Re: ESX log files stop sending data?

buckmaster · ‎12-16-2011

Running ESX5i and have re-directed the log files to splunk so if the server ever has a problem I have something to refer to since they are not saved after a crash and or reboot. Problem is when I reboot the splunk server esx logs stop sending data to splunk. I have to issue the following command to get log data flowing again "esxcli system syslog reload". Other systems start re-sending data on their own. What am I missing?

Thanks

Tom Miller

Virtualinfra · ‎12-19-2011

Reconfigure the syslogging to the accepted esxi once again and see if that happens again.

Award points for the helpful and correct answer by clicking the below tab

Thanks & Regards Dharshan S VCP 4.0,VTSP 5.0, VCP 5.0

dsseagren · ‎12-20-2011

I'm seeing the same issue. I don't think making changes on the syslog server side will help because the syslogd quits. If you take a look at /var/log/.vmsyslogd.err you will probably find something similar to:

2011-12-16T15:09:48.103Z vmsyslog.loggers.network : ERROR ] servername:514 - socket error : [Errno 111] Connection refused

2011-12-16T15:09:48.103Z vmsyslog.main : ERROR ] <servername:514> failed to write log, disabling

Seems like a bug to me.

buckmaster · ‎12-20-2011

Evidently this has been reported to VMware and they are working on a patch.

Tom Miller

coafark · ‎05-21-2013

Don't hold your breath on it. Its May 2013 and the issue still happens. They fixed "UDP" but if you are sending "TCP" it dies. So switch to UDP and it'll work.

Re: ESX log files stop sending data?

Gleed · ‎05-21-2013

Here's a link that can at least help you know when you get into this situation. Note pay attention to the note at the bottom as the behavior changed a bit with ESXi 5.0 patch 3.:

virtuallyGhetto: Detecting ESXi Remote Syslog Connection Error Using a vCenter Alarm

All

ESX log files stop sending data?