Greetings all! Hoping for some guidance on this? We noticed "gaps" in our LogInsight data from our VCSA appliances and seems it has at-least something to do with which protocol we selected (TLS, TCP, UDP, RELP) in the VAMI setup. Curious on which one (and port) we should be using to send syslog data from VCSA/PSCs to loginsight? I understand, generically, the differences between TCP/TLS/UDP/RELP-- I'm just curious what folks are using when considering it's a fairly large environment (1000+ hosts)
Also, in digging in further, we see there's two different syslog options in vCenter itself. Can someone tell us the difference?
Just curious what the difference here is and if both should be checked/enabled/true?
Thanks in advance!
Hi,
When selecting protocols, you could take a look at how a VMware Validated Design is configured:
Decision ID | Design Decision | Design Justification | Design Implication |
SDDC-OPS-LOG-028 | Communicate with the syslog clients, such as ESXi, vCenter Server, NSX for vSphere, using the default syslog UDP protocol. |
|
|
Source: Collecting Logs in vRealize Log Insight
You can of course use TCP or TLS instead.
config.log.outputToSyslog is for sending vpxd.log to your syslog.
We've seen TCP and/or TLS result in the syslog daemon crashing or needing a bounce every once in a while... im just curious for folks using RELP-- if there's much success with it over TCP? Also, I don't see any typical port people use with RELP? Does it require changes to the VCSA firewalls?