Configure Syslog on ESXi 5.x Hosts

No matter how small or how big your VMware infrastructure is, you still want to know what’s happening on your hosts, and most of the time for security reasons. You also need to be alerted when something goes wrong or is about to go wrong, who’s logging in and logging out, and so on. All of these events, together with the messages of the VMkernel and other system components, are stored in log files on a scratch volume or ramdisk. These are difficult to read because you have to remote into each server. ESXi can be configured to send its logs to a remote syslog server using the graphical interface, the command line, PowerCLI or Host Profiles. Let’s start with the first one:

Configuring syslog on ESXi 5.x using the vSphere client

On the vSphere client go to the Configuration tab and open the Advanced Settings window in the Software section. Click the Syslog setting and search for Syslog.global.logHost. In the box, type your syslog server name or IP address and click OK. The syslog server can also be specified in the form udp://your syslog server:514 or tcp://your syslog server:514, or, if you want to use SSL, ssl://your syslog server:1514. You can use either TCP or UDP; if no protocol is specified it defaults to UDP. If you want to change other settings in the Syslog menu, like the default log size or the maximum number of archives to keep, read this VMware article on how it’s done.


The last step before you see it working is to configure the ESXi host firewall. From the Configuration tab click the Security Profile menu, then in the Firewall section click Properties. Scroll down until you find the syslog rule, check the box next to it and click OK.

Now you should see messages popping into your syslog server. Here I used a free tool for the purpose of this demonstration and, as you can see, I get a lot of logs. In the first entries, which are the latest messages, I tried to log in to my ESXi server using a wrong password. Of course, if you have a lot of ESXi hosts in your environment you may want to consider a syslog server that can filter messages and send you alerts based on the filters you create.
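The kind of filter described above, written out as an added example (it is not code from this article, and the syslog lines in it are constructed, only modelled on the hostd "Rejected password for user ... from ..." wording rather than copied from a real capture): it splits each incoming line into the syslog header fields, keeps the rejected-password events and raises one alert per source address once a threshold of failures lands inside a time window, so a wrong-password burst like the one in the screenshot becomes a single actionable event instead of a wall of log lines.

```python
"""Filter syslog messages from ESXi hosts for repeated login failures.

Added collector-side example; SAMPLE_LINES are constructed and only modelled
on the hostd wording, they are not captured ESXi logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample input in the "<PRI>TIMESTAMP HOST APP: MSG" layout.
SAMPLE_LINES = [
    "<166>2013-05-02T10:15:01Z esxi01 Hostd: [Vimsvc] Accepted password for user root from 10.1.1.20",
    "<166>2013-05-02T10:16:10Z esxi01 Hostd: [Vimsvc] Rejected password for user root from 10.1.1.20",
    "<166>2013-05-02T10:16:12Z esxi01 Hostd: [Vimsvc] Accepted password for user root from 10.1.1.20",
    "<14>2013-05-02T10:17:00Z esxi01 vobd: [UserLevelCorrelator] SSH access has been enabled",
    "<166>2013-05-02T10:20:01Z esxi01 Hostd: [Vimsvc] Rejected password for user root from 10.1.1.77",
    "<166>2013-05-02T10:20:03Z esxi01 Hostd: [Vimsvc] Rejected password for user root from 10.1.1.77",
    "<166>2013-05-02T10:20:05Z esxi01 Hostd: [Vimsvc] Rejected password for user admin from 10.1.1.77",
    "<166>2013-05-02T10:20:08Z esxi01 Hostd: [Vimsvc] Rejected password for user root from 10.1.1.77",
    "garbage line that does not parse",
]

# Header: <PRI>, ISO timestamp, host name, program name, then the free text.
HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<app>[^\s:]+): (?P<msg>.*)$")
# Constructed approximation of hostd's failed-authentication wording.
AUTH_FAIL = re.compile(r"Rejected password for user (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")


def parse_line(line: str) -> Optional[Dict]:
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    try:
        ts = datetime.fromisoformat(m.group("ts").rstrip("Z"))
    except ValueError:
        return None
    return {
        "facility": pri >> 3,  # e.g. 20 = local4
        "severity": pri & 7,   # 0 = emergency ... 7 = debug
        "ts": ts,
        "host": m.group("host"),
        "app": m.group("app"),
        "msg": m.group("msg"),
    }


def failed_logins(lines) -> List[Dict]:
    """Return one record per rejected password, in arrival order."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["app"] != "Hostd":
            continue
        m = AUTH_FAIL.search(rec["msg"])
        if m:
            out.append({"ts": rec["ts"], "host": rec["host"],
                        "user": m.group("user"), "src": m.group("src")})
    return out


def brute_force_alerts(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Alert once per (host, source IP) when `threshold` failures land inside `window`.

    After an alert opens, further failures from the same source extend it instead
    of creating a new one, so a long series of attempts yields a single event."""
    recent = defaultdict(deque)  # (host, src) -> deque of (ts, user) inside the window
    alerts = {}
    for ev in failed_logins(lines):
        key = (ev["host"], ev["src"])
        q = recent[key]
        q.append((ev["ts"], ev["user"]))
        while ev["ts"] - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if key in alerts:
            a = alerts[key]
            a["attempts"] += 1
            a["last"] = ev["ts"]
            a["users"].add(ev["user"])
        elif len(q) >= threshold:
            alerts[key] = {"host": ev["host"], "src": ev["src"], "attempts": len(q),
                           "first": q[0][0], "last": ev["ts"], "users": {u for _, u in q}}
    return list(alerts.values())


if __name__ == "__main__":
    for a in brute_force_alerts(SAMPLE_LINES):
        print(f"{a['host']}: {a['attempts']} failed logins from {a['src']} "
              f"({', '.join(sorted(a['users']))}) between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The single rejected password from 10.1.1.20 followed by a successful login stays below the threshold, while the four failures from 10.1.1.77 inside a few seconds produce one alert naming both user names tried. In a real collector the same functions would be fed from the UDP/TCP listener instead of the constructed list.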

If it is still not working, make sure traffic on port 514 (TCP/UDP) or 1514 (if you use SSL) is open between your ESXi host(s) and the syslog server.


Configuring syslog on ESXi 5.x using the command line

For this you will need to open a remote ESXi Shell console through iDRAC, iLO or SSH, since I doubt anyone will go and plug a monitor and keyboard directly into the server. I will use SSH for this demonstration.

To set up a syslog server type the following command:

esxcli system syslog config set --loghost='your syslog server name or IP address'
esxcli system syslog reload

You can also use the format udp://your syslog server:514, tcp://your syslog server:514 or ssl://your syslog server:1514 instead of the IP address or name of the syslog server in the command.
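The loghost value accepted by both the vSphere client and esxcli above is a small format of its own, so here is an added helper (not part of ESXi, PowerCLI or this article) that parses a Syslog.global.logHost value the way the article describes it: a bare name or address means UDP on 514, tcp:// uses 514 and ssl:// uses 1514. It goes one step beyond the text by accepting a comma-separated list, which ESXi 5.x allows for several collectors. Treating 1514 as the implicit port when ssl:// is given without one is an assumption taken from the port the article uses. The review it prints is the pre-change checklist a defender wants: which firewall path must be open, and whether the chosen transport leaves the logs readable on the wire or loses messages silently.

```python
"""Validate an ESXi Syslog.global.logHost value before applying it.

Added helper, not part of ESXi or this article. Defaults follow the article:
no scheme = UDP, UDP/TCP on 514, SSL on 1514. Using 1514 as the implicit port
for ssl:// when none is given is an assumption."""
from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit

DEFAULT_PORTS = {"udp": 514, "tcp": 514, "ssl": 1514}


@dataclass(frozen=True)
class LogHost:
    scheme: str
    host: str
    port: int

    @property
    def encrypted(self) -> bool:
        # Only ssl:// protects log content in transit; udp:// and tcp:// send cleartext.
        return self.scheme == "ssl"

    @property
    def reliable(self) -> bool:
        # UDP gives no delivery feedback, so lost messages go unnoticed.
        return self.scheme in ("tcp", "ssl")

    def firewall_rule(self) -> str:
        """Outbound traffic the ESXi 'syslog' ruleset and the network path must allow."""
        transport = "TCP" if self.scheme in ("tcp", "ssl") else "UDP"
        return f"{transport}/{self.port} from ESXi host to {self.host}"


def parse_loghost(value: str) -> LogHost:
    """Parse one entry; a bare name or address means udp://name:514."""
    value = value.strip()
    if "://" not in value:
        value = "udp://" + value  # ESXi default transport when none is given
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported transport {scheme!r}: use udp, tcp or ssl")
    if not parts.hostname:
        raise ValueError("missing syslog server name or address")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return LogHost(scheme, parts.hostname, port)


def parse_loghosts(value: str) -> List[LogHost]:
    """Parse the whole setting; ESXi 5.x accepts several collectors separated by commas."""
    return [parse_loghost(item) for item in value.split(",") if item.strip()]


def review(value: str) -> List[str]:
    """One finding per collector, the way a pre-change checklist would list them."""
    findings = []
    for lh in parse_loghosts(value):
        notes = [lh.firewall_rule()]
        if not lh.encrypted:
            notes.append("cleartext transport, logs readable on the wire")
        if not lh.reliable:
            notes.append("UDP: dropped messages are not detected")
        findings.append(f"{lh.scheme}://{lh.host}:{lh.port}: " + "; ".join(notes))
    return findings


if __name__ == "__main__":
    # Constructed sample value mixing the three forms the article shows.
    for line in review("10.0.0.5, tcp://syslog.example.com:514, ssl://syslog.example.com"):
        print(line)
```

Run it against the value you intend to put into Syslog.global.logHost and the output tells you which port the syslog ruleset and any intermediate firewall must pass, and whether a collector should be moved to ssl:// before the host starts shipping authentication events across the network.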

To configure the firewall on the ESXi host(s) use the command:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh


After the firewall configuration, logs should appear on your syslog server.


Again, if it is still not working, make sure traffic on port 514 (TCP/UDP) or 1514 (SSL) is open between your ESXi host(s) and the syslog server.


Configuring syslog on ESXi 5.x using PowerCLI

If PowerCLI is your way to go, open a shell, connect to your ESXi server and issue the following command:

Set-VMHostSysLogServer -SysLogServer 'your syslog server' -SysLogServerPort 514


If you have a vCenter server, use the Get-VMHost cmdlet to configure all the ESXi hosts at once. Open a PowerCLI session, connect to your vCenter server and type the command below:

Get-VMHost | Set-VMHostSysLogServer -SysLogServer 'your syslog server' -SysLogServerPort 514


In case you want to set this for a particular cluster only, use the following:

Get-Cluster 'Cluster Name' | Get-VMHost | Set-VMHostSysLogServer -SysLogServer 'your syslog server' -SysLogServerPort 514


And let’s not forget the firewall. For a single ESXi host you will type:

Get-VMHostFirewallException | where {$_.Name.StartsWith('syslog')} | Set-VMHostFirewallException -Enabled $true


And for a vCenter infrastructure:

Get-VMHost | Get-VMHostFirewallException | where {$_.Name.StartsWith('syslog')} | Set-VMHostFirewallException -Enabled $true

This will configure the firewall for all the ESXi hosts in that vCenter infrastructure.


If you want to take this further, you can use the Host Profiles feature in vCenter so let’s get to it.


Configuring syslog on ESXi 5.x using Host Profiles

Just create a new host profile, select it then hit the Edit Profile button. For more information on how to create a host profile read this article.


Expand Advanced configuration option > Syslog.global.logHost and click on Advanced option. From the drop-down box on the right select Configure a fixed option. In the first box, “*The name of the box using a dot notation to reflect the option’s position in the hierarchy”, put Syslog.global.logHost, then in the second one, “The value of the option”, put your syslog server name.

In case you want to change other settings from the Syslog menu, like the default log size or the maximum number of archives to keep, read this VMware article to see how it’s done.


The firewall also needs to be configured, so expand Firewall configuration > Ruleset Configuration > syslog and click on Ruleset. On the right-hand side check the “*Flag indicating whether ruleset should be enabled.” box, then click OK to close the Edit Profile window.


Now right-click the profile and attach hosts or clusters to it.


Once the profile is attached, you can go ahead and apply the profile. Be careful, because in a production environment hosts need to be put in maintenance mode.


And that’s it; your ESXi hosts will now send their logs to your preferred syslog server (Splunk or VMware Syslog Collector, for example). Use whichever method you like the most, because they all have the same result.
