Log Collection Using VSphere Elastic Agent Integration

[sanjaruzic]

• I have a few questions about the vSphere Integration, more specifically about collecting the logs part

• From our documentation:

1. This integration periodically fetches logs and metrics from vSphere vCenter servers.
   This is a bit confusing since we create a listener on our side, so it's more about receiving than fetching

2. To access the logs, from the Kibana UI, you have to specify the network-accessible IP address of the host where the Elastic Agent will be deployed.
   (connected to the point 1.) - In this case, the user would have to configure syslog forwarding to the IP:port of the machine the Elastic Agent is installed on and that was configured in the integration. But this is not quite clear in the documentation, so it would be great if we could add more information here?

3. Also, I'm not an expert in this area, but this seems to be a way to enable the log forwarding from the vSphere: https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.vcsa.doc/GUID-9633A961-A5C3-4658-B099-B81E0512DC21.html

• We have the following field defined that mentions alerts:
  event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events.

But I'm not sure what alerts mean in this context and if it is possible to include alarms data in vSphere syslog and if this is the case, if we can parse them or not with our integration.

[jvalente-salemstate]

I agree. I am actually in the process of getting system configurations ready so I can enable a few integrations, including vSphere. The need for syslog for the logs data stream isn't apparent from this, meaning someone would need to go back and get the syslog forwarding working once they go to enable the integrations. It would be good to know this beforehand.

Looking at the sample logs and what's being parsed, some documentation on what needs to be enabled in vSphere / ESXi would be great too. It seems there is syslog from the ESXi hosts and vCenter itself. The latter is covered in the link you shared but remote syslog needs to be set up in the ESXi configuration.

[botelastic]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry! We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!

[drummbelbummel]

Hello, same problem here.
I expected syslog data but the agent is giving me an error:
I did not see an option to specify the vcenter server nor credentials to access it.

[elastic_agent][warn] Unit state changed vsphere/metrics-default-vsphere/metrics-vsphere-xxxxxxxx-2ae5-xxxxxxxx-xxxxxxxxxxxxxxxx (STARTING->DEGRADED): Error fetching data for metricset vsphere.resourcepool: error in NewClient: Post "https://127.0.0.1:8989/sdk": dial tcp 127.0.0.1:8989: connect: connection refused