Configuring syslog on ESXi


Article ID: 318939


Products

VMware vSphere ESXi

Issue/Introduction

Syslog:

VMware vSphere ESXi 5.0 and higher hosts run a Syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs, ESXi can be configured to write them to an alternate storage location on disk and to send them across the network to a Syslog server.

Retention, rotation, and splitting of logs received and managed by a Syslog server are fully controlled by that Syslog server. ESXi cannot configure or control log management on a remote Syslog server. For more information, see the documentation for the Syslog server.

Earlier versions of vSphere ESXi are configured differently. For more information, see Enabling syslog on ESXi 3.5 and 4.x.

Syslog Location:

Regardless of the additional Syslog configuration specified using these options, logs continue to be placed in the default locations on the ESXi host. For more information, see the Location of ESXi 3.5-4.1 log files or Location of ESXi 5.1 and 5.5 log files.

If vSphere Syslog Collector is used to receive logs from ESXi hosts, see the Install or Upgrade vSphere Syslog Collector section of the vSphere Installation and Setup Guide, or the VMware Syslog Service section of the ESXi and vCenter Server 6.0 Documentation Guide.


Environment

VMware ESX 4.0.x
VMware ESXi 4.0.x Installable
VMware ESX Server 3.5.x
VMware ESX 4.1.x
VMware vSphere ESXi 6.0
VMware ESXi 3.5.x Installable
VMware ESXi 3.5.x Embedded
VMware vSphere ESXi 5.1
VMware vSphere ESXi 7.0.0
VMware ESXi 4.1.x Installable
VMware vSphere ESXi 5.0
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 6.7
VMware ESXi 4.0.x Embedded
VMware vSphere ESXi 6.5
VMware ESX Server 3.0.x
VMware vSphere ESXi 5.5

Resolution

Configuration of the Syslog service on ESXi 5.x and 6.0 can be performed using Host Profiles, the vCLI, or the Advanced Configuration options in the vSphere Client/vSphere Web Client. Select the most appropriate method for your environment. Configuration cannot be performed by running the vicfg-syslog command.

There are five configurable options:

  • Syslog.global.logDir - Location on a local or remote datastore (VMFS, NFS, FAT) and path where logs are saved. Has the format [DatastoreName] DirectoryName, which maps to /vmfs/volumes/DatastoreName/DirectoryName/.
    • On ESXi 6.5 and earlier, the specified DirectoryName is created if it does not exist. On ESXi 6.7 and later, the log directory must exist before the global logging directory parameter is configured. If the specified DirectoryName does not exist, configuring the Syslog.global.logDir parameter fails with "Internal error" in the UI and a "Logdir must exist and be a directory" error message in the log file /var/run/log/hostd.log.
    • If /scratch is defined, the default is []/scratch/log. For more information on scratch, see Creating a persistent scratch location for ESXi 7.x/6.x/5.x/4.x.
  • Syslog.global.logHost - Comma-delimited list of remote servers where logs are sent using the syslog protocol. If the logHost field is blank, no logs are forwarded. Include the protocol and port, similar to tcp://hostname:514 or udp://hostname:514 or ssl://hostname:1514.
  • Syslog.global.logDirUnique - A boolean option which controls whether a host-specific directory is created within the configured logDir. The directory name is the hostname of the ESXi host. A unique directory is useful if the same shared directory is used by multiple ESXi hosts. Defaults to false.
  • Syslog.global.defaultRotate - The maximum number of log files to keep locally on the ESXi host in the configured logDir. Does not affect remote syslog server retention. Defaults to 8.
  • Syslog.global.defaultSize - The maximum size, in kilobytes, of each local log file before it is rotated. Does not affect remote syslog server retention. Defaults to 1024 KB. For more information on sizing, see Providing Sufficient Space for System Logging.

    Note: To set the logging level individually for system components such as auth and hostd, select the loggers under syslog in the vSphere Client GUI and set each to the desired value.

Configuring Local and Remote Logging using the esxcli command

Local and Remote syslog functionality can be configured for a host using the esxcli command line utility, which can be used at the console of an ESXi host, in the vCLI, or in the vMA.

For more information regarding the use of esxcli, see the vSphere Command-Line Interface Documentation.

  1. Open an ESXi Shell console session where the esxcli command is available, such as the vCLI or on the ESXi host directly.
  2. Display the existing five configuration options on the host by running this command:
    esxcli system syslog config get
  3. Set the new host configuration, specifying the options to change, by running this command:
    esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN
    For example, to configure remote syslog using TCP on port 514:
    esxcli system syslog config set --loghost='tcp://10.11.12.13:514'

    Note: When using Syslog with UDP on ESXi 5.0, you must download and install the patch VMware ESXi 5.0, Patch ESXi-5.0.0-20120704001-standard.
  4. After making configuration changes, load the new configuration by running this command:
    esxcli system syslog reload
  5. Run this command to test if the port is reachable from the ESXi host:
    nc -z RemoteHostname 514
    For example:
    nc -z 10.11.12.13 514
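
The following script is an added example, not part of the VMware article. It validates a Syslog.global.logHost value against the proto://host:port format described above, creates the log directory first (required on ESXi 6.7 and later), and then runs steps 3 to 5 together with the syslog firewall rule set commands from the Additional Information section. The function names (run, valid_entry, plaintext_targets, configure_syslog) and the APPLY variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not VMware's code. Dry run by default: commands are printed.
# Set APPLY=1 on an ESXi host to execute them. Function names are hypothetical.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Succeeds only for proto://host:port (tcp|udp|ssl, hostname or IPv4, port 1-65535).
valid_entry() (
    case $1 in tcp://*|udp://*|ssl://*) ;; *) exit 1 ;; esac
    hostport=${1#*://}; host=${hostport%:*}; port=${hostport##*:}
    [ "$host" != "$hostport" ] || exit 1    # no ":port" given
    case $host in ''|*[!A-Za-z0-9.-]*) exit 1 ;; esac
    case $port in ''|*[!0-9]*) exit 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
)

# Prints every entry of a comma-delimited logHost list that is not ssl://
# (tcp:// and udp:// send log data unencrypted). Fails on a malformed entry.
plaintext_targets() (
    [ -n "$1" ] || exit 1
    IFS=,; set -f; set -- $1
    for e in "$@"; do
        valid_entry "$e" || { echo "bad logHost entry: $e" >&2; exit 1; }
        case $e in ssl://*) ;; *) echo "$e" ;; esac
    done
)

# configure_syslog LOGHOST [LOGDIR]: steps 3-5 plus the syslog firewall rule set.
configure_syslog() (
    loghost=$1; logdir=${2:-}
    plain=$(plaintext_targets "$loghost") || exit 1
    [ -z "$plain" ] || echo "note: forwarded without TLS:" $plain >&2
    if [ -n "$logdir" ]; then
        # ESXi 6.7 and later reject a logdir that does not exist yet.
        [ -d "$logdir" ] || run mkdir -p "$logdir"
        run esxcli system syslog config set --logdir="$logdir" --loghost="$loghost"
    else
        run esxcli system syslog config set --loghost="$loghost"
    fi
    run esxcli system syslog reload
    run esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    run esxcli network firewall refresh
    oifs=$IFS; IFS=,; set -f; set -- $loghost; set +f; IFS=$oifs
    for e in "$@"; do
        hp=${e#*://}
        # nc -z without -u is a TCP connect test, so udp:// targets are skipped.
        case $e in udp://*) ;; *) run nc -z "${hp%:*}" "${hp##*:}" ;; esac
    done
)

[ $# -eq 0 ] || configure_syslog "$@"
```

Without APPLY=1 the script only prints the command sequence for review. The optional second argument is a filesystem path, as in the --logdir example in step 3.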

Configuring Local and Remote logging using Host Profiles

Local and Remote syslog functionality can be configured for a cluster of similar hosts using Host Profiles. For more information, see the Set Up Syslog from the Host Profiles Interface section of the vSphere Installation and Setup Guide.
  1. Connect to vCenter Server using the vSphere Client.
  2. Click Home.
  3. Under the Management section, click Host Profiles.
  4. Create a new profile or edit an existing profile.
  5. In the Edit Profile dialog, set one or more of the five configuration options.
     
    • If you configured syslog using esxcli or advanced configuration options and captured this as a reference host, the 5 configuration options are already visible under the Advanced Configuration option section.
    • If syslog has not been previously configured, right-click the Advanced Configuration options section and add a profile for each of the five configuration options.
  6. Save the profile and assign it to hosts.

Configuring Local and Remote logging using Host Profiles in the vSphere Web Client

  1. Connect to vCenter Server using vSphere Web Client.
  2. Click Home.
  3. Under the Operations and Policies section, click Host Profiles.
  4. Create a new profile or edit an existing profile.
  5. In the Edit Profile dialog, set one or more of the five configuration options.
  6. Save the profile and assign it to hosts.

For more information on configuring syslog using the vSphere Web Client without a host profile, see the Configure Syslog on ESXi Hosts section in vSphere 6.0 Documentation.

Configuring Local and Remote Logging using Advanced Configuration options

Local and Remote syslog functionality can be configured for a host using advanced configuration options, which can be set using the vSphere Client, vSphere Web Client, PowerCLI, or vCLI.

For more information, see the Configure Syslog on ESXi Hosts section of the vSphere Single Host Management Guide.

This configuration cannot be performed using the local console's esxcfg-advcfg command. For more information on setting advanced configuration options using each method, see Configuring advanced options for ESXi/ESX.

Note: If the ESXi host loses communication with the remote syslog server, logs stop being pushed to the syslog server. You see the "failed to write log" error in the /var/log/.vmsyslogd.err file. Nothing is sent to the remote syslog server until the syslogd service is restarted.


Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

Configuring ESXi Firewall Exception using the esxcli command/syslog port:

Note: You may need to manually open the Firewall rule set for syslog when redirecting logs. For UDP traffic, this firewall rule has no effect in ESXi 5.0 build 456551 and the UDP port 514 traffic flows regardless.

To open outbound traffic through the ESXi Firewall on UDP port 514 and TCP ports 514 and 1514, run these commands:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

Additionally, you can review Port requirements for ESXi.

For more information see: