I frequently get questions about how to forward only certain log files from ESXi or how to collect a log file that is missing. I get the question so frequently that it warrants a quick post. The title of this post says it all: it's all or nothing. If you configure remote syslog on ESXi then you will get all configured log files from ESXi. There is no supported way today to customize which log files are stored locally versus sent remotely. The only customization you can make is which severity of log messages is forwarded to the remote syslog destinations, by changing log verbosity; however, this is not recommended (read here for more information).
If you want to know what exactly is being sent, have a look in /etc/vmsyslog.conf.d:
/etc/vmsyslog.conf.d # ls -l
total 120
-rw-r--r-T 1 root root 420 Sep 19 2013 auth.conf
-rw-r--r-T 1 root root 384 Sep 19 2013 clomd.conf
-rw-r--r-T 1 root root 347 Sep 19 2013 dhclient.conf
-rw-r--r-T 1 root root 346 Sep 19 2013 esxshell.conf
-rw-r--r-T 1 root root 346 Sep 19 2013 esxupdate.conf
-rw-r--r-- 1 root root 219 Dec 17 21:37 fdm.conf
-rw-r--r-T 1 root root 355 Sep 19 2013 hostd-probe.conf
-rw-r--r-- 1 root root 234 Dec 17 21:37 hostd.conf
-rw-r--r-T 1 root root 375 Sep 19 2013 hostprofiletrace.conf
-rw-r--r-T 1 root root 327 Sep 19 2013 lacp.conf
-rw-r--r-T 1 root root 408 Sep 19 2013 osfsd.conf
-rw-r--r-T 1 root root 465 Sep 19 2013 rhttpproxy.conf
-rw-r--r-T 1 root root 373 Sep 19 2013 sdrsInjector.conf
-rw-r--r-T 1 root root 356 Sep 19 2013 storageRM.conf
-rw-r--r-T 1 root root 404 Sep 19 2013 swapobjd.conf
-rw-r--r-T 1 root root 433 Sep 19 2013 syslog.conf
-rw-r--r-T 1 root root 439 Sep 19 2013 usb.conf
-rw-r--r-T 1 root root 413 Sep 19 2013 vmamqpd.conf
-rw-r--r-T 1 root root 357 Sep 19 2013 vmauthd.conf
-rw-r--r-T 1 root root 417 Sep 19 2013 vmkdevmgr.conf
-rw-r--r-T 1 root root 348 Sep 19 2013 vmkernel.conf
-rw-r--r-T 1 root root 434 Sep 19 2013 vmkeventd.conf
-rw-r--r-T 1 root root 369 Sep 19 2013 vmksummary.conf
-rw-r--r-T 1 root root 394 Sep 19 2013 vmkwarning.conf
-rw-r--r-T 1 root root 327 Sep 19 2013 vobd.conf
-rw-r--r-T 1 root root 332 Sep 19 2013 vprobe.conf
-rw-r--r-T 1 root root 339 Sep 19 2013 vprobed.conf
-rw-r--r-- 1 root root 225 Dec 17 21:37 vpxa.conf
-rw-r--r-T 1 root root 425 Sep 19 2013 vsanSoapServer.conf
-rw-r--r-T 1 root root 329 Jun 26 2013 xorg.conf
You can modify what is and is not logged by editing the configuration in this directory; however, this is not supported or recommended. For example, you can have each VM's vmware.log file written to a separate log file on the host; for more information see this post.
It is also worth mentioning that if you are not receiving logs from an ESXi host after configuration, you should ensure that you have properly configured the firewall on the ESXi host, as this is a commonly missed step (read here for all the steps).
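Since the host forwards every configured log, one place to select a subset is on the receiving side. The following Python is an added example, not from the original post: it parses the syslog priority and tag of each received line and keeps only chosen tags plus anything at warning severity or worse. The sample lines, the tag names `sshd` and `shell`, and the function names are constructed for illustration.

```python
import re

# Constructed sample lines (made-up host, PIDs and text), laid out as
# <PRI>timestamp host tag[pid]: message.
SAMPLE = [
    "<38>2015-01-12T10:15:30.101Z esx01.example.com sshd[34012]: Accepted password for root from 192.0.2.10 port 51234 ssh2",
    "<14>2015-01-12T10:15:32.440Z esx01.example.com shell[34020]: [root]: esxcli system syslog config get",
    "<166>2015-01-12T10:15:33.002Z esx01.example.com Hostd: [FFB3AB70 verbose 'Statssvc'] stats refresh",
    "<179>2015-01-12T10:15:33.950Z esx01.example.com vmkernel: cpu2:33201)ScsiDeviceIO: 2337: Cmd(0x412e803d2a40) failed",
    "not a syslog line",
]

LINE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ([^\s:\[]+)(?:\[(\d+)\])?: ?(.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse(line):
    """Split one received line into fields; return None if it does not fit."""
    m = LINE.match(line)
    if not m or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "time": m.group(2), "host": m.group(3), "tag": m.group(4),
            "pid": m.group(5), "msg": m.group(6)}


def select(lines, keep_tags, always_keep_at="warning"):
    """Keep allow-listed tags, plus any message at always_keep_at or worse.

    Returns (kept, dropped_count, unparsed) so nothing vanishes silently.
    """
    threshold = SEVERITIES.index(always_keep_at)
    kept, dropped, unparsed = [], 0, []
    for line in lines:
        rec = parse(line)
        if rec is None:
            unparsed.append(line)  # keep for review rather than discard
        elif rec["tag"] in keep_tags or SEVERITIES.index(rec["severity"]) <= threshold:
            kept.append(rec)
        else:
            dropped += 1
    return kept, dropped, unparsed


if __name__ == "__main__":
    kept, dropped, unparsed = select(SAMPLE, {"sshd", "shell"})  # assumed tags
    for rec in kept:
        print(rec["time"], rec["host"], rec["severity"], rec["tag"], rec["msg"])
    print(f"dropped={dropped} unparsed={len(unparsed)}")
```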
Happy Logging!
© 2015, Steve Flanders. All rights reserved.
Thanks Steven. In a situation where the destination syslog server is over the WAN, what happens when the destination syslog server is unreachable? Does ESXi buffer the logs so they are not lost during the “downtime”? Or does ESXi simply drop the entries, so they are lost?
If the logs are lost, then this is a good use case for Forwarder. From what I know, Forwarder keeps the log and will retry.
ESXi does not contain a buffer other than the buffer that the TCP protocol provides. In short, yes this is a reason to use the forwarder (see reason 6)! Thanks for the comment!
Luckily I found a solution which is pretty easy! 😉
Just need to create a symbolic link for the required logs
# ln -s /scratch/log/auth.log /var/log/audit/auth.log
# ln -s /scratch/log/shell.log /var/log/audit/shell.log
Then configure the VMSyslogD to send ONLY logs in this directory
/etc/vmsyslog.conf
logdir = /var/log/audit
That’s all folks!!!
Cheers
Kali
Sorry, it's NOT working; this stupid @^$*# VMsyslogD automatically copied ALL the other log files into this NEW directory :((