ESXi syslog events have localhost for hostname – Part 2

In part 1 of this article, I described a bug in ESXi hosts provisioned with AutoDeploy that causes their syslog messages to carry localhost as the hostname. Here I would like to cover the impact of that bug on Log Insight and the vSphere content pack.

Log Insight vSphere Content Pack

For those of you experiencing the localhost issue and using Log Insight, you will notice that the vSphere content pack does not provide as much value as it could: dashboards and queries that group or filter on hostname show every affected host as localhost.

The impact is limited to Log Insight queries that rely on the hostname field. If the ESXi hosts are configured to log directly to Log Insight, queries that rely on the source field instead of the hostname field still work despite the bug, because source is derived from the address the message arrived from rather than from the message body.

The difference between source and hostname

All the information you need to know about these two fields can be found in this KB article:

Source Field
The source field contains the hostname or IP address that Log Insight received the message from. If DNS servers are configured, Log Insight will attempt to perform a Reverse DNS lookup on each IP address a message is received from. If no DNS servers are configured, or no reverse DNS mapping is found, the source field for a message will contain the IP address which the message was received from.
If a reverse DNS mapping returns a hostname, the source field for the message will contain that name. Depending on the external DNS server configuration, a bare hostname or FQDN may be returned and stored in the source field.
Hostname Field
The hostname field contains an identifier extracted from the syslog message body. The value of the hostname field is defined by the machine that originally sent the message. The hostname field usually contains the hostname or FQDN of the message originator, but not all syslog message sources are able to provide a hostname. It may also contain an IP address or any other string which the message originator sends, such as localhost. Log Insight does not perform reverse DNS lookups on the hostname field.

In short, source is not a universal substitute for hostname either. If the ESXi hosts do not log directly to Log Insight (for example, they forward through a syslog aggregator), the source field holds the aggregator's name or address for every message, so queries built on source would be affected in much the same way as hostname-based queries are by the localhost bug. If you are experiencing the localhost bug and are using Log Insight, the recommendation is therefore to upgrade ESXi to resolve the issue permanently; switching queries to source is only a workaround, and only for hosts that log directly.
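To make the difference between the two fields concrete, here is a small added example (my own code, not part of the original post or of Log Insight) that models how the two fields are populated: hostname is parsed out of the syslog message body, while source comes from the peer address the message arrived from, resolved through reverse DNS when a mapping exists. It runs the same constructed messages through both paths discussed above, hosts logging directly and hosts logging through an aggregator. The sample log lines, the IP addresses, the reverse-DNS table and the assumption that the aggregator forwards the message body unchanged are all constructed for the example.

```python
import re

# Syslog form ESXi emits: "<PRI>ISO-TIMESTAMP HOSTNAME TAG: message".
# The HOSTNAME token is what ends up in Log Insight's hostname field.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")

# Constructed reverse-DNS table standing in for the lookups Log Insight
# performs on the address a message is received from.
REVERSE_DNS = {
    "10.0.0.11": "esx01.example.com",
    "10.0.0.12": "esx02.example.com",
    "10.0.0.13": "esx03.example.com",
    "10.0.0.50": "syslog-agg.example.com",
}

# Constructed sample messages as (raw line, address the host sends from).
# esx01 and esx02 exhibit the bug (body says localhost); esx03 is healthy.
SAMPLE_MESSAGES = [
    ("<166>2014-05-12T22:50:16.831Z localhost Hostd: User root logged in", "10.0.0.11"),
    ("<166>2014-05-12T22:50:17.102Z localhost vmkernel: NFS volume mounted", "10.0.0.12"),
    ("<166>2014-05-12T22:50:18.441Z esx03.example.com Hostd: User root logged out", "10.0.0.13"),
]


def extract_hostname(line):
    """Hostname field: the identifier the sender wrote into the message body, or None."""
    m = SYSLOG_RE.match(line)
    return m.group("host") if m else None


def resolve_source(peer_ip, rdns=REVERSE_DNS):
    """Source field: reverse-DNS name of the peer if one exists, else the bare IP."""
    return rdns.get(peer_ip, peer_ip)


def ingest(line, peer_ip, rdns=REVERSE_DNS):
    """Build the event record the way the two fields are defined: one from the
    transport peer, one from the message body. They are independent of each other."""
    return {"source": resolve_source(peer_ip, rdns), "hostname": extract_hostname(line), "text": line}


def ingest_direct(messages=SAMPLE_MESSAGES):
    """Hosts send straight to Log Insight: the peer address is the ESXi host itself."""
    return [ingest(line, ip) for line, ip in messages]


def ingest_via_relay(messages=SAMPLE_MESSAGES, relay_ip="10.0.0.50"):
    """Hosts send to a syslog aggregator (assumed to forward the body unchanged):
    the peer address Log Insight sees is the relay, for every message."""
    return [ingest(line, relay_ip) for line, _ in messages]


def count_by(events, field):
    """Events-per-value for a field, i.e. what a 'group by hostname/source' query returns."""
    counts = {}
    for e in events:
        counts[e[field]] = counts.get(e[field], 0) + 1
    return counts


if __name__ == "__main__":
    for label, events in (("direct", ingest_direct()), ("via relay", ingest_via_relay())):
        print(label, "by hostname:", count_by(events, "hostname"))
        print(label, "by source:  ", count_by(events, "source"))
```

Grouping by hostname merges the two buggy hosts into a single localhost bucket in both scenarios. Grouping by source separates them when the hosts log directly, but collapses all three hosts into the aggregator's name when a relay sits in between, which is exactly why source only helps for hosts that log directly to Log Insight.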

© 2014 – 2021, Steve Flanders. All rights reserved.
