I think I found the answer by myself...
Logs for an ESXi 5.0 host are grouped according to the source component:
/var/log/auth.log: ESXi Shell authentication success and failure.
/var/log/dhclient.log: DHCP client service, including discovery, address lease requests and renewals.
/var/log/esxupdate.log: ESXi patch and update installation logs.
/var/log/hostd.log: Host management service logs, including virtual machine and host Task and Events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections.
/var/log/shell.log: ESXi Shell usage logs, including enable/disable and every command entered.
/var/log/sysboot.log: Early VMkernel startup and module loading.
/var/log/syslog.log: Management service initialization, watchdogs, scheduled tasks and DCUI use.
/var/log/usb.log: USB device arbitration events, such as discovery and pass-through to virtual machines.
/var/log/vob.log: VMkernel Observation events, similar to
/var/log/vmkernel.log: Core VMkernel logs, including device discovery, storage and networking device and driver events, and virtual machine startup.
/var/log/vmkwarning.log: A summary of Warning and Alert log messages excerpted from the VMkernel logs.
/var/log/vmksummary.log: A summary of ESXi host startup and shutdown, and an hourly heartbeat with uptime, number of virtual machines running, and service resource consumption. For more information,
When we send this to a remote syslog server, you will see only one file, "syslog.log", which actually contains entries from all the files listed above. So that means syslog.log is the one-stop place for all your ESXi 5 logs.
Experts: Please correct me if this finding is not correct.
Is the /var/log/syslog.log different from the syslog.log that I see on the syslog connector server or scratch location?
Also, is this the same case with ESX 4.1 servers? Is it true that we have to configure hostd and vpxa to send messages to syslog.log manually?
The destination syslog server probably just uses "syslog.log" as the default filename for the syslog stream, so yes, it is different.
If you want to split the resulting logfile then you could filter by keywords on the destination syslog server, similar to how it's done here:
I'm not sure about 4.1 but I think it should work the same way.
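
The keyword filtering suggested in the reply above, as an added example (not code from this thread or from VMware): a Python splitter that sorts a combined syslog stream into per-host, per-component groups by program tag. The line layout, the tag names in `TAG_TO_FILE` and the sample lines are assumptions; check them against what your hosts actually send.

```python
import re
from collections import defaultdict

# Assumed layout: optional <PRI>, timestamp, host, "tag[pid]:", message.
LINE_RE = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>\S+)\s+"
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9.\-]*)\s+"  # strict: safe as a directory name
    r"(?P<tag>[A-Za-z0-9_.\-]+)(?:\[\d+\])?:\s?(?P<msg>.*)$"
)

# Assumed tag -> file mapping (keys lower-cased); adjust to the tags your hosts send.
TAG_TO_FILE = {
    "hostd": "hostd.log",
    "vpxa": "vpxa.log",
    "vmkernel": "vmkernel.log",
    "vmkwarning": "vmkwarning.log",
    "shell": "shell.log",
    "sshd": "auth.log",
}
FALLBACK = "syslog.log"
UNPARSED = "_unparsed"  # cannot collide with a hostname accepted by LINE_RE


def split_stream(lines):
    """Return {host: {filename: [lines]}} for a combined syslog stream."""
    out = defaultdict(lambda: defaultdict(list))
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # No parsable header (or a hostile hostname): keep the line, unsorted.
            out[UNPARSED][FALLBACK].append(line)
            continue
        name = TAG_TO_FILE.get(m.group("tag").lower(), FALLBACK)
        out[m.group("host")][name].append(line)
    return out


# Constructed sample lines, not captured from a real host.
SAMPLE = [
    "<166>2012-03-01T10:15:30.123Z esx01.example.test Hostd: task event",
    "<166>2012-03-01T10:15:31.001Z esx01.example.test Vpxa: agent heartbeat",
    "<181>2012-03-01T10:15:32.500Z esx01.example.test vmkernel: cpu0:2048)device found",
    "<38>2012-03-01T10:15:33.000Z esx02.example.test sshd[4321]: authentication failure",
    "<14>2012-03-01T10:15:34.000Z esx02.example.test shell[5000]: command entered",
    "<14>2012-03-01T10:15:35.000Z esx02.example.test crond[77]: scheduled task",
    "garbage without header",
]
```

Because the hostname comes from the network, it is validated before being used as a grouping key; a writer that turns these groups into directories and files should rely on that same check.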