Skip to content

ESXi Remote Syslog – It's All or Nothing

I frequently get questions around how to forward only certain log files from ESXi or how to collect a log file that is missing. I get the question so frequently that it warrants a quick post. The title of this post says it all – it’s all or nothing. If you configure remote syslog on ESXi then you will get all configured logs files from ESXi. There is no supported way today to customize what logs files are stored locally versus sent remotely. The only customization that you can make is what severity logs messages are forwarded to the remote syslog destinations by changing log verbosity, however this is not recommended (read here for more information).
vsphere

If you want to know what exactly is being sent, have a look in /etc/vmsyslog.conf.d:

You can modify what is and is not logged by editing information in this directory, however this is not supported or recommended. For example, you can have each VM’s vmware.log file be written to a separate log file on the host — for more information see this post.
It is also worth mentioning if you are not receiving logs from an ESXi host after configuration then you should ensure that you properly configured the firewall on the ESXi host as this is a commonly missed step (read here for all the steps).
Happy Logging!

© 2015, Steve Flanders. All rights reserved.

Published inVMware

4 Comments

  1. Thanks Steven. In situation where the destination syslog server is over the WAN, when happens when the destination syslog server is unreachable? Does ESXi buffer the logs so they are not lost during the “downtime”? Or ESXi simply drops the entries, so they are lost?
    If the logs are lost, then this is a good use case for Forwarder. From what I know, Forwarder keeps the log and will retry.

    • ESXi does not contain a buffer other than the buffer that the TCP protocol provides. In short, yes this is a reason to use the forwarder (see reason 6)! Thanks for the comment!

  2. Kali Kali

    Luckily i found solution which is pretty easy! 😉
    Just need create a Symbolic Link for the required logs
    # ln -s /scratch/log/auth.log /var/log/audit/auth.log
    # ln -s /scratch/log/shell.log /var/log/audit/shell.log
    Then configure the VMSyslogD to sent ONLY logs in this Directory
    /etc/vmsyslog.conf
    logdir = /var/log/audit
    That’s all folks!!!
    Cheers
    Kali

    • Kali Kali

      Sorry, it NOT working this stupid @^$*# VMsyslogD automatically copied ALL other Logs file in this NEW directory :((

Leave a Reply

Your email address will not be published. Required fields are marked *