Configuring Remote Syslog on vSphere Using vCenter Log Insight

Now that you have vCenter Log Insight deployed and configured, you need to configure sources to send their log messages to Log Insight. If you enabled vCenter Server integration then you should start to receive log messages, but this is only the beginning of configuring remote syslog sources.

IMPORTANT: Configuring vCenter Server integration does not configure vCenter Server or ESX/ESXi hosts connected to vCenter Server to send remote syslog to Log Insight. For more information continue reading!

Let’s start by going over what Log Insight supports today and what mechanisms it has to configure vSphere devices for you.

Overview

Today, vCenter Log Insight only supports ingestion of new unstructured data via the syslog protocol. The previous sentence has many important words I would like to elaborate on:

  • “today” – who knows what the future holds!
  • “new” – while vCenter Log Insight only supports ingesting new unstructured data via the syslog protocol, it does support ingesting previously ingested and since archived data via a command line import function. While the command line import function can be used to ingest any unstructured data, it is important to note that using the import function is currently only supported for previously ingested and since archived data (more on this in a later post).
  • “unstructured data” – vCenter Log Insight is capable of ingesting more than just syslog messages, but the only supported way to ingest new data is via the syslog protocol.
  • “syslog protocol” – more specifically, the following ports and protocols are supported (same as ESXi):
    • 514/udp
    • 514/tcp
    • 1514/tcp (ssl)

The actual configuring of remote syslog sources is independent of the Log Insight product, but Log Insight does provide mechanisms to configure some vSphere products today. These include:

  • vCenter Server integration – this allows for the collection of events, tasks, and alarms from the specified vCenter Server instances. Please note, this does not include logs from vCenter Server or any ESX/ESXi hosts connected to vCenter Server.
  • configure-esxi – this command line script can configure ESXi hosts 4.x and later that are connected to a vCenter Server instance to send logs to Log Insight.

Let’s cover these in more detail.

vCenter Server integration

vCenter Server integration allows for the collection of events, tasks, and alarms for ingestion by Log Insight. Events, tasks, and alarms contain critical information about what is going on in your virtual environment and any issues that you should be aware of. What you may not know is that events, tasks, and alarms are not in vCenter Server logs today. Instead, events, tasks, and alarms are stored in the vCenter Server database. One of the primary reasons for wanting to extract events, tasks, and alarms from the vCenter Server database is for retention and compliance reasons. Depending on the activity on your vCenter Server instance, events, tasks, and alarms could be rotated out in a matter of days or less.

So, how does vCenter Server integration work on Log Insight? You will find a section to configure VMware integration during the initial configuration wizard or in the Administration section of the web UI.

In both areas, you have the option to configure one or more vCenter Server instances. Simply supply the hostname and credentials for a user with read-only privileges and Log Insight will take care of the rest. Be sure to test the connection before saving the changes.


If you make the change in the Administration section of the UI, you must restart the Log Insight process after saving.

Remember that restarting the Log Insight process will cause certain versions of ESXi 5.x to stop sending remote syslog.

There are a few things you should know about vCenter Server integration:

  • Only supported on vCenter Server 5.1.x – connections to other versions may be possible, but polling may not work as expected
  • Log Insight connects to vCenter Server over the vCenter Server API every 2.5 minutes polling for new events, tasks, and alarms (no changes are made to vCenter Server by Log Insight)
  • vCenter Server integration does not configure the collection of vCenter Server logs (more on this in a later post)
  • The read-only user must be defined on the root vCenter Server object with the propagate checkbox selected

configure-esxi

configure-esxi is a command line tool provided on the Log Insight virtual appliance. The tool allows for the configuration of remote log hosts on ESXi hosts 4.x and later that are connected to a vCenter Server instance. To use the tool, log into the virtual appliance and run:

Next, specify the appropriate flags depending on the operation you wish to perform. In general, I would recommend the following order of operations:

Order of operations

1. Query for current loghosts on ESXi hosts

2. Add loghosts as appropriate

3. Query for current loghosts on ESXi hosts

Other options

You can specify the -h flag to restrict which ESXi hosts on a vCenter Server instance the operations are performed against.

NOTE: It is not possible to restrict operations on a vCenter Server object like datacenter, cluster, or folder today.

You can reload the syslog configuration on ESXi hosts (important due to http://kb.vmware.com/kb/2003127).

Important information

  • Only supports configuring ESXi connected to a vCenter Server instance
    • ESX is not supported as ESX does not support configuring of syslog via an API
    • OK if ESX and ESXi hosts reside on the same vCenter Server instance
    • Directly configuring an ESXi host with configure-esxi is possible, but not supported today
  • Only supports ESXi version 4.x and newer
  • Only supports ESXi standard syslog ports (514/tcp, 514/udp, 1514/ssl)
  • Does not configure VMs to send remote syslog to Log Insight
  • Put usernames and passwords with special characters in single quotes. Run configure-esxi --help for more information.
  • ESXi version 4.x only supports a single remote destination
    • configure-esxi has a -f flag to forcefully override an existing loghost configured on an ESXi 4.x host
    • The -f flag of configure-esxi has no effect on ESXi 5.x hosts
  • ESXi 5.x has known issues with remote logging for both TCP and UDP (see http://kb.vmware.com/kb/2003127)
    • TCP – ESXi 5.0.x and 5.1.x
    • UDP – ESXi 5.0 and 5.0.1
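
The constraints above can be checked between the first query and the add step. The following is an added example, not part of configure-esxi or Log Insight: it takes a constructed inventory standing in for the query results and reports what adding a loghost would mean for each host. The record layout, the proto://host:port notation, the function names and the 10.0.0.5 address are assumptions of the example.

```python
from urllib.parse import urlsplit

SUPPORTED = {("udp", 514), ("tcp", 514), ("ssl", 1514)}  # pairs the article lists

def parse_loghost(value):
    """Return (proto, host, port) for 'proto://host:port', or raise ValueError."""
    parts = urlsplit(value)
    proto, host, port = parts.scheme.lower(), parts.hostname, parts.port
    if not host or (proto, port) not in SUPPORTED:
        raise ValueError(f"unsupported loghost: {value!r}")
    return proto, host, port

def version_tuple(text):
    return tuple(int(p) for p in (text.split(".") + ["0", "0"])[:3])  # '5.0' -> (5, 0, 0)

def known_issue(version, proto):
    """ESXi 5.x versions the article lists under KB 2003127 (ssl treated as TCP: assumption)."""
    if proto == "udp":
        return version in {(5, 0, 0), (5, 0, 1)}
    return version[:2] in {(5, 0), (5, 1)}

def plan(host, target, force=False):
    """Decide what adding `target` would mean for one queried host record."""
    proto, _, _ = parse_loghost(target)
    version, current, notes = version_tuple(host["version"]), host["loghosts"], []
    if host["product"] != "ESXi" or version < (4, 0, 0):
        return "unsupported", notes
    if target in current:
        action = "already-set"
    elif version[0] == 4 and current:
        # ESXi 4.x keeps a single destination; only -f replaces it.
        action = "replace" if force else "needs-f"
    else:
        action = "add"
        if current:
            notes.append("existing loghosts are kept: " + ", ".join(current))
    if known_issue(version, proto):
        notes.append("reload syslog after a Log Insight restart (KB 2003127)")
    return action, notes

# Constructed inventory standing in for the result of the query step.
INVENTORY = [
    {"name": "esx-a", "product": "ESX", "version": "4.1.0", "loghosts": []},
    {"name": "esxi-b", "product": "ESXi", "version": "4.1.0", "loghosts": ["udp://10.0.0.5:514"]},
    {"name": "esxi-c", "product": "ESXi", "version": "5.1.0", "loghosts": ["udp://10.0.0.5:514"]},
]

def report(target, force=False):
    return {h["name"]: plan(h, target, force) for h in INVENTORY}
```

Calling report("tcp://192.168.1.23:514") returns one (action, notes) pair per host, which can be compared with the second query after the add step.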

© 2013, Steve Flanders. All rights reserved.

2 thoughts on “Configuring Remote Syslog on vSphere Using vCenter Log Insight”

  1. Yuval Tenenbaum says:

    Q- What is the value of running “configure-esxi -u root -s 192.168.1.8 -q” to Query the remote log settings of hosts on vCenter Server if we then run
    configure-esxi -u root -s 192.168.1.8 -t 192.168.1.23 which Configures hosts connected to 192.168.1.8 to send logs to 192.168.1.23 regardless if they are already connected or not? Is it just FYI kind of thing?

    • Hey Yuval – Great question! Yes, it is an FYI thing. One thing we have seen is that users run the command and expect configure-esxi to override whatever is currently set on the ESXi host, but this does not happen. By checking before and after the user should not be surprised by the results and if they did mean to remove the old entry they can then do so. I hope this helps!
