8 weeks of #VCAP – Syslog scenario by @tomverhaeg

Company policies state that every syslog capable device or server should send these logs to an appropriate syslog collector. Your colleague has already set up the VMware syslog collector on a separate machine, located at 10.10.20.45. You have been tasked with setting up the syslog clients on the ESXi hosts, and ensuring that syslogs arrive on the syslog server.

To configure the syslog collector on the ESXi hosts, we will be using the esxcli system syslog namespace. This allows us to set different options regarding the local and remote (which is what we want) syslog.

Let’s review the default config first by using the following command:

~ # esxcli system syslog config get

Default Rotation Size: 1024

Default Rotations: 8

Log Output: /scratch/log

Log To Unique Subdirectory: false

Remote Host: <none>

We see that no remote syslog is being used. Let’s configure one, using this command:

~ # esxcli system syslog config set –loghost=10.10.20.45

Now that we have configure a remote loghost, we need to reload the syslog daemon to apply the configuration changes. Esxcli can help us once again:

~ # esxcli system syslog reload

You might think that we’re ready now, but when we check our syslog, we don’t see syslog yet. Bummer! For this problem, I’ll reference to the ESXi firewall post (http://blog.mwpreston.net/2013/11/19/8-weeks-of-vcap-the-esxi-firewall/) as with the default security level, this outgoing traffic will be dropped. We need to enable the firewall rule for syslog (udp/514, tcp/1514).

~ # esxcli network firewall ruleset set -r syslog -e true

And reload our changes:

~ # esxcli network firewall refresh

And now, we see our host logs coming in. The VMware syslog collector stores it logs by default in C:\ProgramData\VMware\VMware Syslog Collector\Data

clip_image002