elastic / integrations

Elastic Integrations
https://www.elastic.co/integrations

Log Collection Using VSphere Elastic Agent Integration #9190

Open sanjaruzic opened 6 months ago

sanjaruzic commented 6 months ago
  1. To access the logs, from the Kibana UI, you have to specify the network-accessible IP address of the host where the Elastic Agent will be deployed. (Connected to point 1.) In this case, the user would have to configure syslog forwarding to the IP:port of the machine the Elastic Agent is installed on, as configured in the integration. But this is not quite clear in the documentation, so it would be great if we could add more information here?

  2. Also, I'm not an expert in this area, but this seems to be a way to enable the log forwarding from the vSphere: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vcsa.doc/GUID-9633A961-A5C3-4658-B099-B81E0512DC21.html

But I'm not sure what alerts mean in this context and if it is possible to include alarms data in vSphere syslog and if this is the case, if we can parse them or not with our integration.

jvalente-salemstate commented 6 months ago

I agree. I am actually in the process of getting system configurations ready so I can enable a few integrations, including vSphere. The need for syslog for the logs data stream isn't apparent from this, meaning someone would need to go back and get the syslog forwarding working once they go to enable the integrations. It would be good to know this beforehand.

Looking at the sample logs and what's being parsed, some documentation on what needs to be enabled in vSphere / ESXi would be great too. It seems there is syslog from the ESXi hosts and vCenter itself. The latter is covered in the link you shared but remote syslog needs to be set up in the ESXi configuration.
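The ESXi side of the setup both comments describe (forwarding host syslog to the IP:port entered in the integration), as an added example that is not part of this issue or of the elastic/integrations repository. It assumes shell access on the ESXi host, that `esxcli` is available there, and that the Elastic Agent listener is reachable at the placeholder IP and port below; whether the listener expects tcp or udp depends on how the integration was configured, so the scheme is a parameter.

```shell
#!/bin/sh
# Added example (not the issue's or the project's code): point an ESXi host's
# remote syslog at the Elastic Agent host entered in the vSphere integration.
# Assumes ESXi shell access and a reachable listener at AGENT_IP:AGENT_PORT
# (placeholder values below).

# Build the loghost URI, rejecting bad input so a typo does not silently leave
# the host forwarding nowhere.
build_loghost() {
    scheme=$1; ip=$2; port=$3
    case "$scheme" in
        tcp|udp|ssl) ;;
        *) echo "bad scheme: $scheme" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    printf '%s://%s:%s\n' "$scheme" "$ip" "$port"
}

# Apply the configuration on the ESXi host itself: set the remote loghost,
# open the outbound syslog firewall ruleset, reload, and emit a marker line
# that should show up in Kibana if forwarding works end to end.
configure_esxi_syslog() {
    loghost=$(build_loghost "$1" "$2" "$3") || return 1
    esxcli system syslog config set --loghost="$loghost"
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh
    esxcli system syslog reload
    esxcli system syslog mark --message="elastic-agent syslog forwarding test"
    esxcli system syslog config get
}

# Placeholder values: replace with the network-accessible IP and port you
# entered in the integration settings. Only runs where esxcli exists (ESXi).
AGENT_SCHEME=${AGENT_SCHEME:-tcp}
AGENT_IP=${AGENT_IP:-192.0.2.10}
AGENT_PORT=${AGENT_PORT:-9525}
if command -v esxcli >/dev/null 2>&1; then
    configure_esxi_syslog "$AGENT_SCHEME" "$AGENT_IP" "$AGENT_PORT"
fi
```

The vCenter appliance itself is configured separately through the VAMI page linked above; this block only covers the ESXi hosts.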