2 Replies Latest reply on Aug 14, 2019 11:19 AM by OsburnM

    Various Syslog Questions - vSphere 6.7 & LogInsight

    OsburnM Enthusiast

      Greetings all!  Hoping for some guidance on this. We noticed "gaps" in our LogInsight data from our VCSA appliances, and it seems to have at least something to do with which protocol we selected (TLS, TCP, UDP, RELP) in the VAMI setup.  Curious which one (and port) we should be using to send syslog data from VCSA/PSCs to LogInsight?  I understand, generically, the differences between TCP/TLS/UDP/RELP; I'm just curious what folks are using, considering it's a fairly large environment (1000+ hosts).

      [Attached image: 1.jpg]

      Also, in digging in further, we see there are two different syslog options in vCenter itself.  Can someone tell us the difference?

      [Attached image: 2.jpg]

      Just curious what the difference here is and if both should be checked/enabled/true?

       

      Thanks in advance!

        • 1. Re: Various Syslog Questions - vSphere 6.7 & LogInsight
          MartinGustafsson Hot Shot
          VMware Employees, vExpert

          Hi,

           

          When selecting protocols, you could take a look at how a VMware Validated Design is configured:

           

          Decision ID: SDDC-OPS-LOG-028

          Design Decision: Communicate with the syslog clients, such as ESXi, vCenter Server, NSX for vSphere, using the default syslog UDP protocol.

          Design Justification:
          • Using the default UDP syslog protocol simplifies configuration for all syslog sources.
          • UDP syslog protocol is the most common logging protocol that is available across products.
          • UDP has a lower performance overhead compared to TCP.

          Design Implication:
          • If the network connection is interrupted, the syslog traffic is lost.
          • UDP syslog traffic is not secure.
          • UDP syslog protocol does not support reliability and retry mechanisms.

          Source: Collecting Logs in vRealize Log Insight

           

          You can of course use TCP or TLS instead.

           

          config.log.outputToSyslog is for sending vpxd.log to your syslog.

          • 2. Re: Various Syslog Questions - vSphere 6.7 & LogInsight
            OsburnM Enthusiast

            We've seen TCP and/or TLS result in the syslog daemon crashing or needing a bounce every once in a while... I'm just curious, for folks using RELP, if there's much success with it over TCP?  Also, I don't see any typical port people use with RELP?  Does it require changes to the VCSA firewalls?