Syslog is a way for VMware vSphere ESXi servers, or other network devices, to send event messages to a logging server, usually known as a syslog server (vSphere ships an inbuilt one called VMware Syslog Collector). The syslog protocol is supported by a wide range of devices and can be used to log different types of events. Logs are collected and stored centrally, so they can easily be backed up, viewed, retrieved and processed. Syslog is a great way to consolidate logs from multiple sources into a single location.
Configuring a syslog server on ESXi hosts is part of best practice, so that all logs are forwarded centrally for troubleshooting. Select the ESXi host, navigate to the Configure tab, under Advanced System Settings click Edit, and search for the keyword syslog; this lists all the settings related to logs. Modify Syslog.global.logHost and add your syslog server information in one of the formats below. If you want to send ESXi logs to multiple remote syslog collectors, multiple servers are supported and must be separated with a comma (,). 514 is the default port number for syslog and can be changed on the remote syslog server; 1514 is used for SSL.
- udp://syslogServer:514
- tcp://syslogServer:514
- ssl://syslogServer:1514
- syslogserverIp_or_FQDN
- udp://syslogServer:514, syslogserverIp_or_FQDN, ssl://syslogServer:1514
vSphere PowerCLI - Configure syslog on VMware ESXi hosts and Enable security profile firewall
The next step is configuring and opening the firewall port on the ESXi server. Select the ESXi host, navigate to the Configure tab, under Security Profile click Edit next to Firewall, and enable syslog by ticking its checkbox in the list. Finally click OK.
If you don't see any logs getting collected, for troubleshooting you can check the connectivity between ESXi and the syslog server, and also check port reachability using the nc tool (telnet). If you are using the UDP protocol to gather logs, telnet will not give any result and will fail; instead you can use the Windows PortQry tool from Microsoft to check whether the port is listening. I am using the open-source SexiLog appliance to gather logs, and I can see syslogs are getting collected.
I am showing one more trick: update the syslog information directly on the ESXi server using the esxcli command-line utility (enable SSH and connect with PuTTY). The commands shown are case sensitive. The first command shows the current configuration, i.e. which syslog host is configured; the second command configures the remote syslog host; the third and last command reloads the syslog configuration so the new setting takes effect. If you are facing issues, use the article Resolved syslog error: Call OptionManager.UpdateValues for object ha-adv-options on ESXi failed.
esxcli system syslog config get
esxcli system syslog config set --loghost="tcp://syslogserver:514"
esxcli system syslog reload
The commands below configure the ESXi firewall. The first command shows the status of the syslog firewall ruleset; initially it is not configured and is disabled. The second command sets the syslog ruleset to enabled and allows syslog traffic, and the third command refreshes the firewall configuration. You can reload the syslog configuration again in case of issues.
esxcli network firewall ruleset list --ruleset-id=syslog
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
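As an added example (this is not code from the original post), the same steps done from a PowerCLI session, which the post's title refers to: it sets Syslog.global.logHost on every host, enables the syslog firewall ruleset, reloads the syslog daemon through the esxcli interface, and then probes the TCP/SSL targets from the workstation. The vCenter name and the syslog target list are placeholders to replace; bare hostnames and udp:// targets are skipped by the probe for the reason given above (a UDP listener gives no reply to a TCP test).

```powershell
# Added example, not the post's own code. Assumes the VMware.PowerCLI module is
# installed and that $vcenter / $syslogTargets are replaced with real values.
Import-Module VMware.PowerCLI

$vcenter       = "vcenter.example.local"   # placeholder
# Placeholder, comma separated in the same formats as the list above
$syslogTargets = "tcp://syslogserver.example.local:514,ssl://syslogserver.example.local:1514"

Connect-VIServer -Server $vcenter | Out-Null

foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Syslog.global.logHost is the same advanced setting edited in the UI / esxcli
    $setting = Get-AdvancedSetting -Entity $vmhost -Name "Syslog.global.logHost"
    Write-Host ("{0}: current logHost = '{1}'" -f $vmhost.Name, $setting.Value)

    if ($setting.Value -ne $syslogTargets) {
        Set-AdvancedSetting -AdvancedSetting $setting -Value $syslogTargets -Confirm:$false | Out-Null
        Write-Host ("{0}: logHost set to '{1}'" -f $vmhost.Name, $syslogTargets)
    }

    # Outbound syslog ruleset in the host's Security Profile firewall
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name "syslog"
    if (-not $rule.Enabled) {
        Set-VMHostFirewallException -Exception $rule -Enabled $true | Out-Null
        Write-Host ("{0}: syslog firewall ruleset enabled" -f $vmhost.Name)
    }

    # Equivalent of 'esxcli system syslog reload' through the esxcli V2 interface
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $esxcli.system.syslog.reload.Invoke() | Out-Null
}

Disconnect-VIServer -Server $vcenter -Confirm:$false

# Reachability check from this workstation (not from the host itself):
# only tcp:// and ssl:// targets can be probed with a TCP connect.
foreach ($target in $syslogTargets -split ",") {
    $target = $target.Trim()
    if ($target -match '^(tcp|ssl)://([^:/]+):(\d+)$') {
        $ok = (Test-NetConnection -ComputerName $Matches[2] -Port ([int]$Matches[3]) `
                -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("{0} -> {1}" -f $target, $(if ($ok) { "reachable" } else { "NOT reachable" }))
    } else {
        # udp:// or a bare host (udp/514 by default) cannot be verified this way
        Write-Host ("{0} -> skipped (UDP target, use PortQry on the collector side)" -f $target)
    }
}
```

The probe runs from the machine executing the script, so a "reachable" result proves the collector is listening, not that the host's management network can reach it; if the host still shows nothing at the collector, check its routing and the firewall ruleset output from the esxcli commands above.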
VMWare Best practices
VMWARE SECURITY BEST PRACTICES: POWERCLI ENABLE OR DISABLE ESXI SSH
vSphere ESXi security best practices: Time configuration - (NTP) Network Time Protocol
POWERCLI AND VSPHERE WEB CLIENT: JOIN ESXI INTO ACTIVE DIRECTORY DOMAIN CONTROLLER
Resolved syslog error: Call OptionManager.UpdateValues for object ha-adv-options on ESXi failed