ESXi Remote Syslog – It's All or Nothing

I frequently get questions about how to forward only certain log files from ESXi, or how to collect a log file that is missing. I get the question so often that it warrants a quick post. The title says it all: it's all or nothing. If you configure remote syslog on ESXi, you get every configured log file from ESXi. There is no supported way today to customize which log files are stored locally versus sent remotely. The only customization you can make is which severity of log messages is forwarded to the remote syslog destinations, by changing log verbosity; however, this is not recommended (read here for more information).

If you want to know exactly what is being sent, have a look in /etc/vmsyslog.conf.d (one configuration file per logger):

/etc/vmsyslog.conf.d # ls -l
total 120
-rw-r--r-T    1 root     root           420 Sep 19  2013 auth.conf
-rw-r--r-T    1 root     root           384 Sep 19  2013 clomd.conf
-rw-r--r-T    1 root     root           347 Sep 19  2013 dhclient.conf
-rw-r--r-T    1 root     root           346 Sep 19  2013 esxshell.conf
-rw-r--r-T    1 root     root           346 Sep 19  2013 esxupdate.conf
-rw-r--r--    1 root     root           219 Dec 17 21:37 fdm.conf
-rw-r--r-T    1 root     root           355 Sep 19  2013 hostd-probe.conf
-rw-r--r--    1 root     root           234 Dec 17 21:37 hostd.conf
-rw-r--r-T    1 root     root           375 Sep 19  2013 hostprofiletrace.conf
-rw-r--r-T    1 root     root           327 Sep 19  2013 lacp.conf
-rw-r--r-T    1 root     root           408 Sep 19  2013 osfsd.conf
-rw-r--r-T    1 root     root           465 Sep 19  2013 rhttpproxy.conf
-rw-r--r-T    1 root     root           373 Sep 19  2013 sdrsInjector.conf
-rw-r--r-T    1 root     root           356 Sep 19  2013 storageRM.conf
-rw-r--r-T    1 root     root           404 Sep 19  2013 swapobjd.conf
-rw-r--r-T    1 root     root           433 Sep 19  2013 syslog.conf
-rw-r--r-T    1 root     root           439 Sep 19  2013 usb.conf
-rw-r--r-T    1 root     root           413 Sep 19  2013 vmamqpd.conf
-rw-r--r-T    1 root     root           357 Sep 19  2013 vmauthd.conf
-rw-r--r-T    1 root     root           417 Sep 19  2013 vmkdevmgr.conf
-rw-r--r-T    1 root     root           348 Sep 19  2013 vmkernel.conf
-rw-r--r-T    1 root     root           434 Sep 19  2013 vmkeventd.conf
-rw-r--r-T    1 root     root           369 Sep 19  2013 vmksummary.conf
-rw-r--r-T    1 root     root           394 Sep 19  2013 vmkwarning.conf
-rw-r--r-T    1 root     root           327 Sep 19  2013 vobd.conf
-rw-r--r-T    1 root     root           332 Sep 19  2013 vprobe.conf
-rw-r--r-T    1 root     root           339 Sep 19  2013 vprobed.conf
-rw-r--r--    1 root     root           225 Dec 17 21:37 vpxa.conf
-rw-r--r-T    1 root     root           425 Sep 19  2013 vsanSoapServer.conf
-rw-r--r-T    1 root     root           329 Jun 26  2013 xorg.conf

You can modify what is and is not logged by editing the files in this directory, however this is neither supported nor recommended. For example, you can have each VM's vmware.log file written to a separate log file on the host (for more information see this post).
It is also worth mentioning that if you are not receiving logs from an ESXi host after configuration, you should ensure that you properly configured the firewall on the ESXi host (the syslog ruleset must be enabled), as this is a commonly missed step (read here for all the steps).
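The procedure above (point vmsyslogd at a collector, open the host firewall, verify) as one script, added here as an example and not taken from the original post. The esxcli commands are the standard ESXi ones; the collector address loghost.example.com is a placeholder. The script refuses udp:// destinations because ESXi keeps no send buffer beyond what TCP itself provides, so UDP loses messages silently whenever the collector is unreachable; it only runs the esxcli steps when esxcli is actually present, so it can be read and checked off the host.

```shell
#!/bin/sh
# Added example, not from the original post: configure ESXi remote syslog
# and open the ESXi firewall for it, the step the post says is commonly missed.
# Assumption: a collector at loghost.example.com (placeholder) listening on TCP 514.

LOGHOST="${LOGHOST:-tcp://loghost.example.com:514}"

# Accept only tcp://host:port or ssl://host:port. ESXi buffers nothing beyond
# what TCP provides, and udp:// drops messages silently when the collector is
# unreachable, so plaintext UDP is rejected here on purpose.
check_loghost() {
    case "$1" in
        tcp://*:[0-9]*|ssl://*:[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

configure_remote_syslog() {
    check_loghost "$1" || {
        echo "refusing loghost '$1': use tcp://host:port or ssl://host:port" >&2
        return 1
    }
    # Set the remote destination and make vmsyslogd re-read its configuration.
    esxcli system syslog config set --loghost="$1"
    esxcli system syslog reload
    # Enable the outbound 'syslog' ruleset in the ESXi firewall and apply it.
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh
}

verify_remote_syslog() {
    # Show the effective remote host and the firewall state for the syslog ruleset,
    # then emit a marker message that should show up on the collector.
    esxcli system syslog config get | grep -i 'Remote Host'
    esxcli network firewall ruleset list --ruleset-id=syslog
    esxcli system syslog mark --message="remote syslog test from $(hostname)"
}

if command -v esxcli >/dev/null 2>&1; then
    configure_remote_syslog "$LOGHOST" && verify_remote_syslog
else
    echo "esxcli not found: not running on an ESXi host, nothing changed" >&2
fi
```

Run it in the ESXi shell with LOGHOST set to your collector; if the marker message does not arrive, the ruleset line printed by verify_remote_syslog is the first thing to look at.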
Happy Logging!

© 2015, Steve Flanders. All rights reserved.

4 comments on “ESXi Remote Syslog – It's All or Nothing”

Thanks Steven. In a situation where the destination syslog server is over the WAN, what happens when the destination syslog server is unreachable? Does ESXi buffer the logs so they are not lost during the “downtime”? Or does ESXi simply drop the entries, so they are lost?
If the logs are lost, then this is a good use case for the Forwarder. From what I know, the Forwarder keeps the logs and will retry.

ESXi does not contain a buffer other than the buffer that the TCP protocol provides. In short, yes, this is a reason to use the forwarder (see reason 6)! Thanks for the comment!

Kali says:

Luckily I found a solution which is pretty easy! 😉
You just need to create a symbolic link for the required logs:
# ln -s /scratch/log/auth.log /var/log/audit/auth.log
# ln -s /scratch/log/shell.log /var/log/audit/shell.log
Then configure VMSyslogD to send ONLY the logs in this directory:
logdir = /var/log/audit
That's all folks!!!

Kali says:

Sorry, it's NOT working, this stupid @^$*# VMsyslogD automatically copied ALL the other log files into this NEW directory :((
