vCAC remote logging

I have been spending a lot of time working with vCAC logs files as of late and what I realized is that vCAC is made up of a lot of components and a lot of different log files. Unfortunately, vCAC does not support setting a remote syslog destination to forward all vCAC logs within the GUI today. As such, I would like to cover where all the log files are located and more importantly how you can forward them to a remote syslog destination like Log Insight.
UPDATE: This post is based on vCAC 6.0, if you are running vRA 6.1 or newer, please be sure to see my updated post here.

Let me start by laying out all the different components and the log locations:

  • vCAC VA
    • /var/log/vcac/catalina.out
    • /var/log/vco/app-server/catalina.out
    • /var/log/apache2/access_log
    • /var/log/apache2/error_log
    • /var/log/apache2/ssl_request_log
  • vCAC Windows
    • C:\Program Files (x86)\VMware\vCAC\Agents\<plugin>\logs\<file>
      • Plugin examples: CPI61, nsx, VC50, VC51Agent, VC51TPM, vc51withTPM, VC55Agent, vc55u, VDIAgent, vCNS, vSphereAgent
      • File examples: vSphereAgent, EpiPowerShellAgent, VdiPowerShellAgent
    • C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEMOR\Logs\DEMOR_All
    • C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEMWR\Logs\DEMWR_All
    • C:\Program Files (x86)\VMware\vCAC\Server\Logs\All
    • C:\Program Files (x86)\VMware\vCAC\Server\ConfigTool\Log\vCACConfiguration-<date>
    • C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Logs\<nothing today>
    • C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs\Repository
    • C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\Web_Admin_All
    • C:\Program Files (x86)\VMware\vCAC\Web API\Logs\<nothing today>
  • SSO
    • /var/log/vmware/sso/catalina.out
    • /var/log/vmware/sso/ssoAdminServer.log
    • /var/log/vmware/sso/vmware-identity-sts-perf.log
    • /var/log/vmware/sso/vmware-identity-sts.log
    • /var/log/vmware/sso/vmware-sts-idmd-perf.log
    • /var/log/vmware/sso/vmware-sts-idmd.err
    • /var/log/vmware/sso/vmware-sts-idmd.log
    • /var/log/vmware/vmafd/vmafdd.log
    • /var/log/vmware/vmdir/vdcsetupldu.log
    • /var/log/vmware/vmdir/vmafdvmdirclient.log
    • /var/log/vmware/vmkdc/vmkdcd.log
  • VCO
    • /var/log/vco/app-server/catalina.out
  • APPD
    • /home/darwin/tcserver/darwin/logs/catalina.out
  • ITBM
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/catalina.out
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/auditFile.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-external-api.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-reflib-update.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-vc-dc.log
    • /usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm.log
  • VCS
    • /var/log/vmware/vpx/vpxd.log
    • /var/log/vmware/vpx/vws.log
    • /var/log/vmware/vpx/vmware-vpxd.log
    • /var/log/vmware/vpx/inventoryservice/ds.log
    • /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log
    • /var/log/vmware/sso/ssoAdminServer.log
    • /var/log/vmware/sso/vmware-identity-sts.log
    • /var/log/vmware/sso/vmware-sts-idmd-perf.log
    • /var/log/vmware/sso/vmware-sts-idmd.log

Wow, that is a lot of log files! In order to forward these log files to a remote syslog destination like Log Insight, you need to configure a syslog agent on each device. In order to save everyone a lot of time, I have put together the configurations necessary based on the syslog agent installed in the VA for each vCAC component. Enjoy!

vCAC VA

#
# vCAC log files
# Add to: /etc/rsyslog.d/remote.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
$ModLoad imfile
$InputFileName /var/log/vmware/vcac/catalina.out
$InputFileTag vcac:
$InputFileStateFile stat-vcac-catalina1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/vco/app-server/catalina.out
$InputFileTag vco:
$InputFileStateFile stat-vco-catalina1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/access_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-access1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/error_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-error1
$InputFileSeverity error
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/apache2/ssl_request_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-ssl1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
# check for new lines every 10 seconds
$InputFilePollInterval 10
*.* @@<Log Insight>

vCAC Windows

NOTE: Whether you are running IAAS in an all-in-one or distributed model the below configuration can be used. Any log files that do not exist will be ignored.

Log Insight Windows Agent

The recommended way to collect logs from the vCAC Windows components is using the Log Insight Windows agent. The below configuration can be applied on the client-side or the server-side and it does not matter if you have a distributed vCAC installation or not. Remember to restart the Log Insight Windows Agent service if applying the configuration client-side.

; ======
; Agents
; ======
; You may have more or less agents and the agent directory is specified during installation
; Modify this section as applicable to your environment
[filelog|vcac-agent-vsphere]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\vsphereagent\logs\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
[filelog|vcac-agent-vcns]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\vcns\logs\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
[filelog|vcac-agent-nsx]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\nsx\logs\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
[filelog|vcac-agent-vdiagent]
directory=C:\Program Files (x86)\VMware\vCAC\Agents\VDIagent\logs\
event_marker=\[\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{1,2}:\d{1,2}
; =======
; Servers
; =======
; Legacy location for vCAC 5.x - will not work with content pack
[filelog|vcac-demor]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEMOR\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
; Legacy location for vCAC 5.x - will not work with content pack
[filelog|vcac-demwr]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEMWR\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
[filelog|vcac-dem]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\dem\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
[filelog|vcac-deo]
directory=C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\deo\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
[filelog|vcac-server]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
[filelog|vcac-mm]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}
[filelog|vcac-website]
directory=C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\
include=*All.log;Repository.log
event_marker=\[\w\w\w:\d{4}-\d{2}-\d{2}

Datagram Syslog Agent

Windows Registry Editor Version 5.00
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Edit this as appropriate - change paths and edit agents if applicable
; Open Registry Editor, on the File menu click Import, find the reg file and select Import
; Be sure to start/restart the agent after importing the registry file
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Agents - vSphereAgent]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\vsphereagent\\logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Agents - NSX]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\nsx\\logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Agents - VDIAgent]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VDIAgent\\logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Agents vCNS]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\vcns\\logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - API]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Web API\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - DEM - DEMOR]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Distributed Execution Manager\\DEMOR\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - DEM - DEMWR]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Distributed Execution Manager\\DEMWR\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - DEM -DEMWR]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Distributed Execution Manager\\DEMWR\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:00
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="Process Name"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Server]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Server - ConfigTool]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\ConfigTool\\Log\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Server - MMD]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Model Manager Data\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Server - MMW]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Model Manager Web\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC - Server - Website]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Website\\Logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000

SSO

#
# SSO log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source sso {
file("/var/log/vmware/sso/catalina.out" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/ssoAdminServer.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.err" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/vmafd/vmafdd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/vmdir/vdcsetupldu.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/vmdir/vmafdvmdirclient.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/vmkdc/vmkdcd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(sso); destination(logserver); };
log { source(src); destination(logserver); };

VCO

#
# VCO log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source vco {
file("/var/log/vco/app-server/catalina.out" follow_freq(1) flags(no-parse) log_prefix("vco: "));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(vco); destination(logserver); };
log { source(src); destination(logserver); };

APPD

#
# APPD log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source appd {
file("/home/darwin/tcserver/darwin/logs/catalina.out" follow_freq(1) flags(no-parse) log_prefix("appd: "));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(appd); destination(logserver); };
log { source(src); destination(logserver); };

ITBM

#
# ITBM log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source itbm {
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/catalina.out" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/auditFile.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-external-api.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-reflib-update.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm-vc-dc.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
file("/usr/local/tcserver/vfabric-tc-server-standard/tcinstance1/logs/itfm.log" follow_freq(1) log_prefix("itbm: ") flags(no-parse));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(itbm); destination(logserver); };
log { source(src); destination(logserver); };

VCS

#
# VCS log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source vcs {
file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log" follow_freq(1) flags(no-parse) log_prefix("vcenter-server: "));
file("/var/log/vmware/sso/ssoAdminServer.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd-perf.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.err" follow_freq(1) log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.log" follow_freq(1) log_prefix("sso: ") flags(no-parse));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(vcs); destination(logserver); };
log { source(src); destination(logserver); };

UPDATE: Added Log Insight Windows Agent configuration.

© 2014, Steve Flanders. All rights reserved.

12 comments on “vCAC remote logging

JB says:

Did not try the remote logging config scripts, but many thanks for aggregating vCAC component log file locations!

No problem!

Marcel says:

Thanks much for the detailed info! May I ask a few questions:
– Is it customer choice whether vCAC appliance runs Windows or Linux? If the latter, which distro?
– The syslog configuration scripts imply syslog-ng; is this a requirement?
– Does vCAC support an off-frame destination logserver, e.g. enterprise SIEM?
– Does vCAC support multiple destination logservers, e.g. SIEM and operations manager?
Thanks in advance!

1. It depends on the component – for example most components (e.g. vCAC) come in a virtual appliance form factor, but IaaS requires Windows
2. The syslog configuration files are based off what is installed by default on the vCAC component virtual appliance – you can install your own agent, but then you are changing the virtual appliance
3. If by off-frame you mean remote destination then yes – that is what the configuration files configure
4. This is limited by the agent, in the case of virtual appliance the answer is yes as Linux agents support multiple destination, for Windows it depends on the agent

Which log is just the VCAC audit log?

I believe the audit logs are stored in the database, which means none of the above 🙂

Karthik Ivaturi says:

How to access that database? Can we redirect the audit logs to a SQL database?

Today, there is no supported way to do this as the information is saved in a variety of different tables. Exposing this information is being considered in a future release.

Joel B. says:

Hi Steve, thanks for your writeup. I wanted to point out that the include statements for the DEM and DEO servers should also contain the DEM_Errors.log and DEO_Errors.log files.
Also, if customers have named their DEMS/DEOS/Agents, the agent name should be used in the path for the log files.

Hey Joel – thanks for the comment! My understanding is that All.log contains all the information in Error.log and that Error.log just exists to make it easier to see the errors when troubleshooting.

Chip says:

Hi Steve, your article was written back in February of 2014. Have you checked to see if all these config files (and the system log names and locations) are still applicable to versions 6.1 and 6.2 of vCAC/vRA?

Hey Chip – Thanks for the comment! I just posted an article on vRA Remote Logging today: https://sflanders.net/2015/01/13/vra-remote-logging/. I will be adding an update to this post momentarily 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top