VMware Cloud Community
OsburnM
Hot Shot

Various Syslog Questions - vSphere 6.7 & LogInsight

Greetings all! Hoping for some guidance on this? We noticed "gaps" in our LogInsight data from our VCSA appliances and it seems it has at least something to do with which protocol we selected (TLS, TCP, UDP, RELP) in the VAMI setup. Curious on which one (and port) we should be using to send syslog data from VCSA/PSCs to LogInsight? I understand, generically, the differences between TCP/TLS/UDP/RELP-- I'm just curious what folks are using when considering it's a fairly large environment (1000+ hosts).

[Attached image: 1.jpg]

Also, in digging in further, we see there are two different syslog options in vCenter itself. Can someone tell us the difference?

[Attached image: 2.jpg]

Just curious what the difference here is and if both should be checked/enabled/true?

Thanks in advance!

2 Replies
MartinGustafsso
VMware Employee

Hi,

When selecting protocols, you could take a look at how a VMware Validated Design is configured:

Decision ID: SDDC-OPS-LOG-028

Design Decision: Communicate with the syslog clients, such as ESXi, vCenter Server, NSX for vSphere, using the default syslog UDP protocol.

Design Justification:

  • Using the default UDP syslog protocol simplifies configuration for all syslog sources.
  • UDP syslog protocol is the most common logging protocol that is available across products.
  • UDP has a lower performance overhead compared to TCP.

Design Implication:

  • If the network connection is interrupted, the syslog traffic is lost.
  • UDP syslog traffic is not secure.
  • UDP syslog protocol does not support reliability and retry mechanisms.

Source: Collecting Logs in vRealize Log Insight

You can of course use TCP or TLS instead.

config.log.outputToSyslog is for sending vpxd.log to your syslog.

OsburnM
Hot Shot

We've seen TCP and/or TLS result in the syslog daemon crashing or needing a bounce every once in a while... I'm just curious for folks using RELP-- if there's much success with it over TCP? Also, I don't see any typical port people use with RELP? Does it require changes to the VCSA firewalls?

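To put numbers on the "gaps" the thread describes before changing transport, the sketch below flags per-source silences in received syslog data. It is an added example, not code from any poster or from VMware; it assumes the collected messages can be exported as RFC 5424-framed text lines, and the hostnames, threshold values and sample messages are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME ...
HEADER = re.compile(r"^<\d{1,3}>1 (\S+) (\S+) ")

def find_gaps(lines, factor=5, floor=timedelta(seconds=60)):
    """Map each host to the (last_seen, next_seen) pairs where it was silent
    longer than max(floor, factor * its median inter-arrival time)."""
    seen = defaultdict(list)
    for line in lines:
        m = HEADER.match(line)
        if not m:
            continue  # not RFC 5424 framed; ignore rather than guess
        stamp = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        seen[m.group(2)].append(stamp)
    gaps = {}
    for host, stamps in seen.items():
        stamps.sort()  # UDP gives no ordering guarantee
        pairs = list(zip(stamps, stamps[1:]))
        if not pairs:
            continue  # a single message gives no interval to judge
        limit = max(floor, factor * median(b - a for a, b in pairs))
        silent = [(a, b) for a, b in pairs if b - a > limit]
        if silent:
            gaps[host] = silent
    return gaps

def sample_line(host, clock):
    # Constructed sample message, not real vCenter output.
    return f"<14>1 2024-05-01T{clock}Z {host} vpxd 1234 - - constructed sample"

# Constructed input: vcsa01 goes quiet for about 11 minutes, psc01 stays steady.
SAMPLE = (
    [sample_line("vcsa01.example.test", c) for c in
     ("10:00:00", "10:00:10", "10:00:20", "10:00:30", "10:12:00", "10:12:10")]
    + [sample_line("psc01.example.test", c) for c in
       ("10:00:05", "10:04:05", "10:08:05", "10:12:05")]
)

if __name__ == "__main__":
    for host, silent in find_gaps(SAMPLE).items():
        for start, end in silent:
            print(f"{host}: no messages between {start} and {end}")
```

Silence alone does not distinguish dropped UDP datagrams from an idle or stalled source, so compare each flagged window against the appliance's local log files for the same period.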