Configuring ESXi Syslog Services

ESXi Syslog Services

All ESXi hosts run a syslog service, which logs messages from the VMkernel and other system components to local files or to a remote host.
You can use the vSphere Client, or use the esxcli system syslog command, to configure the following parameters of the syslog service.

- Remote host and port - Remote host to which syslog messages are forwarded and port on which the remote host receives syslog messages. The remote host must have a log listener service installed and correctly configured to receive the forwarded syslog messages. See the documentation for the syslog service installed on the remote host for information on configuration.
- Transport protocol - Logs can be sent by using UDP, which is the default, TCP, or SSL transports.
- Local logging directory - Directory where local copies of the logs are stored. The directory can be located on mounted NFS or VMFS volumes. Only the /scratch directory on the local file system is persistent across reboots.
- Unique directory name prefix - Setting this option to true creates a subdirectory with the name of the ESXi host under the specified logging directory. This method is especially useful if the same NFS directory is used by multiple ESXi hosts.
- Log rotation policies - Sets maximum log size and the number of archives to keep. You can specify policies both globally and for individual subloggers. For example, you can set a larger size limit for the vmkernel log.

After making configuration changes, restart the vmsyslogd syslog service by running esxcli system syslog reload.

For audit events, you should use syslog with either TCP on port 514 or TLS on port 1514. To use unencrypted syslog, you must prefix the entry with tcp://. To use encrypted syslog through the TLS protocol, you must prefix the entry with ssl://. For security reasons, you should use the TLS protocol for communications. To use the TLS protocol, you must load a public CA certificate onto ESXi that is suitable for the syslog server.

The esxcli system syslog command allows you to configure the logging behavior of your ESXi system. You can manage the top-level logger and subloggers. The command has the following options.

Option | Description |
---|---|
mark | Marks all logs with the specified string. |
reload | Reloads the configuration, and updates any changed configuration values. |
config get | Retrieves the current configuration. |
config set | Sets the configuration. Use one of the following options. |
config logger list | Shows currently configured subloggers. |
config logger set | Sets configuration options for a specific sublogger. Use one of the following options. |

esxcli system syslog Usage

The following workflow illustrates how you might use esxcli system syslog for log configuration. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

- Show configuration options.
    esxcli <conn_options> system syslog config get
    Default Rotation Size: 1024
    Default Rotations: 8
    Log Output: /scratch/log
    Log to Unique Subdirectory: false
    Remote Host: <none>
- Set all logs to keep twenty rotations before overwriting the oldest log.
    esxcli <conn_options> system syslog config set --default-rotate=20
- Set the rotation policy for VMkernel logs to 10 rotations, rotating at 2 MB.
    esxcli <conn_options> system syslog config logger set --id=vmkernel --size=2048 --rotate=10
- Send logs to remote host myhost.mycompany.com. The logs will use the default transport (UDP) and port (514).
    esxcli system syslog config set --loghost='myhost.mycompany.com'
- Save the local copy of logs to /scratch/mylogs and send another copy to the remote host.
    esxcli <conn_options> system syslog config set --loghost='tcp://myhost.mycompany.com:1514' --logdir='/scratch/mylogs'
  You can set the directory on the remote host by configuring the client running on that host. You can use the vSphere Client to redirect system logs to a remote host by changing the System.global.logHost advanced setting.
- Send a log message to all logs simultaneously.
    esxcli <conn_options> system syslog mark --message="this is a message!"
- Reload the syslog daemon and apply configuration changes.
    esxcli <conn_options> system syslog reload
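
The following check is an added example, not part of the VMware documentation: it reads the output of esxcli system syslog config get and reports which remote targets follow the TLS recommendation above and which still use TCP or the UDP default. The function names, the handling of several comma-separated targets, the explicit udp:// prefix and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VMware code): flag remote syslog targets that are not TLS.
# Assumptions: several targets may be comma-separated; udp:// is an explicit
# prefix for the default transport; host names below are constructed samples.

# classify_loghost ENTRY -> prints ssl, tcp, udp or unknown
classify_loghost() {
    case "$1" in
        ssl://*) echo ssl ;;
        tcp://*) echo tcp ;;
        udp://*) echo udp ;;
        *://*)   echo unknown ;;
        *)       echo udp ;;    # no prefix: default transport is UDP
    esac
}

# check_syslog_config: reads `config get` output on stdin, prints one finding
# per target, returns 0 only when every target uses ssl://.
check_syslog_config() {
    hosts=$(sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p')
    if [ -z "$hosts" ] || [ "$hosts" = "<none>" ]; then
        echo "FAIL no remote host configured, logs stay on the ESXi host"
        return 1
    fi
    rc=0
    old_ifs=$IFS
    IFS=','
    for entry in $hosts; do
        IFS=$old_ifs
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        case "$(classify_loghost "$entry")" in
            ssl) echo "OK   $entry uses TLS" ;;
            tcp) echo "WARN $entry uses TCP without encryption"; rc=1 ;;
            udp) echo "FAIL $entry uses UDP, unencrypted and lossy"; rc=1 ;;
            *)   echo "FAIL $entry has an unrecognized prefix"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return $rc
}

# Constructed sample in the shape of the `config get` output shown above.
SAMPLE_CONFIG='Default Rotation Size: 1024
Default Rotations: 8
Log Output: /scratch/mylogs
Remote Host: tcp://myhost.mycompany.com:1514'

printf '%s\n' "$SAMPLE_CONFIG" | check_syslog_config || true
```

To check a live host, pipe the real command into the function: esxcli <conn_options> system syslog config get | check_syslog_config.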