VMware Cloud Community
Khatrima
Contributor

Sending Selected syslogs to Remote Log Server

I have ESXi Version 6.0 integrated with vCenter. I have successfully completed configuration for sending logs to remote Syslog Server. Logs are being received on remote log servers from all ESXi hosts but only "Early Init log Z <esxi-hostname> hostd-prob".

I want to send user activity logs on ESXi, such as user log-ins etc., to the remote syslog server.

Please let me know where and what to add so that I may receive all logs or selected-logs on my remote-syslog servers.

Thank you,

5 Replies
Ardaneh
Enthusiast

Hi,

When you configure remote syslog for your ESXi hosts, all logs will be sent to your syslog server by default. You can check your logger list on ESXi hosts by using this command:

"esxcli system syslog config logger list"

Could you please tell me what your syslog server is?

NathanosBlightc
Commander

Are you sure that all the syslog configurations are correct? Please check them again: Configure Syslog on ESXi Hosts

And then also give more information about your log collector server.

Please mark my comment as the Correct Answer if this solution resolved your problem
Khatrima
Contributor

Thank you for the response,

I have verified all configurations; ESXi is now sending logs to the syslog server, but I want to send only selected logs, not all logs, to the syslog server. Additionally, SSH session open/close events are not being sent to the syslog server.

The logs below are from /var/log/auth.log:

2020-01-28T08:43:27Z sshd[5152344]: Session opened for 'root' on /dev/char/pty/t3

2020-01-28T08:44:06Z sshd[5148135]: Session closed for 'root' on /dev/char/pty/t3

But these logs don't appear in /var/log/syslog.log.

Any help please?

Ardaneh
Enthusiast

If I understand your problem well, you want to exclude some logs from your ESXi hosts. The log filtering ability was introduced in vSphere ESXi 6.0, and you can filter or exclude logging expressions from the system logs.

You should add this tag "enable_logfilters = true" to the file "/etc/vmsyslog.conf", and then edit the file named "logfilters" in /etc/vmware/ to add the log expression to exclude, using this format:

numLogs | ident | logRegexp

You can find more information in this article: VMware Knowledge Base

I hope this could help you
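
The filter format from the reply above, modelled as an added example (not part of the original thread and not VMware's code) so a filter line can be checked against sample entries before it goes into /etc/vmware/logfilters and silently drops audit-relevant lines. Assumptions: the regex is searched anywhere in the message, numLogs is counted per filter line, and several idents are comma-separated; the function names and sample data are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class LogFilter:
    max_logs: int        # numLogs: matches let through before dropping (0 = drop all)
    idents: frozenset    # ident: component name(s) the filter applies to
    pattern: re.Pattern  # logRegexp: case-sensitive Python regular expression
    seen: int = 0        # matching entries counted so far

def parse_logfilters(text):
    """Parse 'numLogs | ident | logRegexp' lines, skipping blank lines."""
    filters = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # maxsplit=2 keeps any '|' alternation inside the regex intact
        num, ident, regexp = (part.strip() for part in line.split("|", 2))
        idents = frozenset(name.strip() for name in ident.split(","))
        filters.append(LogFilter(int(num), idents, re.compile(regexp)))
    return filters

def apply_filters(filter_text, entries):
    """Split (ident, message) entries into (kept, dropped) lists."""
    filters = parse_logfilters(filter_text)
    kept, dropped = [], []
    for ident, message in entries:
        drop = False
        for f in filters:
            if ident in f.idents and f.pattern.search(message):
                f.seen += 1
                drop = drop or f.seen > f.max_logs
        (dropped if drop else kept).append((ident, message))
    return kept, dropped

# Constructed filters: the second one is too broad for an audit trail.
SAMPLE_FILTERS = """0 | hostd | SOCKET connect failed
1 | sshd | Session"""

# Constructed entries; the sshd messages reuse the auth.log lines quoted in the thread.
SAMPLE_ENTRIES = [
    ("hostd", "SOCKET connect failed with errno 2"),
    ("sshd", "Session opened for 'root' on /dev/char/pty/t3"),
    ("sshd", "Session closed for 'root' on /dev/char/pty/t3"),
    ("hostd", "Task completed"),
]

if __name__ == "__main__":
    kept, dropped = apply_filters(SAMPLE_FILTERS, SAMPLE_ENTRIES)
    for ident, message in dropped:
        print("would be filtered:", ident, message)
```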

rameshwarparsad
Contributor

Did you find the solution for this?
