Knowledge Base

The VMware Knowledge Base provides support solutions, error messages and troubleshooting guides
 
Search the VMware Knowledge Base (KB)   View by Article ID
 

Configuring syslog on ESXi 5.x (2003322)

Purpose

VMware vSphere ESXi 5.x hosts run a syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk, and to send the logs across the network to a syslog server.

Retention, rotation and splitting of logs received and managed by a syslog server are fully controlled by that syslog server. ESXi 5.x cannot configure or control log management on a remote syslog server. For more information, see the documentation for the syslog server.

Regardless of the additional syslog configuration specified using these options, logs continue to be placed on the default locations on the ESXi host. For more information, see Location of ESXi 3.5-4.1 log files (1021801).

Previous version of vSphere ESXi are configured differently. For more information, see Enabling syslog on ESXi 3.5 and 4.x (1016621).

If vSphere Syslog Collector will be used to receive logs from ESXi hosts, see:

Resolution

Configuration of the syslog service on ESXi 5.x can be performed using Host Profiles, the vCLI, or the Advanced Configuration options in the vSphere Client.

Select the method most appropriate for your environment. Configuration cannot be performed using the vicfg-syslog command.

Note: When configuring the syslog service, choose one of the following VMFS volume, NFS, FAT or Ramdisk that the ESXi host holds write access upon. If using a shared repository for logging between multiple hosts, the hosts must log to their own unique directory within the repository.

There are five configurable options. This table outlines the options:
 
Option Description
Syslog.global.logDir
A location on a local or remote datastore and path where logs are saved to. Has the format [DatastoreName] DirectoryName/Filename, which maps to /vmfs/volumes/DatastoreName/DirectoryName/Filename. The [DatastoreName] is case sensitive and if the specified DirectoryName does not exist, it will be created. If the datastore path field is blank, the logs are only placed in their default location. If /scratch is defined, the default is []/scratch/log. For more information on scratch, see Creating a persistent scratch location for ESXi (1033696). For all other cases, the default is blank.
Syslog.global.logHost A remote server where logs are sent using the syslog protocol. If the logHost field is blank, no logs are forwarded. Include the protocol and port, similar to tcp://hostname:514 or udp://hostname:514
Syslog.global.logDirUnique A boolean option which controls whether a host-specific directory is created within the configured logDir. The directory name is the hostname of the ESXi host. A unique directory is useful if the same shared directory is used by multiple ESXi hosts. Defaults to false.
Syslog.global.defaultRotate The maximum number of log files to keep locally on the ESXi host in the configured logDir. Does not affect remote syslog server retention. Defaults to 8.
Syslog.global.defaultSize
The maximum size, in kilobytes, of each local log file before it is rotated. Does not affect remote syslog server retention. Defaults to 1024 KB. For more information on sizing, see Providing Sufficient Space for System Logging.

Configuring Local and Remote Logging using the esxcli command

Local and Remote syslog functionality can be configured for a host using the esxcli command line utility, which can be used at the console of an ESXi host, in the vCLI, or in the vMA.

For more information regarding the use of esxcli, see Configuring ESXi Syslog Services in the vSphere Command-Line Interface Documentation.

  1. Open a ESXi Shell console session where the esxcli command is available, such as the vCLI or on the ESXi host directly.
  2. Display the existing five configuration options on the host using the command:

    esxcli system syslog config get

  3. Set new host configuration, specifying options to change, using a command similar to:

    esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN

    For example, to configure remote syslog using TCP on port 514:

    esxcli system syslog config set --loghost='tcp://10.11.12.13:514'

    To configure remote syslog using UDP on port 514:

    esxcli system syslog config set --loghost='udp://10.11.12.13:514'

    Note: In ESXi 5.0, you must download a patch on the ESXi host if you are using syslog with UDP. For more information, see VMware ESXi 5.0, Patch ESXi-5.0.0-20120704001-standard (2019113).


  4. After making configuration changes, load the new configuration using the command:

    esxcli system syslog reload

    Note: This command may be used to restart the syslog service if and when the service is stopped.

Configuring Local and Remote logging using Host Profiles

Local and Remote syslog functionality can be configured for a cluster of similar hosts using Host Profiles. For more information, see the Set Up Syslog from the Host Profiles Interface section of the vSphere Installation and Setup guide.

  1. Connect to the vCenter Server using the vSphere Client.
  2. Click Home.
  3. Under the Management section, click Host Profiles.
  4. Create a new profile, or edit an existing profile.
  5. In the Edit Profile dialog, set one or more of the five configuration options.

    • If you configured syslog using esxcli or advanced configuration options, and captured this as a reference host, the 5 configuration options are already visible under the Advanced Configuration option section.

    • If syslog has not been previously configured, right-click the Advanced Configuration options section and add a profile for each of the five configuration options.

  6. Save the profile and assign it to hosts.  

Configuring Local and Remote Logging using Advanced Configuration options

Local and Remote syslog functionality can be configured for a host using advanced configuration options, which can be set using the vSphere Client, PowerCLI, or vCLI. For more information on configuring Syslogging using the Advanced Configuration options, see the Configure Syslog on ESXi Hosts section of the vSphere Single Host Management guide.
 
This configuration cannot be performed using the local console's esxcfg-advcfg command. For more information on setting advanced configuration options using each method, see Configuring advanced options for ESX/ESXi (1038578).

Note: If the host loses communication with the remote syslog server. Logging stops being pushed to the syslog server. There will be an error in /var/log/.vmssyslogd.err: failed to write log. Nothing is sent to the remote syslog server until the syslogd service is restarted.

Additional Information

Configuring ESXi Firewall Exception using the esxcli command

Note: You may need to manually open the Firewall rule set for syslog when redirecting logs. It seems that, for UDP traffic this firewall rule has no effect in ESXi 5.0 build 456551, and the UDP port 514 traffic flows regardless.

To open outbound traffic via the ESXi Firewall on UDP port 514, TCP port 514 and 1514, use the following commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

Notes:

Tags

configuring-syslog

See Also

Update History

03/18/2013 - Added an example to configure UDP with the esxcli command and a link to the patch for 5.0

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 35 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.
What can we do to improve this information? (4000 or fewer characters)
  • 35 Ratings
Actions
KB: