Starting with vCenter 5.0, VMware introduced the vSphere Syslog Collector tool. It lets admins centralize their ESXi system logs in one place, since by default these logs sit locally on the hypervisor's system partition or on a datastore. You could use third-party tools to manage all the log information, but those tools cost extra money, and VMware vSphere Syslog Collector works just great for a small to medium environment.
Since VMware vSphere Syslog Collector is part of the vCenter media, all you have to do is mount the ISO, click the vSphere Syslog Collector menu, then hit Install.
Once the wizard opens, click Next to skip the Welcome page.
Accept the EULA and continue the wizard.
On the Destination Folder page you can change the path where all the logs are stored, how big the logs should be and how many are kept. I usually like to change the default path just to organize things a little and have everything on a separate drive. If you want to modify some of these values later, you can do that by editing the configuration .xml file located in %PROGRAMDATA%\VMware\VMware Syslog Collector\vmconfig-syslog.xml. More information about this procedure can be found in VMware KB 2021652.
You can have the vSphere Syslog Collector as a standalone product or you can have it integrated with vCenter. Since vCenter is already running in your infrastructure, why not integrate it! Select the second option “VMware vCenter Server installation” and click Next.
Now you need to give the wizard the information it needs to connect and authenticate to your vCenter server. The user that you type here needs to have administrator rights on your VMware vCenter infrastructure. Assign the account to the vCenter Administrator role and it should work just fine.
Here we have the port numbers on which VMware vSphere Syslog Collector listens. You will usually not change these, but there are environments out there that want more security (not communicating on a standard syslog port) or they just don’t like working with the default settings. Make your changes, but if you want to go with the defaults just click Next to continue.
Note: Make sure these ports are open in your firewall so traffic can reach the server.
Specify how the vSphere Syslog Collector should be identified on the network. You have to choose either the IP address or the FQDN. Of course, I recommend using the FQDN because IPs… they change.
On the last page of the wizard just hit the Install button to begin the installation.
If successful you will be presented with an Installation Completed screen. Click Finish to close the wizard.
Now if you open the vSphere Client console, you can see a new icon on the Home page and you can also notice the plugin, which is automatically installed in vCenter. For the Web Client console there is no such icon, so don’t search for it.
Of course, if you click on the icon the list will be empty because the ESXi servers are not yet configured to send their logs to a remote server.
To fix this, select one of your hosts and navigate to the Configuration tab then click Advanced Settings.
On the Advanced Settings window expand Syslog > global and in the Syslog.global.logHost box type the syslog server name in the form udp://syslog server:port. You can also use TCP or SSL as the preferred protocol, or you can use them all; just separate them with a comma when you type them in the box. In case you didn’t write them down during the VMware vSphere Syslog Collector installation, here are the three protocols and ports used for syslog:
udp://servername:514 (eg: udp://server.vcenter.vkernel.local:514 or udp://server-vcenter:514)
tcp://servername:514 (eg: tcp://server.vcenter.vkernel.local:514 or tcp://server-vcenter:514)
ssl://servername:1514 (eg: ssl://server.vcenter.vkernel.local:1514 or ssl://server-vcenter:1514)
Note: If you have multiple entries make sure you put a space after each comma so the host can notice the multiple entries properly.
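A mistyped entry in Syslog.global.logHost means a host quietly stops shipping logs, so it is worth checking the string before applying it to many hosts. The sketch below is an added example, not VMware code: the function name check_loghost is hypothetical, the ports are the collector defaults listed above, and the test string is constructed.

```python
from urllib.parse import urlsplit

# Transports and collector default ports as listed in the article.
DEFAULT_PORTS = {"udp": 514, "tcp": 514, "ssl": 1514}
ENCRYPTED = {"ssl"}  # udp and tcp carry log data in cleartext


def check_loghost(value):
    """Parse a Syslog.global.logHost string; return (targets, problems)."""
    targets, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            problems.append("empty entry (stray comma)")
            continue
        parts = urlsplit(entry)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            problems.append(f"{entry}: unknown protocol, expected udp, tcp or ssl")
            continue
        try:
            port = parts.port  # raises ValueError on a non-numeric port
        except ValueError:
            port = None
        if not parts.hostname or port is None:
            problems.append(f"{entry}: expected protocol://server:port")
            continue
        if port != DEFAULT_PORTS[scheme]:
            problems.append(f"{entry}: port {port} is not the collector default "
                            f"{DEFAULT_PORTS[scheme]}, confirm it matches the install")
        if scheme not in ENCRYPTED:
            problems.append(f"{entry}: {scheme} sends log data unencrypted")
        targets.append((scheme, parts.hostname, port))
    return targets, problems


if __name__ == "__main__":
    # Constructed value: one cleartext target, one SSL target, one typo.
    demo = ("udp://server-vcenter:514, "
            "ssl://server.vcenter.vkernel.local:1514, "
            "ss/://server-vcenter:1514")
    ok, issues = check_loghost(demo)
    print(ok)
    print("\n".join(issues))
```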
The last step in configuring the host is to open the proper ports in the firewall. Still on the Configuration tab click the Security profile link then Properties in the Firewall section.
Scroll down until you find the syslog label. Check the box next to it and click OK.
The connection should now be visible in vCenter as an allow rule.
If you close and re-open the vSphere Client console, the configured hosts should be displayed in the Network Syslog Collector page. To automate this and make it easier to configure the rest of the hosts, use Host Profiles.
By now a folder for each hypervisor that you configured with a remote syslog server should be created in the repository you specified during the VMware vSphere Syslog Collector installation. Inside each of these folders are the logs that your ESXi servers are sending to the vSphere Syslog Collector service.
If you open them, a lot of information can be found about the host and its operations. Here, I tried to log in on one of the hosts using the wrong credentials. It automatically appeared in the log file.
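Once the logs are centralized, failed logins like the one above can be counted across all hosts instead of read by eye. This is an added example, not part of the collector: the two message patterns, the line layout (timestamp, host, message) and the sample lines are constructed assumptions, so adjust them to what your collected files actually contain.

```python
import re
from collections import Counter

# Assumed message shapes for failed logins; adapt to your own log files.
PATTERNS = [
    re.compile(r"Rejected password for user (?P<user>\S+) from (?P<src>\S+)"),
    re.compile(r"Authentication failure for (?P<user>\S+) from (?P<src>\S+)"),
]

# Constructed sample lines (hosts and addresses are placeholders).
SAMPLE = """\
2013-05-14T09:21:07Z esxi01.example.local Hostd: Rejected password for user root from 192.0.2.50
2013-05-14T09:21:09Z esxi01.example.local Hostd: Rejected password for user root from 192.0.2.50
2013-05-14T09:21:30Z esxi02.example.local sshd[3312]: error: PAM: Authentication failure for root from 192.0.2.50
2013-05-14T09:25:02Z esxi02.example.local Hostd: Rejected password for user admin from 192.0.2.77
2013-05-14T09:26:10Z esxi01.example.local Hostd: Accepted password for user root from 192.0.2.10
2013-05-14T09:27:00Z esxi01.example.local vmkernel: storage path state change, no login involved
"""


def failed_logins(lines):
    """Count failed logins per (reporting host, user, source address)."""
    counts = Counter()
    for line in lines:
        fields = line.split(None, 2)  # timestamp, host, rest of message
        if len(fields) < 3:
            continue
        for pattern in PATTERNS:
            match = pattern.search(fields[2])
            if match:
                counts[(fields[1], match["user"], match["src"])] += 1
                break
    return counts


def noisy_sources(counts, threshold=3):
    """Source addresses with at least `threshold` failures across all hosts."""
    per_source = Counter()
    for (_host, _user, src), n in counts.items():
        per_source[src] += n
    return sorted(src for src, n in per_source.items() if n >= threshold)


if __name__ == "__main__":
    totals = failed_logins(SAMPLE.splitlines())
    for key, n in sorted(totals.items()):
        print(n, *key)
    print("review:", noisy_sources(totals))
```

Summing per source across hosts is the part a single host's local log cannot give you: the same address failing on several hypervisors only shows up once the logs sit in one place.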
Managing logs from a central location is great and VMware vSphere Syslog Collector does just that. I know it doesn’t have the functions and features of the third-party tools out there, but it’s a great start for a small environment. Once the infrastructure starts growing you will be kinda forced to use something different or you will sit and read logs all day long.