Monday 16 January 2017

Configuring ESXi 6 host to send logs to Syslog Server

In my previous post I talked about configuring the VMware Syslog server for Windows, which is installed and enabled by default when vCenter 6 for Windows is installed. I will now describe the basic configuration required on an ESXi 6 host to send logs out to a syslog server, using my vCenter as the example.

1) Navigate to your ESXi host within vCenter. Go to the "Manage" tab and select "Settings" followed by "Advanced System Settings". Look for the setting "Syslog.global.loghost" and highlight it. Click the pencil icon to edit the configuration for this setting.

2) You can now add the host name or IP address of your syslog server(s). You can enter just a hostname or IP address, or use udp://hostname:514 or ssl://hostname:1514 to be more specific about the port and protocol to be used. If you have multiple servers, use a comma (,) to separate them, e.g. udp://192.168.0.1:514,udp://192.168.0.2:514

3) We now need to enable the outbound firewall rule on the ESXi host so that it can talk to the syslog server. Navigate to your ESXi host within vCenter. Go to the "Manage" tab and select "Settings" followed by "Security Profile". Under the "Firewall" section select "Edit".

4) Look for the "syslog" rule and, if the checkbox is not ticked, select it. If you wish to restrict which IP address(es) the host can send data to, untick "Allow connections from any IP address" and type in your syslog server IP address. Once you have finished, click "OK".

5) If you now look at the firewall section again, under "Outgoing Connections" you should see the "syslog" rule, which means it is enabled. You may need to click the web client refresh button to see the changes.


6) Select the vCenter server that you have configured to receive the logs and go to the "Manage" tab, Settings > SysLog Collector. Under "Host Logging" you should see your ESXi host name or IP and the name of the subfolder where the logs for that particular host are stored. If you navigate to the folder on your vCenter server you should see the logs.
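
The host-side steps (1 to 5) can also be done from the ESXi Shell with esxcli. The script below is an added example, not part of the original post; the function names and the ESXCLI dry-run variable are assumptions made for illustration. It goes slightly beyond the post by restricting the firewall rule only when every loghost entry is an IPv4 address.

```sh
#!/bin/sh
# Added example: CLI equivalent of steps 1-5, for the ESXi Shell or an SSH session.
# Set ESXCLI=echo to print the commands (dry run) instead of executing them.
ESXCLI="${ESXCLI:-esxcli}"

# Print the host part of each comma-separated loghost entry, one per line.
# Handles "host", "udp://host:514" and "ssl://host:1514" (IPv4/hostnames only).
loghost_hosts() {
    old_ifs=$IFS; IFS=','; set -- $1; IFS=$old_ifs
    for entry in "$@"; do
        host=${entry#*://}      # drop the scheme, if any
        echo "${host%%:*}"      # drop the port, if any
    done
}

# Succeeds if $1 looks like a dotted IPv4 address; the firewall allowed-IP
# list takes addresses, so hostnames cannot be used to restrict the rule.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*) return 1 ;;
        *.*.*.*)      return 0 ;;
        *)            return 1 ;;
    esac
}

configure_esxi_syslog() {
    loghost=$1
    hosts=$(loghost_hosts "$loghost")
    # Steps 1-2: set Syslog.global.logHost.
    $ESXCLI system syslog config set --loghost="$loghost" || return 1
    # Steps 3-4: enable the outgoing "syslog" firewall rule.
    $ESXCLI network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    # Step 4: restrict destinations only when every entry is an IP address.
    restrict=yes
    for h in $hosts; do is_ipv4 "$h" || restrict=no; done
    if [ "$restrict" = yes ]; then
        $ESXCLI network firewall ruleset set --ruleset-id=syslog --allowed-all=false || return 1
        for h in $hosts; do
            $ESXCLI network firewall ruleset allowedip add --ruleset-id=syslog --ip-address="$h" || return 1
        done
    else
        echo "loghost contains a hostname; leaving the rule open to any IP" >&2
    fi
    $ESXCLI network firewall refresh || return 1
    $ESXCLI system syslog reload     # make the running syslog daemon pick up the change
}

# Usage: sh esxi-syslog.sh 'udp://192.168.0.1:514,udp://192.168.0.2:514'
if [ "$#" -gt 0 ]; then configure_esxi_syslog "$1"; fi
```

Running it with ESXCLI=echo first shows the exact esxcli commands without changing the host.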





Wednesday 11 January 2017

vCenter 6 Windows Syslog Server Config

In vSphere 6, when deploying vCenter for Windows, the VMware syslog server is deployed with it by default. In this post I will describe how you can locate the config file and some of the changes I have made for my setup.

1) When you log in to vCenter, drill down to a particular vCenter instance and go to Manage > Settings > Syslog collector, you will see the current settings. If you selected the default installation path for vCenter, the logs are stored at "C:\ProgramData\VMware\vCenterServer\data\vmsyslogcollector"; otherwise they will be stored on the drive you installed vCenter to, i.e. if you installed to the e:\ drive then your logs should default to "E:\ProgramData\.."

Also under Windows Services you should see the service "VMware Syslog Collector" running.

The first step would be to modify the log path to match your needs, as you most likely do not want it on your OS drive C:\.

2) Go to "C:\ProgramData\VMware\vCenterServer\cfg\vmsyslogcollector" and use your favourite text editor to open the config.xml file.

3) Locate the "<defaultDataPath> </defaultDataPath>" tag. You should see the current path where the logs will go, and it should match what you found in step 1.

4) Edit the path to where you would like to store your logs and save the file. I have amended mine to point to my e:\vmsyslog folder.

5) Now restart the Windows service for this component, which is "VMware Syslog Collector".

6) If you drill back down to your vCenter settings, Manage > Settings > Syslog Collector, you should see that the log path has changed to reflect your new folder.

7) If you look at the previous screenshot you can see that there are other settings, such as ports to listen on, log file size, rotations etc. All these settings are also within the config.xml file, which you can modify (see step 2 for the path of the config file).

If you do decide to change the default ports (UDP 514 or TCP 1514 for SSL) that syslog listens on, then you need to make sure you change the Windows Firewall rules (Windows Server 2012 R2) to allow the ports. There are 3 rules in Windows Firewall, "VMware Common Logging Service", "VMware Syslog Collector" and "VMware Syslog Collector", which correspond to the default syslog ports. The two rules that I would change would be "VMware Syslog Collector" and "VMware Syslog Collector", as I believe the "VMware Common Logging Service" rule is used for other VMware related services as well.

Other things to look out for are that the rule is "Enabled" and that the "Profiles" the rules apply to match your network card profile.

I will have another post which will document how you get your ESXi hosts to send their logs across to this vCenter Syslog server.
