As you can see, SexiLog receives the logs from your VCSA server, but they are not correctly interpreted.
Indeed, if you look in the "hostname" column, you will see values that are not hostnames.
If you look at the event corresponding to the test message sent by vCenter, you will see that it is indeed this test message sent by vcsa.
The host in our case is: 10.0.0.104 (which corresponds to the IP address of our VCSA server).
The type used to interpret this event is "esxi".
Which explains why this event is not interpreted correctly.
As explained previously (in step "6.3. Restart SexiLog services" of this tutorial), SexiLog is based on several components including: logstash and elasticsearch.
Logstash takes care of parsing the data present in the logs received from your VMware ESXi host and from your VMware vCenter Server (VCSA).
Then, the data parsed by logstash is sent to Elasticsearch to be stored in fields (boxes).
To understand why the logs of your VCSA server are not interpreted correctly, you must go to the configuration of the Elasticsearch component.
To do this, go to the address “http://[IP address of SexiLog]/_plugin/head”.
On the "Elasticsearch" page that appears, you will see:
In the "Browser" tab you will see that an "esxi" type is present.
But, the type "vcsa" (for VCSA 5.x) or "vcsa6" (for VCSA 6.x) is missing.
Indeed, these types are not included by default, but are available on the official SexiLog GitHub.
To begin, connect by SSH to your SexiLog virtual machine (via PuTTY on Windows, for example).
Ignore the security warning by clicking Accept, since this is the first time you are connecting to SexiLog via SSH.
Log in as "root".
As a reminder, the default identifiers are "root / Sex!Log".
Note that the keyboard used here is yours and not the one defined for the "SexiLog" VM console.
Once logged in as "root", the SexiMenu will automatically appear.
In fact, it appears automatically when you connect to the console or via SSH.
To access the Linux Shell, you will therefore have to use option 1.
Once the Shell appears, go to the "/etc/logstash/conf.d/" folder.
Bash
cd /etc/logstash/conf.d/
Next, list the configuration files that are located in this folder:
Bash
ls -la
As you can see, no config files for "vcsa" or "vcsa6" appear in the list.
Plain Text
total 68 drwxrwxr-x 2 root root 4096 Mar 31 2015 . drwxrwxr-x 3 root root 4096 Mar 11 2015 .. -rw-r--r-- 1 root root 3132 Mar 31 2015 filter-json-vcenter.conf -rw-r--r-- 1 root root 24732 Mar 31 2015 filter-syslog-esxi.conf -rw-r--r-- 1 root root 3648 Mar 31 2015 filter-syslog-snmp.conf -rw-r--r-- 1 root root 120 Mar 31 2015 input-json-eventlog.conf -rw-r--r-- 1 root root 111 Mar 31 2015 input-json-vcenter.conf -rw-r--r-- 1 root root 54 Mar 31 2015 input-syslog-esxi.conf -rw-r--r-- 1 root root 60 Mar 31 2015 input-syslog-snmp.conf -rw-r--r-- 1 root root 75 Mar 31 2015 output-elasticsearch.conf -rw-r--r-- 1 root root 793 Mar 31 2015 output-riemann.conf
So that logstash can correctly parse the data present in the logs of your VCSA 6.x server, you will need the files: filter-syslog-vcsa6.conf and input-syslog-vcsa6.conf.
For VCSA 5.x, use the old files: filter-syslog-vcsa.conf and input-syslog-vcsa.conf.
These files look like this.
For the "input-...conf" file, it will also allow you to know which protocol and which port to use to redirect the logs from your VCSA server to SexiLog.
In this case: TCP protocol / port 1514.
Create 2 empty files using the commands:
Bash
touch input-syslog-vcsa6.conf touch filter-syslog-vcsa6.conf
Then :
Bash
vim input-syslog-vcsa6.conf
Do the same with the other file.
Bash
vim filter-syslog-vcsa6.conf
Now that the necessary configuration files have been added, return to the SexiMenu by typing:
Bash
/root/seximenu/seximenu.sh
Then use option: 4 (Restart SexiLog services).
As expected, restarting the SexiLog services will also restart the "logstash" (whose configuration files we have just modified) and "elasticsearch" (which receives the data sent by logstash) components.
Type "y" and press Enter.
SexiLog services have been restarted.
Press Enter.
Use the "0 (Logout)" option to log out and close this SSH session.
If you return to the Elasticsearch configuration (using the address "http://[IP address of SexiLog]/_plugin/head"), you will see that a new type "vcsa6" (for VCSA 6.x) or "vcsa" (for VCSA 5.x) appeared in the "Browser" tab.
As you can see, events from your VMware vCenter Server (VCSA) logs are now correctly interpreted.
In our case, we see our host "vcsa" appear in the "hostname" column for events coming from our server "VMware vCenter Server (VCSA)".
The "localhost.localdomain" host for other events is the default hostname for VMware ESXi hypervisors.
If you deploy an event from your VMware vCenter Server (VCSA), you will find this information, among other things:
If you look in the different dashboards (and in particular the "Kommandantur" dashboard), you will see that many additional alerts and/or events have appeared.
For the "Kommandantur" dashboard, you will see that a new host (vcsa.informatiweb.lan in our case) has appeared in the "hostname" list (under the graph).
If you return to the SexiLog home page (via the house icon at the top right of the page), you may be able to find the test message previously sent from your VMware vCenter Server (VCSA).
If you view the details of this event, you will see that it contains the tag "vcenter" and that the type used is now "vcsa6".
Which confirms that the logstash is now configured correctly.
VMware 1/20/2023
VMware 6/26/2024
VMware 2/23/2024
VMware 5/1/2024
Pinned content
Contact
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.
No comment