VMware Cloud Community
shawn_ev
Contributor

Sending logs to a remote syslog server

I am using ESXi 7.0.3. I am trying to send syslogs to a remote server on UDP 1514. I AM LIMITED TO UDP 1514 BY THE REMOTE SYSTEM. I have the syslog configurations set correctly per Configuring syslog on ESXi (2003322) (vmware.com). I can ping the remote server from the host but cannot get logs to flow. I've tried opening the syslog firewall ruleset, but that is for TCP/UDP 514 and TCP 1514. It seems ESXi is limited to opening/closing pre-defined network firewall rule sets. How can I add a firewall rule to open UDP 1514 to the remote server? Thank you for your time.

3 Replies
bmcb555
Enthusiast

Yes, it is possible; follow this KB: https://kb.vmware.com/s/article/2008226

You'll create a custom firewall service and allow it outbound on port 1514 UDP. From there configure udp:host01:1514 in your syslog settings and you should be good to go.

There are some additional workarounds at the end of the post on getting it to work with 7 and above.

shawn_ev
Contributor

Ahhh!! I have to create a new ruleset for the port. Thank you very much!!!

Edit: Seems this is not possible. I am using ESXi 7. There is a note at the top of the page that says, "With the security changes implemented in vSphere 7.0 (reference KB https://kb.vmware.com/s/article/78689) the only supported way to open up ports is through a partner-created VIB to open the ports or change the files needed."

Thank you for your help nonetheless.

bmcb555
Enthusiast

Yes, for version 7 it's a little different. Create your own XML file, e.g. udp1514.xml:

<ConfigRoot>
  <service id='0032'>
    <id>udp1514</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>1514</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Copy it into /etc/vmware/firewall and issue esxcli network firewall refresh. You won't be able to edit services.xml from version 7.

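The procedure in the reply above (write a custom ruleset XML, drop it in /etc/vmware/firewall, refresh the firewall), carried through as one script with the checks a practitioner would want afterwards. This is an added example, not code from the thread or from VMware: it generates the same ruleset shape the reply shows, validates the port, refreshes the firewall, restricts the new ruleset to the syslog server's address only (the original question asked to open the port "to the remote server", not to everything), points the ESXi syslog agent at udp://HOST:PORT, and sends a syslog mark so you can confirm at the collector that logs actually flow. SYSLOG_HOST, SERVICE_ID and the --install flag are assumptions of this script; the service id must not collide with one already defined in /etc/vmware/firewall. One caveat: a custom XML file placed in /etc/vmware/firewall is not preserved across a host reboot, so re-check the ruleset (and your log flow) after the host comes back up.

```shell
#!/bin/sh
# Added example (not from the thread or from VMware). Assumes the ESXi 7.x shell
# (busybox ash), esxcli on PATH, and root. SYSLOG_HOST and SERVICE_ID are
# placeholders: change them for your environment.

# Write a ruleset XML that allows outbound UDP to one destination port.
# Arguments: DIR SERVICE_ID RULESET_NAME PORT. Prints the path written.
write_ruleset_xml() {
    dir=$1; svc_id=$2; name=$3; port=$4
    # Reject anything that is not a number in 1..65535 before it reaches the firewall.
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    cat > "$dir/$name.xml" <<EOF
<ConfigRoot>
  <service id='$svc_id'>
    <id>$name</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
    echo "$dir/$name.xml"
}

# Install the ruleset on the host, scope it to the syslog server, point the
# syslog agent at it, and verify. Arguments: RULESET_NAME PORT SYSLOG_HOST
install_ruleset() {
    name=$1; port=$2; host=$3
    write_ruleset_xml /etc/vmware/firewall "$SERVICE_ID" "$name" "$port" >/dev/null
    esxcli network firewall refresh
    # Least privilege: allow this ruleset only toward the collector, not all IPs.
    esxcli network firewall ruleset set --ruleset-id "$name" --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id "$name" --ip-address "$host"
    # Point the ESXi syslog agent at the collector (udp://host:port form).
    esxcli system syslog config set --loghost="udp://$host:$port"
    esxcli system syslog reload
    # Verification: the ruleset is loaded/enabled, carries the rule, and is scoped.
    esxcli network firewall ruleset list --ruleset-id "$name"
    esxcli network firewall ruleset rule list --ruleset-id "$name"
    esxcli network firewall ruleset allowedip list --ruleset-id "$name"
    # Emit a marker line; look for it on the collector to confirm delivery.
    esxcli system syslog mark --message "ruleset $name: syslog test from $(hostname)"
}

SYSLOG_HOST="${SYSLOG_HOST:-syslog.example.invalid}"   # placeholder: your collector
SERVICE_ID="${SERVICE_ID:-0032}"                       # placeholder: must be unique on the host

# Only touch the host when explicitly asked: sh ./udp1514.sh --install
if [ "${1:-}" = "--install" ]; then
    install_ruleset udp1514 1514 "$SYSLOG_HOST"
fi
```

Run it as root on the host with SYSLOG_HOST set to the collector's address and the --install flag; without the flag it only defines the functions, so you can source it and call write_ruleset_xml against a scratch directory to inspect the XML first.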