Hi,
Has anyone been able to configure syslog on ESXi to send logs on a non-standard TCP or UDP port (not 514)? I've been through "Configuring syslog on ESXi (2003322) | VMware KB".
Here's a dump of the ESXi host syslog configuration:
esxcli system syslog config get
Default Network Retry Timeout: 180
dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
EnforceSSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: false
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://1.2.3.4:5183 (syslog.global.loghost to tcp://1.2.3.4:5183)
I've run "esxcli system syslog reload" various times and restarted the ESXi host as well as restarting syslog, but nothing seems to work.
When I write to the syslog using esxcli system syslog mark -s "Hello world" I don't see any packets being sent using tcpdump-uw -i vmk0 host 1.2.3.4 -vv (I also don't see them being received on the remote host). As soon as I change the port to either TCP or UDP 514 I see the logs being sent and they are received on the remote host.
Additionally I've created a custom ESXi FW rule to allow 5183 through, just in case it was being blocked on this port, as well as disabling the ESX fw completely but nothing seems to work apart from 514.
I found a solution; for completeness I've documented this below:
Deploy a SUSE Linux Enterprise Server 11 VM using this ISO (SLES-11-SP2-DVD-x86_64-GM-DVD1.iso)
Download VIB author from VMware and copy to /tmp
Install dependencies:
zypper install python-lxml
zypper install python-urlgrabber
cd /tmp
rpm -ivh vmware-esx-vib-author-5.0.0-0.0.847598.i386.rpm
cd /
mkdir stage
mkdir stage/payloads
mkdir stage/payloads/HDFsyslog
mkdir stage/payloads/HDFsyslog/etc
mkdir stage/payloads/HDFsyslog/etc/vmware
mkdir stage/payloads/HDFsyslog/etc/vmware/firewall
cd /stage
Create a descriptor XML file:
vi descriptor.xml
<vib version="5.0">
  <type>bootbank</type>
  <name>HDFsyslog</name>
  <version>5.0.0-1.0</version>
  <vendor>HDF</vendor>
  <summary>HDF Syslog</summary>
  <description>Adds outbound UDP 5183 port required for HDF syslog</description>
  <relationships>
    <depends></depends>
    <conflicts/>
    <replaces/>
    <provides/>
    <compatibleWith/>
  </relationships>
  <software-tags>
  </software-tags>
  <system-requires>
    <maintenance-mode>false</maintenance-mode>
  </system-requires>
  <file-list>
    <file></file>
  </file-list>
  <acceptance-level>community</acceptance-level>
  <live-install-allowed>true</live-install-allowed>
  <live-remove-allowed>true</live-remove-allowed>
  <cimom-restart>false</cimom-restart>
  <stateless-ready>true</stateless-ready>
  <overlay>false</overlay>
  <payloads>
    <payload name="HDFsyslog" type="vgz"></payload>
  </payloads>
</vib>
cd /stage/payloads/HDFsyslog/etc/vmware/firewall
Create a firewall rule XML file:
vi HDFsyslog.xml
Create the .vib and .zip file:
cd /stage
vibauthor -C -t /stage -v HDFsyslog.vib -O HDFsyslog.zip
Installing a Customised VIB into ESXi:
Copy the HDFsyslog.zip to /tmp of an ESXi host:
scp HDFsyslog.zip root@1.1.1.1:/tmp
On the ESXi host, change the Host Image Profile Acceptance Level to “CommunitySupported”:
Install the vib on the ESXi host:
esxcli software vib install -d /tmp/HDFsyslog.zip
Installation Result
Message: Operation finished successfully.
Reboot Required: false
VIBs Installed: HDF_bootbank_HDFsyslog_5.0.0-1.0
VIBs Removed:
VIBs Skipped:
esxcli system syslog config set --loghost=udp://1.2.3.4:5183
esxcli system syslog reload
On the ESXi host you should now see the HDF firewall rule
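The post above names the firewall rule file but its contents are not shown on the page. As an added example (not part of the original post), a rule file matching the descriptor's "outbound UDP 5183" description could look like this, assuming the standard ESXi 5.x firewall service XML layout; the rule id 0000 and the enabled/required values are assumptions.

```xml
<!-- Added example for /stage/payloads/HDFsyslog/etc/vmware/firewall/HDFsyslog.xml -->
<!-- Assumed values: rule id '0000', enabled=true, required=false -->
<ConfigRoot>
  <service>
    <!-- ruleset name as it appears in the host's firewall ruleset list -->
    <id>HDFsyslog</id>
    <rule id='0000'>
      <!-- traffic leaving the host towards the remote syslog collector -->
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <!-- match on the destination port only -->
      <porttype>dst</porttype>
      <port>5183</port>
    </rule>
    <!-- ruleset is active as soon as the VIB is installed -->
    <enabled>true</enabled>
    <!-- false keeps the ruleset optional, so it can be disabled again later -->
    <required>false</required>
  </service>
</ConfigRoot>
```

This rule covers only the udp:// loghost set in the last step; a tcp:// loghost on the same port would need a second `<rule>` with `<protocol>tcp</protocol>`. After the install, `esxcli network firewall ruleset list` should show HDFsyslog as enabled.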
Does KB 2119477 help instead?
Unfortunately that KB article relates to VCSA and not ESXi
Please follow below KB
I have followed that KB article but syslog seems to work only on the standard 514 (TCP / UDP) ports