VMware Cloud Community
smt_smt
Contributor

Syslog severity when redirecting to a syslog server (ESXi 5.5)

Hi everyone,

I am struggling with some problems related to syslog severity. There is no problem redirecting syslogs to a remote server. However, I cannot apply a severity filter when redirecting. Moreover, I cannot find any documentation on this topic for ESXi 5.5.

I do not want to receive logs below the warning level, because when I cannot apply a severity filter, info and debug messages are written to the database in large numbers. Over a long period this will cost me in storage and query time.

I have found some files that may cause those info types. I changed these files (<logLevel> info </logLevel> to error or warning), but I still cannot solve my problem. Well... I'm sure there is a simple solution for this, but I am far away from it.

So I need help with syslog severity.

Thanks.

0 Kudos
6 Replies
JarryG
Expert

IMHO this is generally a task for the log collector (central log server). It is also quite logical: keeping log filters updated and consistent over the whole network is much easier done in one place (the log server) than writing/distributing/synchronising/checking log filters on all log senders. One disadvantage might be needless network traffic (if the receiving log server discards some logs), but as logs are generally small, the advantages of central single-point log management are of higher importance.

_____________________________________________ If you found my answer useful please do *not* mark it as "correct" or "helpful". It is hard to pretend being noob with all those points! 😉
0 Kudos
smt_smt
Contributor

Thanks for the reply,

Actually, we have a syslog collector that works integrated with the log server. For other Linux machines (SUSE, Red Hat, CentOS) I can send logs that are higher than warning level. The same configuration can also be handled in ESX 3.5 or 4.

Simply, it is just like:

*.warning @<ip_or_host_name>

In this case I can also prevent possible network traffic problems (caused by info or debug logs). What I want to do is apply a filter while sending logs to the server (like what I did on the other Linux machines).

0 Kudos
JarryG
Expert

I just suppose the log server on ESXi is not as feature-rich as, e.g., syslog-ng. You know, ESXi 5.x is a really "light-weight" hypervisor. Everything not absolutely necessary for its primary function (virtualizing the underlying hardware) is stripped down to the bare minimum, or cut off completely. It has a minimal memory footprint and only a very basic set of tools. You cannot compare it to ESX 3.5/4, or even a full-featured Linux server...

smt_smt
Contributor

One thing that I just realised is that when I make a change to a file (such as vmware/hostd/default-config.xml), like changing 'default log' verbose to none, after a reboot the file is loaded in its unchanged form. So it is as if the change cannot be made. Does it load some custom files after every reboot? I think if I solve this weird issue in some way, I may solve the problem.

Now it is the end of the shift. I will check the answers, but I will not be able to apply changes on the machine.

0 Kudos
JarryG
Expert

This is a well-known "feature" of ESXi: most of the changes you make in config files are non-persistent (do not survive a reboot). One solution I'm aware of is using /etc/rc.local.d/local.sh

This file is one of the few that survive a reboot. So simply put all the commands you need inside (e.g. for shell-scripted file editing):

#! /bin/ash

/bin/echo "whatever" > /path/to/your/file

0 Kudos
smt_smt
Contributor

The reason why I performed a reboot was that the command 'esxcli system syslog reload' is not working, and the services.sh restart command does not apply these changes. About your advice, forgive me, because I did not understand it exactly. Let's say I want to change a string in the middle of the code in a file. For instance,

<!-- default logging -->

<logLevel> verbose </logLevel> to <logLevel> error </logLevel>

How can I use /etc/rc.local.d/local.sh?

And lastly, is there any possibility to stop the config files from being reloaded? I mean, any chance for them to remain in the changed state?

(By the way, I connect with SSH.)

0 Kudos
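
The edit asked about in the last post, written as a shell function that /etc/rc.local.d/local.sh could call. This is an added example, not code from the thread; the function name set_default_loglevel and the file path argument are assumptions, and it relies on the comment sitting on its own line before the element, as in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. set_default_loglevel is a
# hypothetical helper name; the config file path is an argument because the
# thread does not give a full path.
#
# Assumes the layout shown in the post: the "default logging" comment sits on
# its own line, followed by the <logLevel> element.
#
# Returns: 0 changed or already set, 1 file problem, 2 level not accepted,
#          3 comment/element pair not found.
set_default_loglevel() {
    file=$1
    level=$2
    [ -f "$file" ] || return 1
    case "$level" in
        none|error|warning|info|verbose) ;;  # level names used in the thread
        *) return 2 ;;                       # never pass free text into sed
    esac
    range='/<!-- default logging -->/,/<\/logLevel>/'
    tmp="$file.tmp.$$"
    # Substitute only between the comment and the first closing tag after it,
    # so other <logLevel> elements in the file are left alone.
    sed "$range s|<logLevel>[^<]*</logLevel>|<logLevel>$level</logLevel>|" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Confirm the edit landed before touching the real file.
    if ! sed -n "${range}p" "$tmp" | grep -q "<logLevel>$level</logLevel>"; then
        rm -f "$tmp"
        return 3
    fi
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"                         # already at the requested level
        return 0
    fi
    [ -f "$file.orig" ] || cp "$file" "$file.orig"  # keep one pristine copy
    cat "$tmp" > "$file" && rm -f "$tmp"     # overwrite in place, keep mode
}

# Line to place in /etc/rc.local.d/local.sh after defining the function
# (placeholder path, as in the reply above):
# set_default_loglevel /path/to/your/file error
```

Because the function is idempotent and keeps a single .orig copy, it can run on every boot without piling up backups, and a non-zero return shows that the file layout no longer matches what the script expects.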