VMware Cloud Community
virtuallysi
Enthusiast

Configuring ESXi to use Syslog on a Non-Standard TCP or UDP Port

Hi,

Has anyone been able to configure syslog on ESXi to send logs on a non-standard TCP or UDP port (not 514)? I've been through Configuring syslog on ESXi (2003322) | VMware KB.

Here's a dump of the ESXi host syslog configuration:

    esxcli system syslog config get

       Default Network Retry Timeout: 180
       Dropped Log File Rotation Size: 100
       Dropped Log File Rotations: 10
       EnforceSSLCertificates: false
       Local Log Output: /scratch/log
       Local Log Output Is Configured: false
       Local Log Output Is Persistent: true
       Local Logging Default Rotation Size: 1024
       Local Logging Default Rotations: 8
       Log To Unique Subdirectory: false
       Message Queue Drop Mark: 90
       Remote Host: udp://1.2.3.4:5183 (syslog.global.loghost to tcp://1.2.3.4:5183)

I've run "esxcli system syslog reload" various times and restarted the ESXi host as well as restarting syslog, but nothing seems to work.

When I write to the syslog using esxcli system syslog mark -s "Hello world" I don't see any packets being sent using tcpdump-uw -i vmk0 host 1.2.3.4 -vv (I also don't see them being received on the remote host). As soon as I change the port to either TCP or UDP 514 I see the logs being sent and they are received on the remote host.

Additionally I've created a custom ESXi FW rule to allow 5183 through, just in case it was being blocked on this port, as well as disabling the ESX fw completely but nothing seems to work apart from 514.

0 Kudos

Accepted Solutions
virtuallysi
Enthusiast

I found a solution; for completeness I've documented this below:

Deploy a SUSE Linux Enterprise Server 11 VM using this ISO (SLES-11-SP2-DVD-x86_64-GM-DVD1.iso)

Download VIB author from VMware and copy to /tmp

Install dependencies:

    zypper install python-lxml
    zypper install python-urlgrabber
    cd /tmp
    rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
    cd /
    mkdir stage
    mkdir stage/payloads
    mkdir stage/payloads/HDFsyslog
    mkdir stage/payloads/HDFsyslog/etc
    mkdir stage/payloads/HDFsyslog/etc/vmware
    mkdir stage/payloads/HDFsyslog/etc/vmware/firewall
    cd /stage

Create a descriptor XML file:

    vi descriptor.xml

    <vib version="5.0">
      <type>bootbank</type>
      <name>HDFsyslog</name>
      <version>5.0.0-1.0</version>
      <vendor>HDF</vendor>
      <summary>HDF Syslog</summary>
      <description>Adds outbound UDP 5183 port required for HDF syslog</description>
      <relationships>
        <depends></depends>
        <conflicts/>
        <replaces/>
        <provides/>
        <compatibleWith/>
      </relationships>
      <software-tags>
      </software-tags>
      <system-requires>
        <maintenance-mode>false</maintenance-mode>
      </system-requires>
      <file-list>
        <file></file>
      </file-list>
      <acceptance-level>community</acceptance-level>
      <live-install-allowed>true</live-install-allowed>
      <live-remove-allowed>true</live-remove-allowed>
      <cimom-restart>false</cimom-restart>
      <stateless-ready>true</stateless-ready>
      <overlay>false</overlay>
      <payloads>
        <payload name="HDFsyslog" type="vgz"></payload>
      </payloads>
    </vib>

    cd /stage/payloads/HDFsyslog/etc/vmware/firewall

Create a firewall rule XML file:

    vi HDFsyslog.xml

Create the .vib and .zip file:

    cd /stage
    vibauthor -C -t /stage -v HDFsyslog.vib -O HDFsyslog.zip

Installing a Customised VIB into ESXi:

Copy the HDFsyslog.zip to /tmp of an ESXi host:

    scp HDFsyslog.zip root@1.1.1.1:/tmp

On the ESXi host, change the Host Image Profile Acceptance Level to “CommunitySupported”:

Install the vib on the ESXi host:

    esxcli software vib install -d /tmp/HDFsyslog.zip

       Installation Result
       Message: Operation finished successfully.
       Reboot Required: false
       VIBs Installed: HDF_bootbank_HDFsyslog_5.0.0-1.0
       VIBs Removed:
       VIBs Skipped:

    esxcli system syslog config set --loghost=udp://1.2.3.4:5183
    esxcli system syslog reload

On the ESXi host you should now see the HDF firewall rule.


0 Kudos
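
The accepted solution creates HDFsyslog.xml in vi without showing its contents. The following is an added example, not part of the original post: a shell function that stages the payload directory and writes an outbound rule file, assuming the service/rule XML layout used by the files under /etc/vmware/firewall on ESXi. The function name write_fw_rule is hypothetical; the service name, protocol and port mirror the thread.

```shell
#!/bin/sh
# Added example: stage the VIB payload tree and write the firewall rule XML.
# Assumption: the rule file uses the same ConfigRoot/service/rule layout as
# the stock files in /etc/vmware/firewall on an ESXi host.

# write_fw_rule STAGE_DIR SERVICE_ID PROTOCOL PORT
# Creates STAGE_DIR/payloads/SERVICE_ID/etc/vmware/firewall/SERVICE_ID.xml
# and prints its path. Returns non-zero on an invalid protocol or port.
write_fw_rule() {
    stage=$1 svc=$2 proto=$3 port=$4

    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range" >&2; return 1
    fi

    dir="$stage/payloads/$svc/etc/vmware/firewall"
    mkdir -p "$dir" || return 1
    # Outbound only, destination port only: the narrowest rule that lets
    # the host's syslog client reach the collector.
    cat > "$dir/$svc.xml" <<EOF
<ConfigRoot>
  <service>
    <id>$svc</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
    echo "$dir/$svc.xml"
}

# Usage matching the thread: write_fw_rule /stage HDFsyslog udp 5183
```

The acceptance-level step in the post shows no command; the esxcli form is `esxcli software acceptance set --level=CommunitySupported`, which permits unsigned VIBs on that host. After the install, `esxcli network firewall ruleset list` should show the new ruleset as enabled.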
5 Replies
handsy
Enthusiast

Does KB 2119477 help instead?

0 Kudos
virtuallysi
Enthusiast

Unfortunately that KB article relates to VCSA and not ESXi.

0 Kudos
sachu2017
Enthusiast

Please follow below KB

2003322

0 Kudos
virtuallysi
Enthusiast

I have followed that KB article but syslog seems to work only on the standard 514 (TCP / UDP) ports.

0 Kudos