Virtual Geek

Tales from real IT system administrators world and non-production environment

Configure syslog on VMware ESXi hosts: VMware best practices

Syslog is a way for VMware vSphere ESXi servers and other network devices to send event messages to a logging server, usually known as a syslog server (the built-in vSphere tool is called VMware Syslog Collector). The syslog protocol is supported by a wide range of devices and can be used to log different types of events. Logs are collected and stored centrally, so they can easily be backed up, viewed, retrieved, and processed. Syslog is a great way to consolidate logs from multiple sources into a single location.

[Image: VMware vSphere Syslog Collector, alerts and event messages sent centrally for the administrator to check]

Configuring a syslog server on ESXi servers is part of best practice, so that all logs are forwarded centrally for troubleshooting. Select the ESXi host, navigate to the Configure tab, and under Advanced System Settings click Edit. Search for the keyword syslog to list all the log-related settings, then modify Syslog.global.logHost and add your syslog server information. The syslog server can be added in any of the formats below. If you want to send ESXi logs to multiple remote syslog collectors, multiple servers are supported and must be separated with a comma (,). 514 is the default port number for syslog and can be changed on the remote syslog server; 1514 is used for SSL.

  • udp://syslogServer:514
  • tcp://syslogServer:514
  • ssl://syslogServer:1514
  • syslogserverIp_or_FQDN
  • udp://syslogServer:514, syslogserverIp_or_FQDN, ssl://syslogServer:1514

vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall

[Screenshot: vSphere Web Client, ESXi Advanced System Settings, modifying Syslog.global.logHost for the syslog client service]

The next step is configuring and opening the firewall ports on the ESXi server. Select the ESXi host, navigate to the Configure tab, and under Security Profile click Edit in the Firewall section. Enable syslog in the list by ticking its checkbox, and finally click OK.

[Screenshot: vSphere Web Client, ESXi Security Profile, Edit firewall: syslog enabled, port 514, connections allowed from any IP address]

If you don't see any logs being collected, check the connectivity between the ESXi host and the syslog server, and also check port reachability using the nc tool (telnet). If you are using UDP to gather logs, telnet will not give you any result and will fail; instead you can use the Windows PortQry tool from Microsoft to check whether the port is listening. I am using the open-source SexiLog appliance to gather logs, and I can see that syslogs are getting collected.
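
The logHost formats listed earlier and the reachability check above can be combined into a pre-flight check run from the ESXi shell. This is an added example, not code from the original post; the function names are hypothetical, and it assumes that an entry without a scheme means udp and that ssl defaults to port 1514.

```sh
#!/bin/sh
# Added example, not from the original post. Assumptions: an entry with no
# scheme means udp; default port is 514 for udp/tcp and 1514 for ssl (the
# post's numbers). IPv6 literals are not handled.

# normalize_loghost VALUE: print "proto host port" per target; fail on bad input.
normalize_loghost() {
    nl_rest=$1
    [ -n "$nl_rest" ] || { echo "empty loghost value" >&2; return 1; }
    while [ -n "$nl_rest" ]; do
        nl_entry=${nl_rest%%,*}
        case $nl_rest in *,*) nl_rest=${nl_rest#*,} ;; *) nl_rest= ;; esac
        nl_entry=$(printf '%s' "$nl_entry" | tr -d ' \t')
        case $nl_entry in
            udp://*|tcp://*|ssl://*) nl_proto=${nl_entry%%://*}; nl_hp=${nl_entry#*://} ;;
            ''|*://*) echo "bad entry: '$nl_entry'" >&2; return 1 ;;
            *) nl_proto=udp; nl_hp=$nl_entry ;;
        esac
        case $nl_proto in ssl) nl_port=1514 ;; *) nl_port=514 ;; esac
        nl_host=$nl_hp
        case $nl_hp in *:*) nl_host=${nl_hp%:*}; nl_port=${nl_hp##*:} ;; esac
        case $nl_port in ''|*[!0-9]*) echo "bad port: '$nl_entry'" >&2; return 1 ;; esac
        if [ -z "$nl_host" ] || [ "$nl_port" -lt 1 ] || [ "$nl_port" -gt 65535 ]; then
            echo "bad entry: '$nl_entry'" >&2; return 1
        fi
        echo "$nl_proto $nl_host $nl_port"
    done
}

# probe_targets VALUE: nc -z connect test for tcp/ssl targets (-w timeout assumed
# supported); udp is skipped, a connect test says nothing about a UDP listener.
probe_targets() {
    pt_list=$(normalize_loghost "$1") || return 1
    pt_rc=0
    while read -r pt_proto pt_host pt_port; do
        if [ "$pt_proto" = udp ]; then
            echo "SKIP $pt_host:$pt_port udp"
        elif nc -z -w 3 "$pt_host" "$pt_port" </dev/null >/dev/null 2>&1; then
            echo "OK $pt_host:$pt_port $pt_proto"
        else
            echo "FAIL $pt_host:$pt_port $pt_proto"; pt_rc=1
        fi
    done <<EOF
$pt_list
EOF
    return $pt_rc
}
```

Source the file in the ESXi shell and pass probe_targets the value you intend to put in Syslog.global.logHost; a FAIL line for a tcp or ssl target points at the firewall ruleset or the collector's listener.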

[Screenshot: VMware vSphere syslog collector gathering central logs from ESXi on UDP/TCP port 514, syslog log directory]

One more trick is to update the syslog information directly on the ESXi server using the esxcli command-line utility (enable SSH and connect to the server with PuTTY). The commands shown are case sensitive. The first command shows the current syslog configuration, the second configures the remote syslog host, and the third reloads the syslog configuration so the new setting takes effect. If you run into issues, see the article Resolved syslog error: Call OptionManager.UpdateValues for object ha-adv-options on ESXi failed.

esxcli system syslog config get
esxcli system syslog config set --loghost="tcp://syslogserver:514"
esxcli system syslog reload

[Screenshot: PuTTY SSH session on ESXi running esxcli system syslog config get, config set --loghost, and syslog reload]

The commands below configure the ESXi firewall. The first command shows the syslog firewall ruleset status; initially it is not configured and is disabled. The second command sets the syslog ruleset to enabled and allows syslog traffic, and the third refreshes the firewall configuration. You can reload the syslog configuration again in case of issues.

esxcli network firewall ruleset list --ruleset-id=syslog
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh

[Screenshot: PuTTY SSH session on ESXi running esxcli network firewall ruleset list, ruleset set, and firewall refresh]

VMWare Best practices
vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
POWERCLI AND VSPHERE WEB CLIENT: JOIN ESXI INTO ACTIVE DIRECTORY DOMAIN CONTROLLER
Resolved syslog error: Call OptionManager.UpdateValues for object ha-adv-options on ESXi failed
