Skip to content

ESXi Remote Syslog – It's All or Nothing

I frequently get questions around how to forward only certain log files from ESXi or how to collect a log file that is missing. I get the question so frequently that it warrants a quick post. The title of this post says it all – it’s all or nothing. If you configure remote syslog on ESXi then you will get all configured logs files from ESXi. There is no supported way today to customize what logs files are stored locally versus sent remotely. The only customization that you can make is what severity logs messages are forwarded to the remote syslog destinations by changing log verbosity, however this is not recommended (read here for more information).
vsphere

If you want to know what exactly is being sent, have a look in /etc/vmsyslog.conf.d:

/etc/vmsyslog.conf.d # ls -l
total 120
-rw-r--r-T    1 root     root           420 Sep 19  2013 auth.conf
-rw-r--r-T    1 root     root           384 Sep 19  2013 clomd.conf
-rw-r--r-T    1 root     root           347 Sep 19  2013 dhclient.conf
-rw-r--r-T    1 root     root           346 Sep 19  2013 esxshell.conf
-rw-r--r-T    1 root     root           346 Sep 19  2013 esxupdate.conf
-rw-r--r--    1 root     root           219 Dec 17 21:37 fdm.conf
-rw-r--r-T    1 root     root           355 Sep 19  2013 hostd-probe.conf
-rw-r--r--    1 root     root           234 Dec 17 21:37 hostd.conf
-rw-r--r-T    1 root     root           375 Sep 19  2013 hostprofiletrace.conf
-rw-r--r-T    1 root     root           327 Sep 19  2013 lacp.conf
-rw-r--r-T    1 root     root           408 Sep 19  2013 osfsd.conf
-rw-r--r-T    1 root     root           465 Sep 19  2013 rhttpproxy.conf
-rw-r--r-T    1 root     root           373 Sep 19  2013 sdrsInjector.conf
-rw-r--r-T    1 root     root           356 Sep 19  2013 storageRM.conf
-rw-r--r-T    1 root     root           404 Sep 19  2013 swapobjd.conf
-rw-r--r-T    1 root     root           433 Sep 19  2013 syslog.conf
-rw-r--r-T    1 root     root           439 Sep 19  2013 usb.conf
-rw-r--r-T    1 root     root           413 Sep 19  2013 vmamqpd.conf
-rw-r--r-T    1 root     root           357 Sep 19  2013 vmauthd.conf
-rw-r--r-T    1 root     root           417 Sep 19  2013 vmkdevmgr.conf
-rw-r--r-T    1 root     root           348 Sep 19  2013 vmkernel.conf
-rw-r--r-T    1 root     root           434 Sep 19  2013 vmkeventd.conf
-rw-r--r-T    1 root     root           369 Sep 19  2013 vmksummary.conf
-rw-r--r-T    1 root     root           394 Sep 19  2013 vmkwarning.conf
-rw-r--r-T    1 root     root           327 Sep 19  2013 vobd.conf
-rw-r--r-T    1 root     root           332 Sep 19  2013 vprobe.conf
-rw-r--r-T    1 root     root           339 Sep 19  2013 vprobed.conf
-rw-r--r--    1 root     root           225 Dec 17 21:37 vpxa.conf
-rw-r--r-T    1 root     root           425 Sep 19  2013 vsanSoapServer.conf
-rw-r--r-T    1 root     root           329 Jun 26  2013 xorg.conf

You can modify what is and is not logged by editing information in this directory, however this is not supported or recommended. For example, you can have each VM’s vmware.log file be written to a separate log file on the host — for more information see this post.
It is also worth mentioning if you are not receiving logs from an ESXi host after configuration then you should ensure that you properly configured the firewall on the ESXi host as this is a commonly missed step (read here for all the steps).
Happy Logging!

© 2015, Steve Flanders. All rights reserved.

Published inVMware

4 Comments

  1. Thanks Steven. In situation where the destination syslog server is over the WAN, when happens when the destination syslog server is unreachable? Does ESXi buffer the logs so they are not lost during the “downtime”? Or ESXi simply drops the entries, so they are lost?
    If the logs are lost, then this is a good use case for Forwarder. From what I know, Forwarder keeps the log and will retry.

    • ESXi does not contain a buffer other than the buffer that the TCP protocol provides. In short, yes this is a reason to use the forwarder (see reason 6)! Thanks for the comment!

  2. Kali Kali

    Luckily i found solution which is pretty easy! 😉
    Just need create a Symbolic Link for the required logs
    # ln -s /scratch/log/auth.log /var/log/audit/auth.log
    # ln -s /scratch/log/shell.log /var/log/audit/shell.log
    Then configure the VMSyslogD to sent ONLY logs in this Directory
    /etc/vmsyslog.conf
    logdir = /var/log/audit
    That’s all folks!!!
    Cheers
    Kali

    • Kali Kali

      Sorry, it NOT working this stupid @^$*# VMsyslogD automatically copied ALL other Logs file in this NEW directory :((

Leave a Reply

Your email address will not be published. Required fields are marked *