Technology Add-on for VMware ESXi Syslog (Community)
Overview
Details
Authentication and Web (proxy) tagging, and includes a simple overview dashboard. Works with generic syslog (sourcetype=vmw-syslog) across 6.x–8.x ESXi log formats without requiring index-time changes.
- Features
- Comprehensive parsing for ESXi: Hostd auth (login/logout), NFC file stats, vmkernel/vmkwarning storage signals, vSAN capacity, hostd-probe metadata, Rhttpproxy context.
- New program support: envoy-access (HTTP access logs), backup-check, auto-backup.sh, crx-cli.
- CIM alignment: Authentication (hostd logins/logouts) and Web (Envoy HTTP access).
- Dashboard: “ESXi: Auth & Storage” with auth trends, recent logins/logouts, vSAN used TB, and storage error table.
- Dashboard: “ESXi: Auth & Storage” with auth trends, recent logins/logouts, vSAN used TB, and storage error table.
-
Supported Inputs - Generic syslog (RFC3164/RFC5424) from VMware ESXi hosts.
- Expected sourcetype: vmw-syslog (kept intact for compatibility).
-
Key Field Extractions - Authentication (hostd): user, src, user_agent, login_time, api_invocations, action, signature
- NFC stats: nfc_path, nfc_type, nfc_session_us, nfc_open_us, nfc_bytes, nfc_transfer_us
- vmkernel/vmkwarning: Type, HostUpTime, Cpu, WorldId, SubComp, Message, device, sense_error_code, sense_key, scsi_cmd, asc, ascq, lat_us_old, lat_us_new, H, D, P, queue_status, vc_opid, vmk_opid
- vSAN (osfsd): vsan_avail, vsan_used, vsan_dedup
- Rhttpproxy: rhttp_context_b64
- hostd-probe: probe_pid, probe_version, probe_build, probe_option, probe_hardware, probe_cwd
- backup-check: backup_xmlfile, backup_schemaId
- auto-backup.sh: backup_message
- crx-cli: esx_version, esx_build, esx_option
- Envoy access: method, uri, status, src, src_port, dest, dest_port, upstream, upstream_port, tls, user_agent
-
CIM Mapping - Authentication: eventtype esxi_auth_success with tags authentication, success; fields user, src, dest, app, action, signature.
- Web (Envoy): eventtype esxi_web_http with tags web, http; aliases http_method, url, http_user_agent, src_ip, dest_ip.
-
App Content - props.conf and transforms.conf for all extractions (search-time only).
- eventtypes.conf, tags.conf, macros.conf (macro esxi_indexes for scoping).
- data/ui/views/esxi_auth_storage.xml dashboard and data/ui/nav/default.xml.
Compatibility
- Splunk Enterprise 8.2+ .
- ESXi 6.x–8.x log formats.
-
Notes
- This is a community add‑on, not affiliated with VMware or Splunk LLC.
- No inputs or index‑time settings are enforced; safe to deploy alongside other ESXi TAs.
Release Notes
Version 0.3.0
Version 0.3.0 — 2025-09-14
- New: Envoy access parser with Web CIM tagging (method, uri, status, src/dest IP:port, upstream, user_agent).
- New: Parsers for backup-check (xmlfile, schemaId), auto-backup.sh (message), and crx-cli (version, build, option).
- Improved: Program detection (explicit support for envoy-access, backup-check, auto-backup.sh, crx-cli) plus safe fallback program extractor.
- Improved: Hostd logout regex (tolerates AM/PM and long “login time” strings).
- Improved: vSAN capacity regex (supports both “osfsd[pid]: …” and “osfsd: info osfsd[pid] …”).
- Added: Compatibility stanzas for Splunk_TA_esxilogs sourcetypes ([source::vmware:esxlog:...], vmkernel/vmkwarning).
- Dashboard: “ESXi: Auth & Storage” visible by default.