Enabling syslog on ESXi 3.5 and 4.x

Products

VMware vSphere ESXi

Issue/Introduction

VMware vSphere ESXi 3.5 and 4.x hosts run a syslog service (syslogd) which provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to clone these logs to an alternate storage location on disk, and to send the logs across the network to a third-party syslog server.

Retention, rotation and splitting of logs received and managed by a third-party syslog server are fully controlled by that syslog server. ESXi cannot configure or control third-party log management. For more information, see the documentation for your third-party syslog server.

Regardless of the additional syslog configuration specified using these options, logs continue to be placed on the default locations on the ESXi host. For more information, see Location of ESXi log files (1021801).

Note: This article only pertains to ESXi 3.5 and 4.x. For information on configuring syslog for ESX, see Enabling syslog on ESX (1005030). For more information on configuring syslog on ESXi 5.1, see Configuring syslog on ESXi 5.x (2003322).

Environment

VMware ESXi 4.1.x Embedded
VMware ESXi 3.5.x Embedded
VMware ESXi 4.0.x Embedded
VMware ESXi 3.5.x Installable
VMware ESXi 4.1.x Installable
VMware ESXi 4.0.x Installable

Resolution

Configuration of the syslog service on ESXi can be performed from the vSphere Client, PowerCLI, or vCLI. Select the method appropriate for your environment.

Configuring Local and Remote logging using Advanced Configuration Options

The Local and Remote syslog functionality can be configured for a host using advanced configuration options, which can be set using the vSphere Client, PowerCLI, or vCLI. This configuration cannot be performed using the local console's esxcfg-advcfg command.

Syslog.Local.DatastorePath - a location on a local or remote datastore and path where logs are saved to. Has the format [datastorename] directory/filename, which maps to /vmfs/volumes/datastorename/directory/filename. If the datastore path field is blank, the logs are only placed in their default location. For ESXi 4.1, the default is []/scratch/log/messages if scratch is defined. For more information on scratch, see Creating a persistent scratch location for ESXi 4.x and 5.x (1033696). For all other cases, the default is blank.
Syslog.Remote.Hostname - a remote server's DNS name or IP address where logs are sent using the syslog protocol. If the hostname field is blank, no logs are forwarded.
Syslog.Remote.Port - a remote server's UDP port where logs are sent using the syslog protocol. Default is port 514.

For more information on setting advanced configuration options using each method, see Configuring advanced options for ESX/ESXi (1038578).

Configuring Remote logging using the vSphere Command Line Interface

The Remote syslog functionality can be configured from the vCLI using the vicfg-syslog command, which is installed with the vSphere Management Assistant appliance. For more information, see the Syslog Service Specification with vicfg-syslog section of the vSphere Command-Line Interface Installation and Reference Guide or the vSphere Management Assistant Documentation.

Open a console at the location the vCLI is installed, or login to the vMA.
Determine the current configuration using the command:

vicfg-syslog --server ESXiHostnameOrIP --username MyUsername --password MyPassword --show

For example:

vicfg-syslog --server esxhost1 --username root --password MyPassword --show
Set the hostname or IP address and port of the remote syslog server using the command:

vicfg-syslog --server ESXiHostnameOrIP --username MyUsername --password MyPassword --setserver SyslogHostnameOrIP --setport PortNumber

For example:

vicfg-syslog --server esxhost1 --username root --password MyPassword --setserver 10.5.0.200 --setport 514

Note: To remove the remote syslog configuration, set the remote syslog server name to a blank string "".
Validate the configuration change by repeating step 2.

Configuring Remote logging using PowerCLI

The Remote syslog functionality can be configured using PowerCLI using the Set-VMHostSysLogServer command. For more information, see the vSphere PowerCLI documentation.

Connect to the vCenter Server or ESXi host using the command:

Connect-VIServer HostnameOrIP
Determine the current configuration using the command:

Get-VMHost ESXHostnameOrIP | Get-VMHostSysLogServer

Note: A blank result indicates that the syslog server is not configured for the specified host.
Set the hostname or IP address and port of the remote syslog server using the command:

Get-VMHost ESXHostnameOrIP | Set-VMHostSysLogServer -SysLogServer SyslogHostnameOrIP -SysLogServerPort PortNumber

For example:

Get-VMHost esxhost1 | Set-VMHostSysLogServer -SysLogServer 10.5.0.200 -SysLogServerPort 514

Note: To remove the remote syslog configuration, set the remote syslog server name to $null.
Validate the configuration change by repeating step 2.

Notes:

To reload changes to the syslog configuration file, use the command: kill -HUP $(cat /var/run/syslogd.pid)from an ESXi host command prompt.

If no process is found from the above command, start the syslog service using the command syslogd .

To retrieve or set the syslog configuration for multiple ESXi hosts at the same time, use Get-VMHost to query for multiple hosts within a data center or cluster. For more information, see the Get-VMHost section of the PowerCLI commandlet reference.

Additional Information

The syslog configuration is stored in the file /etc/syslog.conf, in the format:

logfile=/vmfs/volumes/datstoreuuid/directory/filename loghost=SyslogHostnameOrIP:PortNumber

Enabling syslog on ESX
Location of ESXi 3.5-4.1 log files
Creating a persistent scratch location for ESXi 4.x/5.x/6.x
Habilitando el syslog en ESXi
Configuring advanced options for ESXi/ESX
Configuring syslog on ESXi
ESXi 3.5 および 4.x での syslog の有効化
在 ESXi 3.5 和 4.x 中启用 syslog