Extracting the log file after an ESX or ESXi host fails with a purple screen error (1006796)

This article provides steps to extract a log from a vmkernel-zdump file after a purple diagnostic screen error. This log contains similar information to that seen on the purple diagnostic screen and can be used in further troubleshooting.

This article assumes that a vmkernel-zdump file is available. If an ESX or ESXi host has failed with a purple diagnostic screen, but no vmkernel-zdump file is available, see:
Note: For generating a VMkernel zdump manually from a dump file in ESXi 5.5, see Generating a VMkernel zdump manually from a dump file in ESXi 5.5 (2081902).
To resolve this issue, extract the log file from a vmkernel-zdump file using a command line utility on the ESX or ESXi host. This utility differs for different versions of ESX or ESXi.
  • For ESX 3.x use the vmkdump utility:

    # vmkdump -l vmkernel-zdump-filename
  • For ESXi 3.5, ESXi/ESX 4.x and ESXi 5.x, use the esxcfg-dumppart utility:

    # esxcfg-dumppart -L vmkernel-zdump-filename
To extract the log file from a vmkernel-zdump file:
  1. Find the vmkernel-zdump file in the /root/ or /var/core/ directory:

    # ls /root/vmkernel* /var/core/vmkernel*

  2. Use the vmkdump or esxcfg-dumppart utility to extract the log. For example:

    # vmkdump -l /var/core/vmkernel-zdump-073108.09.16.1
    created file vmkernel-log.1

    # esxcfg-dumppart -L /var/core/vmkernel-zdump-073108.09.16.1
    created file vmkernel-log.1

  3. The vmkernel-log.1 created above is a file in plain text that you can read with a text editor, though may start with null characters. Focus on the end of the log, which is similar to:

    VMware ESX Server [Releasebuild-98103]
    PCPU 1 locked up. Failed to ack TLB invalidate.
    frame=0x3a37d98 ip=0x625e94 cr2=0x0 cr3=0x40c66000 cr4=0x16c
    es=0xffffffff ds=0xffffffff fs=0xffffffff gs=0xffffffff
    eax=0xffffffff ebx=0xffffffff ecx=0xffffffff edx=0xffffffff

  4. For troubleshooting the cause of the purple diagnostic screen, see Interpreting an ESX host purple diagnostic screen (1004250).
Note: The file name created for the log in this example is vmkernel-log.1. If another file with the same name already exists, the new file is created with the number suffix incremented.

