How to validate vRealize Log Insight 4.x is receiving syslog events from clients
Article ID: 324360
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
vRealize Log Insight is not receiving syslog events as expected from syslog clients.
Validation that vRealize Log Insight is receiving the syslog events is needed.
Environment
VMware vRealize Log Insight 4.x
Resolution
To validate whether vRealize Log Insight is receiving events at the network level, use tcpdump on the appliance by following the steps below.
SSH to each node in the vRealize Log Insight Cluster.
Run the command below on each node.
tcpdump -nAs0 -i eth0 host <syslog_client_IP> and port syslog | grep -i -B1 <searching_event_pattern>
Note: Replace <syslog_client_IP> and <searching_event_pattern> with the correct values as needed. You can also remove | grep -i -B1 <searching_event_pattern> from the command to confirm that any traffic at all is arriving from the source client.
Example: tcpdump -nAs0 -i eth0 host 192.168.1.63 and port syslog | grep -i -B1 vpxa
Watch each node to see if the events come through as expected. You can grep for specific logging level types such as DEBUG, INFO, WARN, or ERROR, or you can grep for text expected in the fields.
If the expected logs do not show in tcpdump, further review of the network path from the syslog client to vRealize Log Insight is needed, or further review of the syslog client side configuration (such as logging levels or the syslog config) is needed.
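The following script is an added example, not part of the KB article: it wraps the tcpdump command above in a bounded capture on a Log Insight node and then classifies the saved output into the three outcomes this section describes (events seen, traffic but no match, no traffic). The interface name, output path, use of timeout, and the sample capture lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB): bounded capture plus triage of tcpdump -A output
# on a Log Insight node. Interface, paths and the sample capture are constructed.

# capture_syslog <iface> <client_ip> <seconds> <out_file>
# Runs the KB's tcpdump filter for a bounded time (needs root; tcpdump is absent on
# 4.6.x and later) and saves the text output for triage_capture below.
capture_syslog() {
    timeout "$3" tcpdump -nAs0 -i "$1" host "$2" and port syslog > "$4" 2>/dev/null
    [ -s "$4" ]   # success only if something was captured
}

# triage_capture <capture_file> <client_ip> <expected_pattern>
# Prints one verdict line. Return codes map to the KB's next steps:
#   0 = expected events seen
#   1 = packets from the client, but none match -> review client logging level / syslog config
#   2 = no packets from the client at all     -> review the network path to Log Insight
triage_capture() {
    cap=$1; client=$2; pattern=$3
    # With -n, tcpdump prints the sender as "IP <addr>.<port> >" in each packet header line.
    pkts=$(grep -c -F "IP $client." "$cap" || true)
    if [ "$pkts" -eq 0 ]; then
        echo "NO_TRAFFIC: no syslog packets from $client; check the network path to Log Insight"
        return 2
    fi
    hits=$(grep -c -i -- "$pattern" "$cap" || true)
    if [ "$hits" -eq 0 ]; then
        echo "NO_MATCH: $pkts packets from $client, none contain '$pattern'; check client logging level/syslog config"
        return 1
    fi
    echo "OK: $pkts packets from $client, $hits contain '$pattern'"
    return 0
}

# level_summary <capture_file>: per-level counts for the levels the KB suggests grepping for.
level_summary() {
    for lvl in DEBUG INFO WARN ERROR; do
        printf '%s=%s\n' "$lvl" "$(grep -c -i -- "$lvl" "$1" || true)"
    done
}

# Constructed sample of what the KB's example (host 192.168.1.63, pattern vpxa) might show.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.63.45678 > 10.0.0.5.514: Flags [P.], seq 1:120, length 119
<166>2024-01-01T12:00:01Z esx01.example.test vpxa[2098]: [Originator@6876 sub=vpxLro] -- BEGIN session
12:00:01.000002 IP 192.168.1.63.45678 > 10.0.0.5.514: Flags [P.], seq 120:230, length 110
<165>2024-01-01T12:00:01Z esx01.example.test Hostd: warning hostd[2097] Refresh failed
12:00:02.000003 IP 192.168.1.63.45678 > 10.0.0.5.514: Flags [P.], seq 230:300, length 70
<167>2024-01-01T12:00:02Z esx01.example.test sshd[3001]: debug1: Connection established'
```

Typical use on a node is `capture_syslog eth0 192.168.1.63 60 /tmp/syslog.cap && triage_capture /tmp/syslog.cap 192.168.1.63 vpxa`, and the exit code tells you which of the two follow-up reviews in the step above applies.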
Additional Information
Note: tcpdump is not included in 4.6.x and later releases. To install tcpdump for these versions, please reach out to VMware Support.
Client Side Validation:
ESXi
To validate from ESXi that the syslogs are being sent, run the following command via SSH:
tcpdump-uw -nAs0 -i <host_VMK_ID> host <Log_Insight_IP> | grep -i <searching_event_pattern>
Note: Replace <host_VMK_ID>, <Log_Insight_IP>, and <searching_event_pattern> with their corresponding values.
Example: tcpdump-uw -nAs0 -i vmk1 host 172.30.0.28 | grep -i sshd