I think I fould the answer by myself...
Logs for an ESXi 5.0 host are grouped according to the source component:
/var/log/auth.log: ESXi Shell authentication success and failure. /var/log/dhclient.log: DHCP client service, including discovery, address lease requests and renewals. /var/log/esxupdate.log: ESXi patch and update installation logs. /var/log/hostd.log: Host management service logs, including virtual machine and host Task and Events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections /var/log/shell.log: ESXi Shell usage logs, including enable/disable and every command entered. /var/log/sysboot.log: Early VMkernel startup and module loading. - /var/log/boot.gz: A compressed file that contains boot log information and can be read using zcat /var/log/boot.gz|more.
/var/log/syslog.log: Management service initialization, watchdogs, scheduled tasks and DCUI use. /var/log/usb.log: USB device arbitration events, such as discovery and pass-through to virtual machines. /var/log/vob.log: VMkernel Observation events, similar to vob.component.event. /var/log/vmkernel.log: Core VMkernel logs, including device discovery, storage and networking device and driver events, and virtual machine startup. /var/log/vmkwarning.log: A summary of Warning and Alert log messages excerpted from the VMkernel logs. /var/log/vmksummary.log: A summary of ESXi host startup and shutdown, and an hourly heartbeat with uptime, number of virtual machines running, and service resource consumption. For more information,
When we send this to a remote syslog server, you will see only one file "syslog.log" which actually contains entries from all the files listed above. So that means syslog.log is the one stop place for all your esxi5 logs.
Experts: Please correct me if this finding is not correct.
