VMware Cloud Community
usulsuspct
Contributor
Contributor
‎02-07-2012 08:13 AM

ESXi 5 - Limiting Syslog Verbosity

I am trying to configure two of our ESXi 5 hosts too log too a central splunk syslog server.  The problem I am running into is the shear amount of syslog messages being generated.

I have configured my ESXi hosts to use a specified syslog server via:

Syslog.global.logHost "fqdn.syslog.server"

I have tried to limit the amount of messages logged by setting the following two options:

Config.HostAgent.log.level "warning"

Vpx.Vpxa.config.log.level "warning"

I am obviously missing something or have things configured incorrectly because if left enabled I will fill quickly start seeing 500 messages a minute appear in splunk for each host configured per above.  A lot of these messages contain flags that indicate to me that we are getting some info messages:

ie. local4.info  or  user.info

Can someone point me in the right direction?

Thanks.

0 Kudos
5 Replies
MauroBonder
VMware Employee
VMware Employee
‎02-07-2012 08:37 AM

Look if this kb help http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=100479...

*Please, don't forget the awarding points for "helpful" and/or "correct" answers. *Por favor, não esqueça de atribuir os pontos se a resposta foi útil ou resolveu o problema.* Thank you/Obrigado
0 Kudos
usulsuspct
Contributor
Contributor
‎02-07-2012 09:00 AM

So that KB has me change the host and vpx logging level via the same advanced config options that I have already tried:

config.HostAgent.log.level

Vpx.Vpxa.config.log.level

Unfortunately that does not seem to have much affect on limiting the number of entries that get sent to syslog.  I did reboot - my host to make sure all necesarry agents / services were restarted.

Jason

0 Kudos
JonesytheGreate
Contributor
Contributor
‎04-19-2012 08:03 AM

I have the same problem.  Did you find a resolution?

0 Kudos
usulsuspct
Contributor
Contributor
‎04-20-2012 05:12 AM

No I have not...still chatty as ever.

0 Kudos
JonesytheGreat
Enthusiast
Enthusiast
‎05-14-2012 06:39 AM

I opened up a ticket with VMware and this is what we did.

First, make sure that for each ESXi host you go to "Configuration --> Advanced Settings --> Config --> HostAgent --> log.  Then set the confighostagent.log.level to warning.  Also set Vpx.Vpxa.config.log.level to warning.

When looking at my syslog server (Orion) we noticed that there were still a lot of messages coming through.  Apparently Orion was not tagging the messages properly because what was being sent from VMware was a warning message, but Orion was reading it as informational.  We ended up just filtering from the Orion side .

Not really the answer I wanted, but it at least works for now.

Matt

0 Kudos