Overview
As RESTful APIs are adopted at scale across application systems, more and more systems expose an API to support large-scale deployment, automated operations and similar scenarios. The VeloCloud Orchestrator (VCO), the controller of VMware SD-WAN, likewise provides a large set of API endpoints that are used in day-to-day operations. Operating the platform requires collecting various logs to monitor, audit and troubleshoot the control plane.
This article describes using a Splunk App that reads the VCO API to collect VMware SD-WAN event logs.
VCO Platform Log Classification
Platform logs fall into three main categories:
- VeloCloud application logs (upload, backend, portal): used mainly for troubleshooting at the VeloCloud application level; they can be forwarded to a conventional Syslog server by setting the relevant System Properties in the VCO operator UI (the log volume is very large).
- Ubuntu system logs: used mainly for SSH login auditing, NTP time updates and so on; they can be forwarded by accessing the VCO over SSH and adding a Syslog server to rsyslog.conf.
- Platform event logs: two kinds, readable only through the API.
  - Operator events: record platform-level operations such as platform user logins (including tenant account logins), property changes and media imports.
  - Enterprise events: record tenant-level operations such as tenant user logins, configuration updates and VeloCloud Edge (VCE) status changes.
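Both event logs above are reachable only through the VCO API, which is exactly what the Splunk App polls on a schedule. As an added illustration (this is my own example, not the App's code and not VMware's), the Python module below shows the shape of such a poller: it logs in as an operator or enterprise user, requests one time window of events from the chosen log, flattens the fields an audit search needs, and derives the checkpoint the next poll should start from so the same events are not indexed twice. The endpoint paths, the request body and the `{"data": [...]}` / `{"error": {...}}` response shape are assumptions based on the VCO v1 REST API as I know it and must be checked against your orchestrator's API reference; the sample response is constructed so the module runs offline.

```python
"""Poll VMware SD-WAN event logs from the VCO REST API (added example)."""
import json
from datetime import datetime, timedelta, timezone

# VCO v1 API paths. ASSUMPTION: taken from the VCO REST API naming as I know it;
# verify them against the API reference of your own orchestrator version.
LOGIN_PATHS = {"operator": "/portal/rest/login/operatorLogin",
               "enterprise": "/portal/rest/login/enterpriseLogin"}
EVENT_PATHS = {"operator": "/portal/rest/event/getOperatorEvents",
               "enterprise": "/portal/rest/event/getEnterpriseEvents"}
# A "transport" below is any callable (api_path, json_body) -> parsed JSON response,
# so the HTTP layer can be swapped for a constructed one when testing offline.


def iso_utc(ts):
    """VCO interval boundaries are ISO-8601 timestamps in UTC."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_event_request(start, end, limit=500):
    """Body for getOperatorEvents / getEnterpriseEvents: a time window plus a result cap."""
    if end <= start:
        raise ValueError("interval end must be after start")
    return {"interval": {"start": iso_utc(start), "end": iso_utc(end)}, "limit": limit}


def normalize_event(raw, scope):
    """Keep the fields an audit search needs and tag which event log they came from."""
    fields = ("id", "eventTime", "event", "category", "severity", "message")
    out = {k: raw.get(k) for k in fields}
    out["scope"] = scope  # "operator" (platform events) or "enterprise" (tenant events)
    return out


def login(transport, scope, username, password):
    """Authenticate as operator or enterprise user; VCO answers {"error": ...} on failure."""
    resp = transport(LOGIN_PATHS[scope], {"username": username, "password": password})
    if "error" in resp:
        raise PermissionError("VCO login failed: %s" % resp["error"])
    return resp


def fetch_events(transport, scope, start, end):
    """Fetch one window of events from the chosen event log."""
    resp = transport(EVENT_PATHS[scope], build_event_request(start, end))
    if "error" in resp:
        raise RuntimeError("VCO API error: %s" % resp["error"])
    return [normalize_event(e, scope) for e in resp.get("data", [])]


def next_checkpoint(events, previous):
    """Newest eventTime seen, so the next poll starts where this one ended
    instead of re-indexing the same events (a Splunk input would persist this)."""
    newest = previous
    for ev in events:
        if ev["eventTime"]:  # e.g. "2021-05-12T00:05:00.000Z"
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            newest = max(newest, ts)
    return newest


def requests_transport(base_url):
    """Real HTTP transport; `requests` is imported lazily so the module loads offline.
    The Session keeps the session cookie that VCO sets at login."""
    import requests  # third-party: pip install requests
    session = requests.Session()

    def post(path, body):
        r = session.post(base_url.rstrip("/") + path, json=body, timeout=30)
        r.raise_for_status()
        return r.json()
    return post


# Constructed sample response (not real VCO output) so the example runs offline.
SAMPLE_RESPONSE = {"metaData": {"limit": 500, "more": False}, "data": [
    {"id": 101, "eventTime": "2021-05-12T00:00:01.000Z", "event": "USER_LOGIN", "category": "USER",
     "severity": "INFO", "message": "constructed: tenant user logged in"},
    {"id": 102, "eventTime": "2021-05-12T00:05:00.000Z", "event": "EDGE_DOWN", "category": "EDGE",
     "severity": "ALERT", "message": "constructed: edge lost contact"}]}


def sample_transport(path, body):
    """Offline stand-in for the VCO: answers enterprise event queries, errors otherwise."""
    if path == EVENT_PATHS["enterprise"]:
        return SAMPLE_RESPONSE
    return {"error": {"code": -1, "message": "constructed error for " + path}}


def demo_poll(transport=sample_transport, scope="enterprise"):
    """One polling cycle: the request sent, the normalized events, and the next checkpoint."""
    start = datetime(2021, 5, 12, tzinfo=timezone.utc)
    end = start + timedelta(hours=1)
    events = fetch_events(transport, scope, start, end)
    return {"request": build_event_request(start, end), "events": events,
            "checkpoint": iso_utc(next_checkpoint(events, start))}


if __name__ == "__main__":
    # Live use: t = requests_transport("https://<vco-url>"); login(t, "enterprise", user, pw); demo_poll(t)
    print(json.dumps(demo_poll(), indent=2))
```

Two design points carry over to the real App: the account used for polling should hold no more than the read-level privileges listed under Preparation, and the checkpoint must be persisted between runs, otherwise every poll re-reads the same window and the audit trail in Splunk fills with duplicates.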
Preparation
- Splunk environment (tested with Splunk Enterprise 8.1 | Python 3.7 | VeloCloud Orchestrator 3.4.2/4.1.0)
- Splunk App: [vmware_sdwan_event](https://github.com/kc-roger/vmware_sdwan_event "vmware_sdwan_event (Splunk App)")
- VCO account: an Operator or Enterprise account with at least Operator/Customer Support privileges
  - Username
  - Password
  - VCO URL
Steps
- Check the App files and package the whole folder
  ① Download the whole project from GitHub as an archive
  ② Create a folder named vmware_sdwan_event and place all the project files in it
  ③ Zip the whole folder as vmware_sdwan_event.zip
- Import the Splunk App into Splunk
  ① Open Splunk Enterprise and click Apps - Manage Apps
  ② Click Install app from file on the right
  ③ Upload the file vmware_sdwan_event.zip
  ④ Confirm that vmware_sdwan_event appears in the app list and is enabled
- Add a platform account as a data input
  ① Click Settings - Data inputs in the top-left corner
  ② Find VMware SDWAN Event Log and click Add on the right
  ③ Enter the VCO account information and click Next
  ④ Check the configuration (default index: main; to use another index, create it after importing the App and change the index parameter in the App files)
- View the event log
  ① Under Apps, select VMware SDWAN Event
  ② Enter a filter and choose a time range
  Example filter: * sourcetype=vco_event_log
  ③ The retrieved event logs appear in the results
Troubleshooting
Check splunkd.log and filter on [velocloud] to troubleshoot the input.
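As an added example of that troubleshooting step (my own code, not part of the App), the module below parses splunkd.log lines, keeps only those tagged [velocloud], and counts them per log level so a failing input (for instance a login rejected by the VCO) stands out immediately. The splunkd.log line shape encoded in the regex is my understanding of the format, and the sample lines are constructed; the script file name inside them is a placeholder because the page does not name the App's input script.

```python
"""Triage splunkd.log for the VCO input's [velocloud] messages (added example)."""
import re
from collections import Counter

# splunkd.log line shape, as far as I know it:
#   MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component [pid thread] - message
# The "[pid thread]" group is optional because older releases omit it.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)(?: \[[^\]]*\])? - (?P<message>.*)$"
)

# Constructed sample lines (not real splunkd.log output); SCRIPT_PLACEHOLDER.py stands
# in for the App's input script, whose name the article does not give.
SAMPLE_LOG = """\
05-12-2021 10:00:00.101 +0800 INFO  ExecProcessor [1234 ExecProcessor] - message from "python3 /opt/splunk/etc/apps/vmware_sdwan_event/bin/SCRIPT_PLACEHOLDER.py" [velocloud] polling enterprise events since 2021-05-12T01:55:00Z
05-12-2021 10:00:00.102 +0800 INFO  TailReader [1235 tailreader0] - Starting tailing of /opt/splunk/var/log/splunk/metrics.log
05-12-2021 10:00:01.500 +0800 ERROR ExecProcessor [1234 ExecProcessor] - message from "python3 /opt/splunk/etc/apps/vmware_sdwan_event/bin/SCRIPT_PLACEHOLDER.py" [velocloud] login failed: HTTP 401
05-12-2021 10:05:00.003 +0800 WARN  ExecProcessor - message from "python3 /opt/splunk/etc/apps/vmware_sdwan_event/bin/SCRIPT_PLACEHOLDER.py" [velocloud] no events in window, keeping checkpoint
"""


def parse_line(line):
    """Split one splunkd.log line into its fields, or None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def velocloud_entries(lines):
    """Parsed entries whose message carries the [velocloud] tag, in file order."""
    out = []
    for line in lines:
        entry = parse_line(line)
        if entry and "[velocloud]" in entry["message"]:
            out.append(entry)
    return out


def summarize(entries):
    """Count tagged messages per level: the first thing to look at when no events arrive."""
    return dict(Counter(e["level"] for e in entries))


def triage(text=SAMPLE_LOG):
    """Filter, count, and pull out the ERROR messages for a quick read."""
    entries = velocloud_entries(text.splitlines())
    return {"entries": entries, "by_level": summarize(entries),
            "errors": [e["message"] for e in entries if e["level"] == "ERROR"]}


if __name__ == "__main__":
    # Against a real file: triage(open("/opt/splunk/var/log/splunk/splunkd.log").read())
    report = triage()
    print(report["by_level"])
    for msg in report["errors"]:
        print("ERROR:", msg)
```

In practice run `triage()` over the real splunkd.log (the default location under `$SPLUNK_HOME/var/log/splunk/`); a non-zero ERROR count for the [velocloud] tag usually means the VCO URL or account in the data input is wrong, which is the same thing a manual filter on [velocloud] would reveal, just summarized.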
Others
Where all logs must be collected centrally on a syslog server, the events Splunk collects need to be forwarded on to that Syslog server as well.
Add the following configuration files under $SPLUNK_HOME/etc/system/local. This configuration forwards only VCO events.
outputs.conf
```ini
[syslog]
[syslog:syslogGroup]
server = xxx.xxx.xxx.xxx:514
```
props.conf
```ini
[vco_event_log]
TRANSFORMS-syslog = send_to_syslog
```
transforms.conf
```ini
[send_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = syslogGroup
```
Thanks
This article is based on the official VMware document "Retrieving SD-WAN Event Logs with Splunk App" (Guide, Apr 2019), provided by VMware SE Raynor Li.
The Splunk App used in this article was modified and optimised from the GitHub project djsincla/TA_VeloCloud (VeloCloud Orchestrator to Splunk Plugin).
Translations in this article were produced with DeepL.