Monday 16 January 2017

Configuring ESXi 6 host to send logs to Syslog Server

In my previous post I talked about configuring the VMware Syslog server for Windows, which is installed and enabled by default when vCenter 6 for Windows is installed. I will now describe the basic configuration required on an ESXi 6 host so that it can send logs to a syslog server, using my vCenter as the example.

1) Navigate to your ESXi host within vCenter. Go to the "Manage" tab and select "Settings" followed by "Advanced System Settings". Look for the setting "Syslog.global.loghost" and highlight it. Click the pencil icon to edit the configuration for this setting.

2) You can now add the hostname or IP address of your syslog server/s. You can enter just the hostname or IP address, or use udp://hostname:514 or ssl://hostname:1514 to be more specific about the port and protocol to be used. If you have multiple syslog servers, use a comma (,) to separate each one, for example udp://192.168.0.1:514,udp://192.168.0.2:514

3) We now need to enable the outbound firewall rule on the ESXi host so that it can talk to the syslog server. Navigate to your ESXi host within vCenter. Go to the "Manage" tab and select "Settings" followed by "Security Profile". Under the "Firewall" section select "Edit".

4) Look for the "syslog" rule and, if the checkbox is not ticked, select it. If you wish to restrict which IP address/es the host can send the data to, untick "Allow connections from any IP address" and type in your syslog server IP address. Once you have finished, click "OK".

5) If you now look at the firewall section again, under "Outgoing Connections" you should see the "syslog" rule, which means it is enabled. You may need to click the web client refresh button to see the changes.


6) Select the vCenter server that you have configured to receive the logs and go to the "Manage" tab, Settings > SysLog Collector. Under "Host Logging" you should see your ESXi host name or IP and the name of the subfolder in which the logs for that particular host are stored. If you navigate to that folder on your vCenter server you should see the logs.
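The value entered in step 2 and the firewall restriction in step 4 have to agree, so the following added example (not part of the original post) parses a Syslog.global.loghost string, derives the IP allow-list for the "syslog" firewall rule, and lists targets that do not use ssl://. It accepts only the forms shown in step 2 (bare host, udp:// and ssl://); the function names `parse_loghost` and `review` are hypothetical, and the sample value is constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

SCHEMES = {"udp", "ssl"}                      # the two prefixes shown in step 2
BARE_HOST = re.compile(r"^[A-Za-z0-9.-]+$")   # plain hostname or IPv4 address

def parse_loghost(value):
    """Split a Syslog.global.loghost value into one dict per target."""
    targets = []
    for raw in value.split(","):
        entry = raw.strip()
        if "://" in entry:
            url = urlsplit(entry)
            # url.port raises ValueError for a non-numeric or out-of-range port
            scheme, host, port = url.scheme.lower(), url.hostname, url.port
            if scheme not in SCHEMES or not host or url.path:
                raise ValueError(f"unsupported entry: {entry!r}")
        elif BARE_HOST.match(entry):
            # Bare host: protocol and port are left to the host's default
            scheme, host, port = None, entry.lower(), None
        else:
            raise ValueError(f"malformed entry: {entry!r}")
        targets.append({"scheme": scheme, "host": host, "port": port})
    return targets

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def review(value):
    """Return the step 4 allow-list plus the entries that need attention."""
    targets = parse_loghost(value)
    hosts = {t["host"] for t in targets}
    return {
        # IP addresses to type into the "syslog" firewall rule
        "allow_ips": sorted(h for h in hosts if _is_ip(h)),
        # Hostnames must be resolved before they can go on an IP allow-list
        "resolve_first": sorted(h for h in hosts if not _is_ip(h)),
        # Targets that did not explicitly request ssl://
        "not_ssl": [t["host"] for t in targets if t["scheme"] != "ssl"],
    }

if __name__ == "__main__":
    # Constructed value built from the forms shown in step 2
    sample = "udp://192.168.0.1:514,udp://192.168.0.2:514,ssl://hostname:1514"
    print(review(sample))
```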





4 comments:

  1. Great post! Thank you very much! Keep going

  2. Thanks! Is there any way to add another port to syslog? Not only 514?

    Replies
    1. Hi, do you mean changing the port the syslog server listens on?
