Syslog in ESXi server is a critical feature that needs to be configured properly in order to monitor and troubleshoot a vSphere environment efficiently. By default, ESXi server keeps all logging-related information on its scratch partition, and that is removed on every restart of the ESXi server. Thus, if your ESXi server crashes for whatever reason, you have no way to find out what was happening on it. ESXi server supports syslog for remote log collection, but you need to configure this manually or use a Host Profile to push the configuration.
Installing vSphere Syslog Collector
- You can use any Syslog server you want, but for this demonstration I will be using vSphere Syslog Collector which comes with vSphere Installation ISO.
- Open vSphere Installation and you can find VMware vSphere Syslog Collector under vCenter Support Tools of this installer.
- I will be installing this with the default settings. If you wish to change the location where log files are stored, you can change it here.
- vSphere Syslog Collector can be deployed as a Standalone or vCenter Installation. I will be integrating Syslog Collector with vCenter Server so that I can see that Syslog is collected via vCenter Server.
- Since I am using vCenter Integration mode, I am prompted for vCenter Server information.
- Approve vCenter Server Certificate.
- Select the port numbers used for Syslog. I am using the default setting here. As far as I know, Syslog uses the UDP protocol, and I assume that ESXi server uses the same.
- Keep other settings as the default to complete the installation of vSphere Syslog Collector.
Configuring Syslog on ESXi Server using CLI
- I will be demonstrating Network Coredump configuration via the vMA appliance, but you can log in directly to the ESXi Server via SSH to perform the same tasks.
- After the Syslog Server (Syslog Collector) is set up, the next task is to configure the ESXi Server to start sending Syslog to the Syslog server.
- The first step is to open the ESXi Firewall for Syslog. As you can see from the output below, Syslog is blocked by the ESXi Firewall with the default setting, as indicated by the disabled/false status.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli network firewall ruleset list |grep syslog
syslog false
- To enable Syslog in the ESXi Server firewall, use the command below.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli network firewall ruleset set -e true -r syslog
- Verify that Syslog firewall rule is enabled.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli network firewall ruleset list |grep syslog
syslog true
- Refresh the Firewall Ruleset to make the new setting take effect.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli network firewall refresh
- Examine the default syslog setting using ESXCLI command.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli system syslog config get
Local Log Output: <none>
Default Rotation Size: 1024
Default Rotations: 8
Log Output: /scratch/log
Logto Unique Subdirectory: false
Remote Host: <none>
- Configure the ESXi Server to send Syslog messages to the remote server. I am using my vCenter (vc.vm.lab) for this demonstration.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli system syslog config set --loghost=vc.vm.lab
- Optionally, you can add marking text to the Syslog messages so that you can easily identify the Syslog messages from this ESXi Server.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli system syslog mark --message='ESXi-01.vm.lab Syslog'
- Verify that the Syslog configuration is updated on the ESXi Server.
vi-admin@vMA:~[esxi-01.vm.lab]> esxcli system syslog config get
Local Log Output: <none>
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Remote Host: vc.vm.lab
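The two verification steps above (firewall ruleset state and Remote Host value) can be checked together when auditing many hosts. The script below is an added example, not part of the original post: the function names are hypothetical, and the sample captures are constructed to match the output format shown on this page.

```shell
#!/bin/sh
# Added example: audit captured esxcli output for remote-syslog readiness.

# stdin: output of `esxcli system syslog config get`; prints the Remote Host value.
syslog_remote_host() {
    awk '/^[ \t]*Remote Host:/ {
        sub(/^[ \t]*Remote Host:[ \t]*/, "")   # keep values such as udp://host:514 whole
        sub(/[ \t\r]+$/, "")                   # drop trailing blanks or a stray CR
        print; exit
    }'
}

# $1: ruleset name; stdin: output of `esxcli network firewall ruleset list`.
# Prints true or false, or "missing" when the ruleset is not listed at all.
ruleset_enabled() {
    awk -v name="$1" '$1 == name { print $2; found = 1; exit }
                      END { if (!found) print "missing" }'
}

# $1: config output, $2: ruleset output. Prints a single OK/FAIL verdict line.
audit_syslog() {
    host=$(printf '%s\n' "$1" | syslog_remote_host)
    fw=$(printf '%s\n' "$2" | ruleset_enabled syslog)
    if [ -z "$host" ] || [ "$host" = "<none>" ]; then
        echo "FAIL: no remote host configured"
    elif [ "$fw" != "true" ]; then
        echo "FAIL: loghost $host set but syslog firewall ruleset is $fw"
    else
        echo "OK: forwarding to $host"
    fi
}

# Constructed sample captures (not real host output).
CONFIG_BEFORE='Log Output: /scratch/log
Remote Host: <none>'
CONFIG_AFTER='Log To Unique Subdirectory: false
Remote Host: vc.vm.lab'
RULES_BLOCKED='sshServer true
syslog false'
RULES_OPEN='sshServer true
syslog true'

audit_syslog "$CONFIG_BEFORE" "$RULES_BLOCKED"   # default state: nothing configured
audit_syslog "$CONFIG_AFTER" "$RULES_BLOCKED"    # loghost set, firewall still closed
audit_syslog "$CONFIG_AFTER" "$RULES_OPEN"       # both steps done
```

On a live host, pass the real output of the two esxcli commands to audit_syslog in place of the sample strings.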
Configuring Syslog on ESXi Server using vSphere Client
- You can configure Syslog from vSphere Client, too.
- Go to the Hosts and Clusters view, then select the ESXi Server.
- Click the Configuration tab, then select the advanced Configuration option.
- Look for the setting “Syslog”. As I have configured this through the CLI, the setting is already updated here, but you can configure Syslog from this option if you wish.
Verifying Syslog Is Collected by vSphere Syslog Collector
- You can verify that vCenter is collecting syslog from the ESXi Server via Administration > Network Syslog Collector in vSphere Client.
- Syslog is saved in the directory specified in the above screenshot.
In a lab environment, when can I set up syslog? Do I finish configuring vCenter with as many nodes/hosts as necessary and then the syslog server, or can I install the syslog server right after installing vCenter on the server?