ESX/VMware Syslog Collector
VMware Syslog Collector
Installation Defaults
Install vSphere Syslog Collector to:
C:\Program Files (x86)\VMware\VMware Syslog Collector\
vSphere Syslog Collector Configuration:
- Repository directory:
C:\Documents and Settings\All Users\Application Data\VMware\VMware Syslog Collector\Data\ # I like to change to: C:\syslog\
- Size of log file before rotation: 2MB
- Log rotations to keep: 8 (I like to change to 30)
vSphere Syslog Collector Server Port:
514 (TCP Protocol and UDP Protocol)
vSphere Syslog Collector Server SSL Port:
1514 (Secure connection (SSL))
Configure ESXi 5.0 Server
Display the existing 5 configuration options on the host using the command:
esxcli system syslog config get
Default settings:
Default Rotation Size: 1024
Default Rotations: 8
Log Output: /scratch/log
Log To Unique Subdirectory: false
Remote Host: <none>
Set new host configuration, specifying options to change, using a command similar to:
# reset to defaults
for i in default-rotate default-size logdir loghost ; do esxcli system syslog config set --reset $i ; done
esxcli system syslog config set --default-size=1024 --default-rotate=8 --logdir=/scratch/log --logdir-unique=false
Remote log hosting:
# Get configuration
esxcli system syslog config get

# to configure remote syslog using TCP on port 514:
#esxcli system syslog config set --loghost='tcp://10.10.47.100:514'
#esxcli system syslog config set --loghost=10.10.47.100
esxcli system syslog config set --loghost=esxlogger

# may need to adjust the firewall too
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

# After making configuration changes, load the new configuration using the command:
esxcli system syslog reload
Example of configured setup:
# esxcli system syslog config get
Local Log Output: <none>
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Remote Host: esxlogger.oeey.com
These can also be set from the GUI:
- vSphere Client GUI > Configuration > Software > Advanced Settings > Syslog.global.logHost
- vSphere Client GUI > Configuration > Software > Security Profile > Firewall > syslog
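A check to run against the `esxcli system syslog config get` output, as an added example that is not part of the original page: it reports whether the host forwards logs at all and whether every target uses the collector's SSL listener (port 1514) rather than plain TCP/UDP 514. The function name, the sample values and the `ssl://` loghost scheme (not shown on this page) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page).
# Reads `esxcli system syslog config get` output on stdin and prints:
#   none       no remote host set, logs exist only on the ESXi host
#   plaintext  at least one target is udp://, tcp:// or a bare host name
#   ssl        every target uses ssl://
classify_loghost() {
    # Keep only the value after "Remote Host:", trailing blanks trimmed.
    hosts=$(sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p' \
            | sed 's/[[:space:]]*$//')
    case "$hosts" in
        ''|'<none>') echo none; return 0 ;;
    esac
    verdict=ssl
    # The value may be a comma-separated list; one cleartext entry is
    # enough to expose log content on the wire.
    old_ifs=$IFS
    IFS=,
    for h in $hosts; do
        h=$(echo "$h" | tr -d '[:space:]')
        case "$h" in
            ssl://*) ;;
            *) verdict=plaintext ;;
        esac
    done
    IFS=$old_ifs
    echo "$verdict"
}

# Constructed samples modelled on the two outputs shown on this page.
SAMPLE_DEFAULT='Default Rotation Size: 1024
Default Rotations: 8
Log Output: /scratch/log
Log To Unique Subdirectory: false
Remote Host: <none>'

SAMPLE_REMOTE='Local Log Output: <none>
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Remote Host: esxlogger.oeey.com'

# Constructed: assumes the collector SSL port (1514) and the ssl:// scheme.
SAMPLE_SSL='Remote Host: ssl://esxlogger.oeey.com:1514'
SAMPLE_MIXED='Remote Host: ssl://esxlogger.oeey.com:1514, tcp://10.10.47.100:514'
```

On a host, pipe the live output into it: `esxcli system syslog config get | classify_loghost`.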
Send message:
# normally logged to /var/log/vmkernel.log and /var/log/syslog.log and /var/log/*.log too!
esxcli system syslog mark --message="this is a message"
You can also test sending a message with:
nc 10.10.47.100 514
telnet 10.10.47.100 514
... message ...
VCSA check service:
/etc/init.d/syslog-collector status
# config file: /etc/syslog-ng/syslog-collector.conf