How to forward Vmware ESXi 5.x and 6.x host logs to central log server

What is Syslog :-

Syslog is a standard for message logging. It permits separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity label.

Why Need to setup Central Log Server :-


In Today's computing generation, We need to check Asset logs time to time to know what is going on.

For a System Administrator, it is a primary responsibility to Check logs. Central Log server provide facility to store logs to a central location and analysis them when required.

In this blog How to setup, Central log server to forward ESXi host's logs.

1- Setup Central log server first :-


To setup Central Log Server please visit my previous blog-

https://vhostingvn.blogspot.ca/2016/07/how-to-setup-central-log-server.html


2- ESXi host side configuration :- 

We can make required changes with two methods:-


a) using command esxcli 
b) Using Vshpere Client Console.


A) Let's enable setting using CLI method.



First, connect ESXi host using putty.

3- To check Version of running ESXi run command.
[root@localhost:~] esxcli --version
Script 'esxcli' version: 6.0.0



4- Display current Syslog configuration :-

[root@localhost:~] esxcli system syslog config get

   Default Network Retry Timeout: 180
   Dropped Log File Rotation Size: 100
   Dropped Log File Rotations: 10
   Enforce SSLCertificates: false
   Local Log Output: /scratch/log
   Local Log Output Is Configured: false
   Local Log Output Is Persistent: true
   Local Logging Default Rotation Size: 1024
   Local Logging Default Rotations: 8
   Log To Unique Subdirectory: false
   Message Queue Drop Mark: 90
   Remote Host:

   [root@localhost:~]

In above output, you can see default log path and no remote host is set to accept log.

5- Add remote host to accept logs.


esxcli system syslog config set --loghost='udp://192.168.138.129:514'

[root@localhost:~] esxcli system syslog config set --loghost='udp://192.168.138.129:514'

Where 192.168.138.129 is Central Log Serve IP Address

514 is Syslog port.

6- Reload Syslog configuration to applied changes.


[root@localhost:~] esxcli system syslog reload




7- Enable firewall and allow Syslog outgoing port.

By default ESXi 5.x and 6.x blocked outgoing to all port which is not required to increase security.

Use below command to open Syslog port.

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

[root@localhost:~] esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true


8- To Apply changes reload firewall configuration.

[root@localhost:~] esxcli network firewall refresh



9- Let's check changed configuration.


[root@localhost:~]  esxcli system syslog config get



   Default Network Retry Timeout: 180

   Dropped Log File Rotation Size: 100

   Dropped Log File Rotations: 10

   Enforce SSLCertificates: false

   Local Log Output: /scratch/log

   Local Log Output Is Configured: false

   Local Log Output Is Persistent: true

   Local Logging Default Rotation Size: 1024

   Local Logging Default Rotations: 8

   Log To Unique Subdirectory: false

   Message Queue Drop Mark: 90

   Remote Host: udp://192.168.138.129:514

   [root@localhost:~]


In above output, Now you can see remote logging server has been added.

10- Let's analysis ESXi host log on Central log server.

Login to log server using putty.

root@LXD:~# ls -l /var/log/centrallog/
total 20


drwx------ 2 syslog syslog 4096 Jul 26 20:23 localhost.localdomain

In above output, one directory with ESXi host name exist, which contain all logs of this ESXi host.
11- To check current log use below command.

root@LXD:~# tail -f /var/log/centrallog/localhost.localdomain/syslog.log


2016-07-29T07:49:08.670Z localhost.localdomain Hostd: -->    maxObjectUpdates = 100

2016-07-29T07:49:08.670Z localhost.localdomain Hostd: --> }

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: info hostd[3114CB70] [Originator@6876 sub=Solo.Vmomi opID=8ca22758 user=root] Throw vmodl.fault.RequestCanceled

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: info hostd[3114CB70] [Originator@6876 sub=Solo.Vmomi opID=8ca22758 user=root] Result:

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: --> (vmodl.fault.RequestCanceled) {

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: -->    faultCause = (vmodl.MethodFault) null,

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: -->    msg = ""

2016-07-29T07:49:08.672Z localhost.localdomain Hostd: --> }

2016-07-29T07:49:08.673Z localhost.localdomain Hostd: error hostd[FFEE2A70] [Originator@6876 sub=SoapAdapter.HTTPService.HttpConnection] Failed to read header on stream , >: N7Vmacore15SystemExceptionE(Connection reset by peer)

2016-07-29T07:49:08.674Z localhost.localdomain Rhttpproxy: verbose rhttpproxy[FFCF0B70] [Originator@6876 sub=Proxy Req 00111] Resolved endpoint : [N7Vmacore4Http16LocalServiceSpecE:0x4452ad78] _serverNamespace = /sdk _isRedirect = true _port = 8307



B ) Enable Syslog server Setting using VMware vSphere Client.


1- Connect Esxi Host using vSphere client.




2- Add Log Server IP address

Select ESXi host in vSphere console.




Go to Configuration Tab



Select Advanced Setting under Software section from left side Action menu.




Select Syslog from left side menu Add Syslog Server address (udp://192.168.138.129:514) in syslog.globle.logHost section.



Close configuration menu and click on Ok button.


3- Allow Syslog port from Firewall.

Go to Configuration Tab




Select Security Profile from left side.



Select Firewall Properties.



Select the Check box of Syslog and apply changes.




4- Required changes have made successfully on ESXi host.

Let's login to Log server and Check log's file.




That's All


!!! Cheers !!!