Log Insight: Double or Triple Counted ESXi Hosts

As I covered in the past, Log can be licensed per OSI or CPU. If you are using OSI licensing for ESXi then you may notice the same hosts are counted more than once. In this post, I will cover how to fix this issue. Read on to learn more!

For Log Insight, an OSI is the originator of an event. Per the syslog RFC, the originator of an event is indicated by the hostname field within the event. In the case of ESXi, sometimes events from the same host are sent with different hostname fields. If any originator of an event sends more than one hostname then Log Insight will count the originator more than once. For ESXi, setting the hostname can address this issue. You could do this in a variety of ways including via host profiles or through the vSphere API. Here is an example of how to do it from the CLI:

Once the hostname is set properly, the OSI count will deprecate over time as the old hostname is rotated out of the check.

IMPORTANT: This workaround is specific to ESXi. Some systems (e.g Horizon View) do not have such an option.

© 2017, Steve Flanders. All rights reserved.

2 thoughts on “Log Insight: Double or Triple Counted ESXi Hosts

  1. kondrich says:

    Hi, thank you for this hint.

    I see our hosts showing up with their respective hostnames and their FQDNs seperately. Some log sources seem to provide hostnames and some their FQDNs. Does this trick also fix this?

    A host name check of our hosts is fine (thus I set FQDN again as you advised).
    Before and after it was:
    [root@hostname:~] esxcli system hostname get
    Domain Name: ourdomain.tld
    Fully Qualified Domain Name: hostname.ourdomain.tld
    Host Name: hostname

Leave a Reply