Sam30
Enthusiast
Enthusiast

VMware syslog collector

Jump to solution

After setting up remote syslog collector, I see only one type of log file as syslog.log for all ESXi hosts.

What all logs does it hold as generally if are checking the logs locally on an ESXi we look for hostd.log, vmkernel.log, vmkwarning.log & so on ?

So where are all these logs in syslog.log which is coming remotely ?

0 Kudos
1 Solution

Accepted Solutions
tedg_vCrumbs
Enthusiast
Enthusiast

Yes it is combining your logs into the syslog.log file you are looking at for each host.

I can confirm from a quick look at mine-

vobd

vpxa

vmkernal

hostd

fdm

vmkwarning

rhttpproxy

snmpd

hostd-probe

I too have looked for the same document that you have and went off this information in the past.  Indicating that all log files are included.

"To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk, and to send the logs across the network to a syslog server."

-----

VMware KB: Location of ESXi 5.1 and 5.5 log files

ESXi 5.1 Host Log Files

Logs for an ESXi 5.1 host are grouped according to the source component:

  • /var/log/auth.log: ESXi Shell authentication success and failure.

  • /var/log/dhclient.log: DHCP client service, including discovery, address lease requests and renewals.

  • /var/log/esxupdate.log: ESXi patch and update installation logs.

  • /var/log/lacp.log: Link Aggregation Control Protocol logs.

  • /var/log/hostd.log: Host management service logs, including virtual machine and host Task and Events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections.

  • /var/log/hostd-probe.log: Host management service responsiveness checker.

  • /var/log/rhttpproxy.log: HTTP connections proxied on behalf of other ESXi host webservices.

  • /var/log/shell.log: ESXi Shell usage logs, including enable/disable and every command entered. For more information, seevSphere 5.5 Command-Line Documentation and Auditing ESXi Shell logins and commands in ESXi 5.x (2004810).

  • /var/log/sysboot.log: Early VMkernel startup and module loading.

  • /var/log/boot.gz: A compressed file that contains boot log information and can be read using zcat /var/log/boot.gz|more.

  • /var/log/syslog.log: Management service initialization, watchdogs, scheduled tasks and DCUI use.

  • /var/log/usb.log: USB device arbitration events, such as discovery and pass-through to virtual machines.

  • /var/log/vobd.log: VMkernel Observation events, similar to vob.component.event.

  • /var/log/vmkernel.log: Core VMkernel logs, including device discovery, storage and networking device and driver events, and virtual machine startup.

  • /var/log/vmkwarning.log: A summary of Warning and Alert log messages excerpted from the VMkernel logs.

  • /var/log/vmksummary.log: A summary of ESXi host startup and shutdown, and an hourly heartbeat with uptime, number of virtual machines running, and service resource consumption. For more information, see Format of the ESXi 5.0 vmksummary log file (2004566).

  • /var/log/Xorg.log: Video acceleration.

------

VMware KB: Configuring syslog on ESXi 5.x and 6.0

VMware vSphere ESXi 5.x and 6.0 hosts run a syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk, and to send the logs across the network to a syslog server.

Retention, rotation and splitting of logs received and managed by a syslog server are fully controlled by that syslog server. ESXi 5.x and 6.0 cannot configure or control log management on a remote syslog server. For more information, see the documentation for the syslog server.

Regardless of the additional syslog configuration specified using these options, logs continue to be placed on the default locations on the ESXi host. For more information, see Location of ESXi 3.5-4.1 log files (1021801).

Previous version of vSphere ESXi are configured differently. For more information, see Enabling syslog on ESXi 3.5 and 4.x (1016621).

If vSphere Syslog Collector will be used to receive logs from ESXi hosts, see Install or Upgrade vSphere Syslog Collector section in the vSphere Installation and Setup Guide.

------ tedg Don't forget to mark posts as helpful or correct if they deserve it!

View solution in original post

0 Kudos
8 Replies
tedg_vCrumbs
Enthusiast
Enthusiast

The system logs from each host write to the same syslog file - preferably in a unique directory per host.

------ tedg Don't forget to mark posts as helpful or correct if they deserve it!
0 Kudos
Sam30
Enthusiast
Enthusiast

Yeah but what about vmkernel.log hostd.log, vmkwarning.?

I guess it's just transferring the syslog.log from the host & not other logs ?

0 Kudos
tedg_vCrumbs
Enthusiast
Enthusiast

No, it is transferring the logs you mention.

What does your centralized syslog data look like?

You should see entries like the screen shot and each line states which log file the data came from.

Examples from an autolab.

<166>2014-11-06T15:37:59.953Z host1.lab.local Vpxa:

<182>2014-11-06T15:38:00.013Z host1.lab.local vmkernel

<166>2014-11-06T15:37:59.955Z host1.lab.local Hostd:

------ tedg Don't forget to mark posts as helpful or correct if they deserve it!
Sam30
Enthusiast
Enthusiast

okay so its combining all the logs into one file called syslog.log ? I see syslog.log files for each host.

Do we know what all logs it combines in that one file ?

I was trying to find a KB or a blog post which could tell me the logs which are contained in syslog.log but couldn't find any.

0 Kudos
tedg_vCrumbs
Enthusiast
Enthusiast

Yes it is combining your logs into the syslog.log file you are looking at for each host.

I can confirm from a quick look at mine-

vobd

vpxa

vmkernal

hostd

fdm

vmkwarning

rhttpproxy

snmpd

hostd-probe

I too have looked for the same document that you have and went off this information in the past.  Indicating that all log files are included.

"To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk, and to send the logs across the network to a syslog server."

-----

VMware KB: Location of ESXi 5.1 and 5.5 log files

ESXi 5.1 Host Log Files

Logs for an ESXi 5.1 host are grouped according to the source component:

  • /var/log/auth.log: ESXi Shell authentication success and failure.

  • /var/log/dhclient.log: DHCP client service, including discovery, address lease requests and renewals.

  • /var/log/esxupdate.log: ESXi patch and update installation logs.

  • /var/log/lacp.log: Link Aggregation Control Protocol logs.

  • /var/log/hostd.log: Host management service logs, including virtual machine and host Task and Events, communication with the vSphere Client and vCenter Server vpxa agent, and SDK connections.

  • /var/log/hostd-probe.log: Host management service responsiveness checker.

  • /var/log/rhttpproxy.log: HTTP connections proxied on behalf of other ESXi host webservices.

  • /var/log/shell.log: ESXi Shell usage logs, including enable/disable and every command entered. For more information, seevSphere 5.5 Command-Line Documentation and Auditing ESXi Shell logins and commands in ESXi 5.x (2004810).

  • /var/log/sysboot.log: Early VMkernel startup and module loading.

  • /var/log/boot.gz: A compressed file that contains boot log information and can be read using zcat /var/log/boot.gz|more.

  • /var/log/syslog.log: Management service initialization, watchdogs, scheduled tasks and DCUI use.

  • /var/log/usb.log: USB device arbitration events, such as discovery and pass-through to virtual machines.

  • /var/log/vobd.log: VMkernel Observation events, similar to vob.component.event.

  • /var/log/vmkernel.log: Core VMkernel logs, including device discovery, storage and networking device and driver events, and virtual machine startup.

  • /var/log/vmkwarning.log: A summary of Warning and Alert log messages excerpted from the VMkernel logs.

  • /var/log/vmksummary.log: A summary of ESXi host startup and shutdown, and an hourly heartbeat with uptime, number of virtual machines running, and service resource consumption. For more information, see Format of the ESXi 5.0 vmksummary log file (2004566).

  • /var/log/Xorg.log: Video acceleration.

------

VMware KB: Configuring syslog on ESXi 5.x and 6.0

VMware vSphere ESXi 5.x and 6.0 hosts run a syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk, and to send the logs across the network to a syslog server.

Retention, rotation and splitting of logs received and managed by a syslog server are fully controlled by that syslog server. ESXi 5.x and 6.0 cannot configure or control log management on a remote syslog server. For more information, see the documentation for the syslog server.

Regardless of the additional syslog configuration specified using these options, logs continue to be placed on the default locations on the ESXi host. For more information, see Location of ESXi 3.5-4.1 log files (1021801).

Previous version of vSphere ESXi are configured differently. For more information, see Enabling syslog on ESXi 3.5 and 4.x (1016621).

If vSphere Syslog Collector will be used to receive logs from ESXi hosts, see Install or Upgrade vSphere Syslog Collector section in the vSphere Installation and Setup Guide.

------ tedg Don't forget to mark posts as helpful or correct if they deserve it!

View solution in original post

0 Kudos
Sam30
Enthusiast
Enthusiast

Yeah I see those Thanks

When I configure the syslog collector, The only thing I can mention is the number of logs & size of logs for log rotation but is there a way I can mention to keep the logs for say 30days & then start overwriting ?

0 Kudos
tedg_vCrumbs
Enthusiast
Enthusiast

No

it is being discussed here as well.

VMware - Log / Syslog way to keep logs for a define time period - Need Serious input.

------ tedg Don't forget to mark posts as helpful or correct if they deserve it!
Sam30
Enthusiast
Enthusiast

Thanks Ted

0 Kudos