VMware Cloud Community
tlyczko
Enthusiast

syslog server recommendations for ESXi??

What do you use and recommend for a syslog server??

Because we have all Windows servers, anything we use must accommodate Windows.

I know of Kiwi Syslog Server, we can only afford the free version of Splunk, any other suggestions or ideas??

Thank you, Tom

9 Replies
DSTAVERT
Immortal

Have a look through http://sourceforge.net/search/?q=syslog

-- David -- VMware Communities Moderator
tlyczko
Enthusiast

Thank you, SF was unfortunately not very helpful. :(

I will continue researching etc.

Thank you, Tom

ScottBentley
Hot Shot

Do you have vMA deployed in your environment?

As an alternative you may wish to look at using that as a logging server instead of syslog.

Simon Long has a very nice article on his blog site of how to achieve it: http://www.simonlong.co.uk/blog/2010/05/28/using-vma-as-your-esxi-syslog-server/

I hope this helps
tlyczko
Enthusiast

We will eventually have vMA/ESXi but we need to capture other logs as well.

Plus using a separate syslog server permits more flexible viewing, reporting, etc. as well as storing larger quantities of data.

Thank you, Tom

DSTAVERT
Immortal

What are you looking for? Kiwi syslog works?? There were several syslog servers for Windows on Sourceforge?? There are or have been syslog appliances on the VMware Virtual Appliance Marketplace?? Splunk has a free version??

-- David -- VMware Communities Moderator
rustbutt
Contributor

I have a cluster of 8 ESXi machines where I wished to retain their log messages back for a month.  The only way to do this is to write them to a remote syslog server.  I chose to use rsyslog instead because it allows me to filter the incoming messages and write them to separate files for each ESXi host.  The only downside to using rsyslog is that I found the documentation to be less than clear or complete.  Anyone who simply gives you a link to the doc page at the rsyslog site isn't doing you any favors...

I'm no rsyslog expert.  I just got something to work well enough that I figured others might want to see it and use it themselves.  Between using google to see what other folks have done and tweaking on my own, I've got something that works.  I don't understand all of the rsyslog syntax I'm using, but it works for me.

I built a VM using our company standard, RHEL 5, x86_64 (64-bit).  What I'm doing here should work OK for 32-bit RHEL, CentOS and the Debian/Ubuntu Linux variants with minor changes.

When you install RHEL, it gives you good ol' standard syslog.  You need to shut it off and render it mute with chkconfig, and then using yum (so I'm lazy, mark of a good sysadmin...), install rsyslog and mark it active.

service syslog stop
chkconfig --level 2345 syslog off
yum -y install rsyslog.x86_64
chkconfig --level 2345 rsyslog on

You'll need to add a ModLoad statement to /etc/rsyslog.conf so it will be listening on UDP port 514, as well as some filtering statements to sort the incoming log messages on a per machine basis.  I wanted something that would filter them based upon hostname, but I never figured that one out.  Perhaps someone smarter than me can post a note on how to do that.  I did get it to work by IP address.  My rsyslog.conf file follows:

# cat /etc/rsyslog.conf
# Begin . Allow remote logging

$ModLoad imudp.so
$UDPServerRun 514
# End . Allow remote logging

# Use traditional timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Provides kernel logging support (previously done by rklogd)
$ModLoad imklog
# Provides support for local system logging (e.g. via logger command)
$ModLoad imuxsock

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


:fromhost-ip, isequal, "100.100.100.2" /var/log/vmware/esx81
& ~
:fromhost-ip, isequal, "100.100.100.4" /var/log/vmware/esx82
& ~
:fromhost-ip, isequal, "100.100.100.6" /var/log/vmware/esx83
& ~
:fromhost-ip, isequal, "100.100.100.8" /var/log/vmware/esx84
& ~
:fromhost-ip, isequal, "100.100.100.10" /var/log/vmware/esx85
& ~
:fromhost-ip, isequal, "100.100.100.12" /var/log/vmware/esx86
& ~
:fromhost-ip, isequal, "100.100.100.14" /var/log/vmware/esx87
& ~
:fromhost-ip, isequal, "100.100.100.16" /var/log/vmware/esx88
& ~



You then get this running with:

mkdir /var/log/vmware
service rsyslog start


You need to configure your ESXi machines to send logs to your rsyslog server.  You do this by first selecting an ESXi machine, then going to:

Configuration Tab -> Software -> Advanced Settings -> Syslog -> Remote

and setting the Syslog.Remote.Hostname field.

This will start your ESXi machine sending log messages to your rsyslog server.


The next thing you will want to deal with is keeping /var/log/messages clean on your rsyslog server.  The rsyslog server will write your ESXi log messages to both the file you specify in /etc/rsyslog.conf and to /var/log/messages.  This will take up twice the disk space.   What I've done to deal with this is to add a lengthy sed statement to the daily logrotate script:

# cat /etc/cron.daily/logrotate
#!/bin/sh
sed -i -e "/esx8/d"            \
        -e "/VMware/d"          \
        -e "/vmware/d"          \
        -e "/scripts/d"         \
        -e "/print_args/d"      \
        -e "/issue_cmd/d"       \
        -e "/hostCompatList/d"  \
        -e "/100\.100\.100/d"     \
        -e "/Vpxa/d"    /var/log/messages
/usr/sbin/logrotate /etc/logrotate.conf
EXITVALUE=$?
if [ $EXITVALUE != 0 ]; then
    /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"
fi
exit 0


You manage your log rotations in /etc/logrotate.conf

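A reworked fragment of the server-side configuration, added here as an example; it is not rustbutt's file and has not been run against that cluster. It assumes the same /var/log/vmware directory and the 100.100.100.0/24 management network from the post, a server address of 100.100.100.50 (an assumption), and rsyslog's legacy $-directive syntax as shipped with RHEL 5. It names each host's file from the hostname in the message instead of hard-coding one rule per IP, and places the per-host rules ahead of the catch-all rule so the ESXi messages are not also written to /var/log/messages. The logrotate stanza at the end is likewise an added example, not part of the post.

```conf
# ---- /etc/rsyslog.conf: the parts that change (example, not the posted file) ----

# Listen for UDP syslog from the ESXi hosts. Bind to the management
# interface address (100.100.100.50 is an assumed address for this server)
# rather than 0.0.0.0 so other networks cannot reach the listener.
$ModLoad imudp
$UDPServerAddress 100.100.100.50
$UDPServerRun 514

# Accept datagrams only from the ESXi management subnet. This is filtering,
# not authentication: the source address of a UDP datagram can be forged,
# so anyone on a path that can spoof 100.100.100.x can inject log lines.
$AllowedSender UDP, 100.100.100.0/24

# Files and directories rsyslog creates from here on are not world-readable.
$CreateDirs on
$DirCreateMode 0750
$FileCreateMode 0640

# One file per sending host, named from the hostname field of the message.
# The hostname is attacker-controlled data from the network, so the
# secpath-replace option turns any "/" in it into "_" and keeps the file
# inside /var/log/vmware. Use %fromhost-ip% instead of %HOSTNAME% if you
# prefer files named by the sender's IP address, as in the posted config.
$template EsxiPerHost,"/var/log/vmware/%HOSTNAME:::secpath-replace%.log"

# These two lines must sit BEFORE the stock "*.info;mail.none;... /var/log/messages"
# rule. rsyslog evaluates rules top to bottom and "& ~" discards a message
# that matched the previous selector, so ESXi messages are written once, to
# the per-host file, and never reach /var/log/messages.
:fromhost-ip, startswith, "100.100.100." ?EsxiPerHost
& ~

# ... the unchanged stock rules (*.info;mail.none;authpriv.none;cron.none
#     /var/log/messages, authpriv.* /var/log/secure, and so on) follow here ...

# ---- /etc/logrotate.d/vmware (added file, example) ----
# Keep a month of per-host ESXi logs, compressed. rsyslog keeps writing to
# the renamed file until it is told to reopen, hence the HUP in postrotate
# (RHEL's rsyslog writes its pid to /var/run/syslogd.pid by default).
/var/log/vmware/*.log {
    daily
    rotate 31
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
```

The duplicate copy in /var/log/messages that the post works around with sed is a consequence of rule order: in the posted file the catch-all "*.info ... /var/log/messages" line runs before the per-host filters, so every ESXi message is written to messages first and only then discarded by "& ~". With the per-host block moved above the catch-all, the daily sed pass in /etc/cron.daily/logrotate can be dropped; that is worth doing anyway, because patterns such as "/scripts/d" and "/VMware/d" delete any local message containing those words, including ones you may later want for an investigation. Check a new rule set before restarting with "rsyslogd -N1" where the installed version supports it, and remember that UDP syslog carries no integrity protection: the per-host file a message lands in is decided by a source IP and a hostname string that the sender, or anyone spoofing it, chooses.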
DSTAVERT
Immortal

Welcome to the Communities.

Good first post. I would turn this into a Document. It would be very helpful.

I agree that the docs for rsyslog are not what you would call friendly. My personal preference is syslog-ng but it suffers from the same lack of clear documentation. Both are very powerful data collectors with the ability to handle logs from many different devices, routers, switches, Windows Event logs etc. Both of them are also available in commercial form for those who like support.

Again thanks for your post.

-- David -- VMware Communities Moderator
cdc1
Expert

Indeed.  Very nice post.

autoxr
Contributor

I wanted to filter the log files per VM host and edited my rsyslog.conf with the lines that were posted by rustbutt.  I tried using the fromhost-ip entry but it didn't seem to work.  I also tried using fromhost but this too didn't work.  I do get new entries in my messages log file, however.  In addition, new VM host files were created under the "vmware" folder I created.  Anyone have any suggestions?
