
Configure ESXi Syslog to LEM

Updated April 9, 2018

Overview

This article explains how to configure ESXi to send syslog to LEM.

If anything here conflicts with VMware documentation, use VMware documentation as the definitive source.

Environment

  • All LEM versions

Steps

To configure the ESXi server to send syslog using the graphical interface, make the following changes.

  1. Open a browser to vSphere or the ESXi client to access ESXi.
  2. In the vSphere Web Client inventory, select the host.
  3. Click the Manage tab.
  4. In the System panel, click Advanced System Settings.
  5. Locate the Syslog section of the Advanced System Settings list.
  6. To set up logging globally, select the setting to change, click the Edit icon, and enter:
         udp://LEM-appliance-ip-or-hostname:514

         (Steps 7 and 8 define the ESXi firewall rule that allows syslog output to LEM.)
  7. Select the Configuration tab, click the Security Profile menu, then in the Firewall section click Properties.
  8. Scroll down until you find the syslog rule. Check the box next to it and click OK.

     

To configure syslog from the ESXi command line:

     esxcli system syslog config set --loghost=udp://<LEM-ip-address-or-hostname>:514
               (for example, if the LEM IP is 10.2.3.4, use --loghost=udp://10.2.3.4:514)
     esxcli system syslog reload

     Other commands:
          esxcli system syslog config get          (displays the current settings)
          esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN       (the entire command, if needed)
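The following check is an added example, not part of the original article or any vendor tooling: it confirms that both halves of the procedure took effect, that is, the remote host is the expected LEM target and the ESXi firewall's syslog ruleset is enabled. The function names, the abridged sample output and its column layout are constructed assumptions; 10.2.3.4 is the example LEM address used above.

```shell
#!/bin/sh
# Added example (not from the article): audit ESXi syslog forwarding to LEM. Names are assumed.

# Print the "Remote Host:" value from `esxcli system syslog config get` output on stdin.
remote_host() {
    sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p'
}

# Succeed if the comma-separated loghost list $1 contains the exact target $2.
has_target() {
    for h in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$h" = "$2" ] && return 0
    done
    return 1
}

# Print the Enabled column for ruleset $1 from `esxcli network firewall ruleset list` on stdin.
ruleset_enabled() {
    awk -v r="$1" '$1 == r { print $2 }'
}

# audit <config text> <ruleset text> <expected target>; returns 0 only if both checks pass.
audit() {
    rc=0
    hosts=$(printf '%s\n' "$1" | remote_host)
    if ! has_target "$hosts" "$3"; then
        echo "FAIL: Remote Host is '${hosts:-<none>}', expected $3"; rc=1
    fi
    if [ "$(printf '%s\n' "$2" | ruleset_enabled syslog)" != "true" ]; then
        echo "FAIL: firewall ruleset 'syslog' is not enabled"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: forwarding to $3, syslog ruleset enabled"
    return "$rc"
}

# Constructed sample output (abridged) so the functions can be tried off-host.
SAMPLE_CFG='   Local Log Output: /scratch/log
   Remote Host: udp://10.2.3.4:514'
SAMPLE_FW='Name    Enabled
------  -------
syslog     true'

# On an ESXi host, audit the live configuration; elsewhere, audit the sample.
if command -v esxcli >/dev/null 2>&1; then
    audit "$(esxcli system syslog config get)" \
        "$(esxcli network firewall ruleset list --ruleset-id=syslog)" "${1:-udp://10.2.3.4:514}"
else
    audit "$SAMPLE_CFG" "$SAMPLE_FW" "udp://10.2.3.4:514"
fi
```

On a host, pass the expected target as the first argument, in the same udp://host:port form that was given to --loghost.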
 

 

https://docs.vmware.com/en/VMware-vS...etup-guide.pdf

-----
 

Troubleshooting syslog not being sent from the ESXi server:

  1. Check the service:   ps -Cuv | grep vmsyslogd
  2. Or look at the log on ESXi:   /var/log/.vmsyslogd.err
  3. Start the service:  /usr/lib/vmware/vmsyslog/bin/vmsyslogd
  4. Load the syslog config:  esxcli system syslog reload
    Full command:  (esxcli [--hostname --username] system syslog reload)


        nc -z -u 10.11.12.13 514       (run on ESXi to test whether ESXi can reach LEM (10.11.12.13) on UDP port 514; -u selects UDP, without it nc tests TCP. UDP is connectionless, so a success result only shows that no port-unreachable reply came back.)


 

When ESXi is syslogging to LEM, any of the following LEM logs could contain alerts:

     local4.log     (typically the VMware ESXi Hostd connector)
     local6.log     (typically the VMware ESXi Vmkernel connector)
     auth.log     (typically the VMware ESXi messages connector)
     cron.log     (typically the VMware ESXi messages connector)
     daemon.log     (typically the VMware ESXi messages connector)
     kern.log     (typically the VMware ESXi messages connector)
     mail.log     (typically the VMware ESXi messages connector)
     syslog.log     (typically the VMware ESXi messages connector)
     user.log     (typically the VMware ESXi messages connector)
     vmkwarning     (typically the VMware ESXi Vmkwarning connector)

The above logs can be viewed from a vSphere/Hyper-V console (or PuTTY session) using the "checklogs" command under the "appliance" menu, or with the help of support.
 

-----
 

Vsphere 6.0 - https://docs.vmware.com/en/VMware-vS...E0512DC21.html

 

vSphere does allow changing the level of events sent to syslog.

Verify that the user you use to log in to the vCenter Server instance is a member of the SystemConfiguration.Administrators group in the vCenter Single Sign-On domain.
Procedure

  1. Log in as administrator@your_domain_name to the vCenter Server instance in the vCenter Server Appliance by using the vSphere Web Client.
  2. On the vSphere Web Client Home page, click System Configuration.
  3. Under System Configuration, click Nodes and select a node from the list.
  4. Click the Related Objects tab.
  5. From the list of services running in the node you selected, right-click VMware Syslog Service, select Settings, and click Edit.
  6. From the Common Log Level drop-down menu, select the log files to redirect:

        info - Only informational log files are redirected to the remote machine.
        notice - Only notices are redirected to the remote machine. (Notice indicates a normal but significant condition.)
        warn - Only warnings are redirected to the remote machine.
        error - Only error messages are redirected to the remote machine.
        crit - Only critical log files are redirected to the remote machine.
        alert - Only alerts are redirected to the remote machine. (Alert indicates that action must be taken immediately.)
        emerg - Only emergency log files are redirected to the remote machine. (Emergency indicates that the system stopped responding and cannot be used.)

  7. In the Remote Syslog Host text box, enter the FQDN or IP address of the machine to which you want to export the log files.
  8. In the Remote Syslog Port text box, enter the port number to use for communication with the machine to which you want to export the log files.
  9. From the Remote Syslog Protocol drop-down, select the protocol to use.
  10. Click OK, then from the Actions menu click Restart so that the configuration changes are applied.

 

For reference, here are some of the logs kept on ESXi:
    /var/log/auth.log: ESXi Shell authentication success and failure.
    /var/log/dhclient.log: DHCP client service, discovery, lease requests/renewals.
    /var/log/esxupdate.log: ESXi patch and update installation logs.
    /var/log/lacp.log: Link Aggregation Control Protocol logs.
    /var/log/hostd.log: Host mgmt-service, vm/host tasks, vSphere/vCenter-comm, vpxa & SDK.
    /var/log/hostd-probe.log: Host management service responsiveness checker.
    /var/log/rhttpproxy.log: HTTP connections proxied on behalf of other ESXi host webservices.
    /var/log/shell.log: ESXi Shell usage, enable/disable and commands entered.
    /var/log/sysboot.log: Early VMkernel startup and module loading.
    /var/log/boot.gz: boot log info, read using zcat /var/log/boot.gz|more.
    /var/log/syslog.log: Mgmt service init, watchdogs, scheduled tasks and DCUI use.
    /var/log/usb.log: USB arbitration, discovery & pass-through to VMs.
    /var/log/vobd.log: VMkernel Observation events, similar to vob.component.event.
    /var/log/vmkernel.log: Core VMkernel, device discovery, storage, networking, device/driver.
    /var/log/vmkwarning.log: Warning/Alert logs from VMkernel logs.
    /var/log/vmksummary.log: ESXi host startup/shutdown, heartbeat, VM's running, resources.
    /var/log/Xorg.log: Video acceleration.
vCenter:
    /var/log/vpxa.log: vCenter vpxa agent, vCenter & Host mgmt hostd agent.
    /var/log/fdm.log: vSphere High Availability logs, produced by the fdm service.

 

 

 
