VMware Cloud Community
ChrisC6
Enthusiast

ESXi 7.0 Syslog

Hi All,
I have an ESXi 7 host and I am trying to set up syslog so it will log to a remote host.
I have attached a pic of my ESXi settings. There don't seem to be many steps required for setting this up, but it's not working. Does this look correct or am I missing something?

ChrisC6_0-1622555864658.png

This host is standalone, not added to any vCenter if that makes a difference.

Those were really all the steps I completed. I can ping the remote host but cannot netcat on port 514. Should I be getting a succeeded response?

The remote host is CentOS and ArcSight is being used to collect/view the logs. I am not familiar with how ArcSight works, but are there any other steps required on the ESXi side to set up syslog? Or are there any known issues with ESXi 7.0 syslog?

Commands I used:

esxcli system syslog config get
esxcli system syslog config set --loghost="udp://192.168.1.2:514"
esxcli system syslog reload

esxcli network firewall ruleset list --ruleset-id=syslog
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh


Appreciate the help

2 Replies
fabio1975
Commander

Hi

The command nc must give you a positive answer:

fabio1975_0-1622560196391.png

Are the ESXi host and the syslog server in the same network / VLAN?

Are there no other firewalls in the way?

From another PC / server, are you able to communicate on UDP port 514 of the syslog server?

 

Fabio

Visit vmvirtual.blog
If you're satisfied give me a kudos
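
The checks discussed above, collected for the ESXi shell as an added example that is not part of the original posts: it builds the netcat probe that matches the loghost transport (plain `nc -z` tests TCP only, so a `udp://` loghost needs `-u`) and then sends a marker message to look for on the collector. The helper names `parse_loghost` and `probe_cmd` are hypothetical, and the loghost value is the one from the question.

```shell
#!/bin/sh
# Added example for the ESXi shell; not from the original thread.
# LOGHOST is the value from the question; adjust it to your collector.
LOGHOST="udp://192.168.1.2:514"

# Split protocol://host:port into "proto host port".
# Returns 1 when the protocol is unsupported or the port is missing/non-numeric.
parse_loghost() {
    case $1 in
        udp://*:*|tcp://*:*|ssl://*:*) ;;
        *) return 1 ;;
    esac
    proto=${1%%://*}
    rest=${1#*://}
    host=${rest%:*}
    port=${rest##*:}
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ -n "$host" ] || return 1
    echo "$proto $host $port"
}

# Print the netcat probe that matches the loghost transport.
probe_cmd() {
    set -- $(parse_loghost "$1")
    [ $# -eq 3 ] || return 1
    case $1 in
        udp) echo "nc -z -u $2 $3" ;;
        *)   echo "nc -z $2 $3" ;;   # tcp and ssl both run over TCP
    esac
}

# Only act when run on an ESXi host.
if command -v esxcli >/dev/null 2>&1; then
    esxcli system syslog config get
    esxcli network firewall ruleset list --ruleset-id=syslog
    cmd=$(probe_cmd "$LOGHOST") && echo "probe: $cmd" && $cmd
    # UDP is connectionless: a quiet probe does not prove delivery, so send
    # a marker and look for it on the collector.
    esxcli system syslog mark --message="syslog-test $(date +%s)"
fi
```

On the collector, look for the `syslog-test` marker in the received logs to confirm end-to-end delivery.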

fabio1975
Commander

To configure my ESXi hosts I use this PowerCLI script:

# Connect first (supply -Server for your vCenter or ESXi host)
Connect-VIServer
$vmHosts = Get-VMHost
$remoteSyslog = 'udp://<syslogserver>'
$syslogPort = '514'
# Show current config
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    Get-VMHostSysLogServer -VMHost $_
}
# Set syslog config in hypervisors
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    # Build the target as a single string, e.g. udp://<syslogserver>:514
    Set-VMHostSysLogServer -SysLogServer "${remoteSyslog}:${syslogPort}" -VMHost $_
}
# Restart syslog and set the allow rules in the ESXi
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    # Fetch the esxcli interface once per host and reuse it
    $esxcli = Get-EsxCli -V2 -VMHost $_
    $esxcli.system.syslog.reload.Invoke()
    $esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid='syslog'; enabled=$true})
    $esxcli.network.firewall.refresh.Invoke()
}
# Show current config
$vmHosts | ForEach-Object {
    Write-Host $_.Name
    Get-VMHostSysLogServer -VMHost $_
}

Fabio
