Virtual Geek

Tales from real IT system administrators world and non-production environment

vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall

In my earlier article I wrote about Configure syslog on VMware ESXi hosts: VMware best practices using the VMware vSphere web client GUI. Configuring a syslog server on multiple ESXi hosts manually, click by click, is a tedious task; since automation is everywhere, use it to do the job a better way with VMware PowerCLI. For more on PowerCLI, check my articles below:

VMWARE VSPHERE POWERCLI INSTALLATION AND CONFIGURATION STEP BY STEP
POWERCLI INITIALIZE-POWERCLIENVIRONMENT.PS1 CANNOT BE LOADED BECAUSE RUNNING SCRIPTS IS DISABLED

Once logged into the vCenter server with PowerCLI, run the command below to view the existing syslog server configuration of an ESXi host: Get-VMHostSysLogServer -VMHost esxi001.vcloud-lab.com. If you have multiple hosts, separate them with commas and pipe them through, for example Get-VMHost Esxi001, Esxi002 | Get-VMHostSysLogServer, to retrieve the information in bulk. As in the screenshot below, esxi001 already has a syslog server configured and esxi002 does not.

Next, to configure or modify the setting, use Set-VMHostSysLogServer -VMHost Esxi002.vcloud-lab.com -SysLogServer 'udp://192.168.34.15:514'. Again, if you have multiple hosts, use the same pipeline technique shown above: Get-VMHost Esxi001, Esxi002 | Set-VMHostSysLogServer -SysLogServer 'udp://192.168.34.15:514'.

For more on syslog port numbers and how to use them, check Configure syslog on VMware ESXi hosts: VMware best practices.

[Screenshot: Get-VMHostSysLogServer and Set-VMHostSysLogServer output in PowerCLI]

Next, enable the syslog rule in the ESXi security profile firewall. To get the status of the syslog firewall exception, use Get-VMHostFirewallException -VMHost esxi001.vcloud-lab.com -Name syslog. To check multiple hosts, input the names separated by commas (,). Check the Enabled column; it should be True, because the host cannot send anything to the collector while the rule is disabled, even if the syslog server is configured. To change it to True, use Get-VMHostFirewallException -VMHost esxi002.vcloud-lab.com -Name Syslog | Set-VMHostFirewallException -Enabled:$True.

[Screenshot: Get-VMHostFirewallException and Set-VMHostFirewallException output for the syslog rule]

A final tip: if you want to remove the syslog server and set it to null, use the one-liner cmdlet below.
Set-VMHostSysLogServer -SysLogServer $null -VMHost Host

Another tip: the syslog configuration can also be changed with a different cmdlet, Set-AdvancedSetting. To get the current configuration, run the command below.
Get-VMHost esxi001.vcloud-lab.com | Get-AdvancedSetting -Name Syslog.Global.Loghost

And to change the syslog.global.loghost value:
Get-VMHost esxi001.vcloud-lab.com | Get-AdvancedSetting -Name Syslog.Global.Loghost | Set-AdvancedSetting -Value udp://10.168.34.15:514 -Confirm:$false

[Screenshot: Get-AdvancedSetting and Set-AdvancedSetting output for Syslog.Global.Loghost]
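The cmdlets above check one host at a time; the function below, an added example that is not code from the original article, audits every host in the connected vCenter in one pass, reading Syslog.Global.Loghost and the syslog firewall exception and flagging hosts that are not actually shipping logs to the expected collector. It assumes an existing Connect-VIServer session; the expected loghost value is a constructed lab value.

```powershell
# Added example (not from the original article): audit syslog configuration and the syslog
# firewall rule on every ESXi host and report which hosts are not compliant.
# Assumes an existing Connect-VIServer session.

function Get-EsxiSyslogAudit {
    param(
        # Collector URL in the form the host stores it, e.g. 'udp://192.168.34.15:514' (lab value)
        [Parameter(Mandatory)][string]$ExpectedLogHost
    )

    foreach ($vmhost in (Get-VMHost | Sort-Object -Property Name)) {
        # Syslog.Global.Loghost holds the remote target(s); several targets are comma-separated
        $logHostValue = ($vmhost | Get-AdvancedSetting -Name Syslog.Global.Loghost).Value
        $targets = @()
        if ($logHostValue) {
            $targets = @($logHostValue -split ',' | ForEach-Object { $_.Trim() })
        }

        # The syslog ruleset must be enabled or the host cannot reach the collector at all
        $fwRule    = Get-VMHostFirewallException -VMHost $vmhost -Name syslog
        $fwEnabled = [bool]$fwRule.Enabled

        # -contains is case-insensitive, matching how the host treats the URL
        $hasTarget = $targets -contains $ExpectedLogHost

        [pscustomobject]@{
            VMHost          = $vmhost.Name
            LogHost         = ($targets -join ',')
            FirewallEnabled = $fwEnabled
            Compliant       = ($hasTarget -and $fwEnabled)
            Finding         = if (-not $hasTarget) { 'loghost missing or wrong' }
                              elseif (-not $fwEnabled) { 'syslog firewall rule disabled' }
                              else { 'ok' }
        }
    }
}

# Usage: list only the hosts that need attention
Get-EsxiSyslogAudit -ExpectedLogHost 'udp://192.168.34.15:514' |
    Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```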


This is my favorite method: using the PowerCLI Get-EsxCli -V2 interface, which exposes the esxcli functionality.

This command creates a connection to the specific host ESXi002:
$esxcli = Get-EsxCli -VMHost esxi002.vcloud-lab.com -V2

This shows the current configuration:
$esxcli.system.syslog.config.get.Invoke()

Next, configure the syslog server by adding an entry to loghost; a successful configuration returns true in the result.
$esxcli.system.syslog.config.set.Invoke(@{loghost='tcp://192.168.34.11:514'})

Reload the new configuration with:
$esxcli.system.syslog.reload.Invoke()

[Screenshot: esxcli v2 system syslog config get, set and reload output]

Next is configuring the firewall. The first command shows the syslog firewall ruleset and whether it is enabled; the second line sets the ruleset to enabled and returns true once the configuration succeeds; the third line refreshes the firewall configuration.

$esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid='syslog'})
$esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid='syslog'; enabled=$true})
$esxcli.network.firewall.refresh.Invoke()

[Screenshot: esxcli v2 network firewall ruleset list, set and refresh output]
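The esxcli v2 steps above (config set, reload, ruleset set, refresh) as one function, an added example that is not code from the original article: it applies them to a list of hosts and then reads the syslog configuration and ruleset back so the change is verified rather than assumed from the return codes. It assumes a connected vCenter session; the host names and collector URL are the lab values used in this article, and the RemoteHost and Enabled property names follow the esxcli output field names.

```powershell
# Added example (not from the original article): configure the syslog collector on several hosts
# through Get-EsxCli -V2 and verify the result by reading it back. Assumes a connected vCenter session.

function Set-EsxiSyslogViaEsxcli {
    param(
        [Parameter(Mandatory)][string[]]$HostName,
        [Parameter(Mandatory)][string]$LogHost     # e.g. 'tcp://192.168.34.11:514' (lab value)
    )

    foreach ($name in $HostName) {
        $esxcli = Get-EsxCli -VMHost $name -V2

        # 1. Point the host at the collector; the set call returns $true on success
        $setOk = $esxcli.system.syslog.config.set.Invoke(@{ loghost = $LogHost })

        # 2. Reload so the syslog daemon picks up the new target
        $null = $esxcli.system.syslog.reload.Invoke()

        # 3. Open the syslog ruleset and refresh the firewall; nothing leaves the host until this is done
        $fwOk = $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'syslog'; enabled = $true })
        $null = $esxcli.network.firewall.refresh.Invoke()

        # 4. Verify by reading back instead of trusting the return codes alone
        #    (RemoteHost / Enabled are the esxcli output fields; assumed property names)
        $cfg  = $esxcli.system.syslog.config.get.Invoke()
        $rule = @($esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = 'syslog' }))[0]

        [pscustomobject]@{
            VMHost           = $name
            SetReturned      = [bool]$setOk
            FirewallReturned = [bool]$fwOk
            RemoteHost       = $cfg.RemoteHost
            FirewallEnabled  = [bool]$rule.Enabled
            Verified         = ($cfg.RemoteHost -eq $LogHost) -and [bool]$rule.Enabled
        }
    }
}

# Usage: configure two hosts and show any whose read-back did not match what was requested
Set-EsxiSyslogViaEsxcli -HostName 'esxi001.vcloud-lab.com', 'esxi002.vcloud-lab.com' `
    -LogHost 'tcp://192.168.34.11:514' | Where-Object { -not $_.Verified }
```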

Here I tested the free Syslog Watcher tool; it only accepts and collects syslog messages over the UDP port. Note that the collector's transport must match the loghost URL on the host: a host configured with tcp:// will not reach a collector that listens only on UDP.

[Screenshot: Syslog Watcher receiving ESXi syslog messages over UDP]
