashboard competely customizable! To get the best benefit make sure your graylog instance is configured for syslog UDP, and make sure to use distributed switching within vmware! Have fun! Extractions using GROK, I've not had the time to change this to regex!

Download content_pack.json and install it under System/Input Content Packs
Download vmware_vcenter_extractors and import it under the System/Inputs/Manage extractors
It is recommended to apply a dedicated bucket ports/syslog input for vmware to structure your data!
Make sure you point your syslog for both hypervisors and vcenters, start receiving your data. View the Vmware Dashboard.
Wait for your data to start coming in.

#Enable high port on graylog server iptables

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514

Tune your esxi syslog configuration via ssh

sed -i 's/verbose/error/g' /etc/vmware/vpxa/vpxa.cfg

sed -i 's/verbose/error/g' /etc/vmware/hostd/config.xml

sed -i 's/verbose/error/g' /etc/vmware/rhttpproxy/config.xml

sed -i 's/verbose/error/g' /etc/opt/vmware/fdm/fdm.cfg

sed -i 's/info/error/g' /etc/vmware/hostd/probe-config.xml

esxcli system syslog config set --loghost='udp://update_syslog_ip_or_hostname:514'

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh

/etc/init.d/vmware-fdm restart

/etc/init.d/rhttpproxy restart

/etc/init.d/hostd restart

/etc/init.d/vpxa restart

esxcli system syslog reload

TODO list migrate extractors to reg expression

Your Rating

Please sign in to rate this add-on.

Comments

dcecchino about 1 month ago

There was an issue with a line on the extractor and has been updated, thanks to all that identified the issue.

markusg80 about 1 month ago

@cgendrew i have the same issue. Dont know why this happens?! My Graylog is 4.0.0 without enterprise plugins

cgendrew about 1 month ago

Hello, graylog neophyte here. How do you propertly install the extractors? Under SYSTEM/INPUT > manage extractors > Actions/Import Extractors ; i copy vmware_vcenter_extractors to Extractors JSON field and get error: "Could not import extractors. There was an error while parsing extractors. Are they in JSON format? SyntaxError: Unexpected token ] in JSON at position 149998."

dcecchino 4 months ago

@wdsoflo1 DVS and MAC pipelines rules are future use for feeding vmotion ports and mac addresses into the dashboard, however I already have a dashboard for that right now that should be operational. You can also use look up tables to create vmware datacenter names or assign fields that relate hypervisor to vcenters. Lots of cool stuff with graylog you can do. Alerting also very good too now!

Geo-Ron 4 months ago

This content pack is terrific!
Only thing I have is that it kicks my machine to 100% cpu in the processing buffer when I target al my 16 hosts to the input. Need to sort that out..

wdsoflo1 4 months ago

Thank you @dcecchino for sharing this.
I was able to get this working by doing a syslog TCP input instead of UDP and by using port 1514 since ESXi 6 already has this port open. I see you have a pipeline called Vmware Network DVS and MAC but not rules are applied to it. What is this pipeline suppose do do?

kblack71 5 months ago

@zaheerabbas1988 Just Stumbled opon this. If your input does not recieve any messages, this is your problem: esxcli system syslog config set --loghost='udp://update_syslog_ip_or_hostname:514'. Graylog does not listen to the system reserved port 514. ESXi does not send to a high port.. You need to forward on the recieving side from 514 to "what ever highport" your input uses.

zaheerabbas1988 6 months ago

@Hucktx105 did you manage to solve this isssue?

dcecchino about 1 year ago

Apologies, I just now saw this comment. Make sure you apply the extractors to the TCP input, there could be some there dependency that you are missing. Perhaps by now you have corrected it, if not hope you get it working!

Hucktx105 over 1 year ago

Installed the content pact and extractors. Created a Syslog TCP input and data is being collected but Dashboard is blank. Do i have the correct input for the content pact? My Vmware is 6.7 update 3

Please sign in to comment.

Back to listing