Solved: Lockdown mode and logging

thomps01 · ‎08-03-2011

Hi,

I use the vMA for all my logging on a number of ESX and ESXi hosts. Basically using the vilogger feature.

I just noticed that if I enable lockdown mode on the ESXi hosts then logging is blocked.

I understand why this is becasue only the vpxa user can login, but how are people capturing log files centrally now?

lamw · ‎08-03-2011

This is just standard syslog, it has nothing to do with lockdown mode .... syslog server can be on Windows or Linux, doesn't matter.

The reason vi-logger does not work with lockdwown mode is it utilizes the vSphere API via vi-admin service account on vMA, when lockdown mode is enabled, ALL accounts are disabled except for vpxa (vCenter Agent) account to manage the ESXi host. Syslog bypasses all this which is what is recommended for shipping your logs to a remote system

View solution in original post

jamesbowling · ‎08-03-2011

Looks like this is by design and can't be circumvented without disabling lockdown mode:

http://www.virtuallyghetto.com/2011/02/esxi-lockdown-mode-does-not-play-nice.html

James B. | Blog: http://www.vSential.com | Twitter: @vSential --- If you found this helpful then please awards helpful or correct points accordingly. Thanks!

thomps01 · ‎08-03-2011

I understand that but surley there must be another way of capuring these log files when lockdown mode is enabled.

It seems mad.

I know that vCenter 5 will include a logging appliance which I guess is intended to help here but in the mean time are people simply not using central logging if they decide to use lockdown mode?

jamesbowling · ‎08-03-2011

One could only assume. I know that most of the deployments I have seen that are using vilogger are not utilizing lockdown mode.

James B. | Blog: http://www.vSential.com | Twitter: @vSential --- If you found this helpful then please awards helpful or correct points accordingly. Thanks!

lamw · ‎08-03-2011

Yes there is another way, you need to setup a syslog server and configure your ESXi host to forward the system logs to your syslog server.

If you're using vi-logger today on vMA 4, get ready to retire it when vMA 5 is released. The vi-logger functionality will no longer be available and will be depercated. I also wrote about alternatives which is either setting up the new syslog collector in vSphere 5 or syslog server on vMA 5 - http://www.virtuallyghetto.com/2011/07/free-linux-windows-syslog-alternatives.html

thomps01 · ‎08-03-2011

Thanks,

So what you're saying is that a Winows syslog server can have the logs 'pushed' to it from ESXi even in lockdown mode?

lamw · ‎08-03-2011

This is just standard syslog, it has nothing to do with lockdown mode .... syslog server can be on Windows or Linux, doesn't matter.

The reason vi-logger does not work with lockdwown mode is it utilizes the vSphere API via vi-admin service account on vMA, when lockdown mode is enabled, ALL accounts are disabled except for vpxa (vCenter Agent) account to manage the ESXi host. Syslog bypasses all this which is what is recommended for shipping your logs to a remote system

thomps01 · ‎08-03-2011

Excellent thanks.

I shall stop using vilogger and replace this with some form of syslog server then.

Is splunk any good and will this work ok?

jamesbowling · ‎08-03-2011

Splunk is OK. I know of quite a few people that use it and have no regrets. I personally like using just a typical syslog server but if you want the analytics and other capabilities of reporting ease then sure.

James B. | Blog: http://www.vSential.com | Twitter: @vSential --- If you found this helpful then please awards helpful or correct points accordingly. Thanks!

All

Lockdown mode and logging