<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article syslog server recommendations for ESXi?? in ESXi Documents</title>
    <link>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/ta-p/2793952</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What do you use and recommend for a syslog server??&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Because we have all Windows servers, anything we use must accommodate Windows.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Just because your company standard is Windows doesn't mean you can't do as I did and build a new VM using either the free Cent O/S or Ubuntu Linux.&amp;nbsp; If you don't have the Linux expertise in-house to do this, then I can't help you.&amp;nbsp; But many of the techs who read this forum do have Linux expertise and should find this useful.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: courier new,courier;"&gt;I have a cluster of 8 ESXi machines where I wished to retain their log messages back for a month.&amp;nbsp; The only way to do this is to write them to a remote syslog server.&amp;nbsp; I chose to use rsyslog instead because it allows me to filter the incoming messages and write them to separate files for each ESXi host.&amp;nbsp; The only downside to using rsyslog is that I found the documentation to be less than clear or complete.&amp;nbsp; Anyone who simply gives you a link to the doc page at the rsyslog site isn't doing you any favors...&lt;BR /&gt;&lt;BR /&gt;I'm no rsyslog expert.&amp;nbsp; I just got something to work well enough that I figured others might want to see it and use it themselves.&amp;nbsp; Between using Google to see what other folks have done and tweaking on my own, I've got something that works.&amp;nbsp; I don't understand all of the rsyslog syntax I'm using, but it works for me.&lt;BR /&gt;&lt;BR /&gt;I built a VM using our company standard, RHEL 5, x86_64 bit.&amp;nbsp;&amp;nbsp; What I'm doing here should work OK for 32 bit RHEL, Cent O/S and the Debian/Ubuntu Linux variants with minor changes.&lt;BR /&gt;&lt;BR /&gt;When you install RHEL, it gives you good ol' standard syslog.&amp;nbsp; You need 
to shut it off and render it mute with chkconfig, and then using yum (so I'm lazy, mark of a good sysadmin...), install rsyslog and mark it active.&lt;BR /&gt;&lt;BR /&gt;service syslog stop&lt;BR /&gt;chkconfig --level 2345 syslog off&lt;BR /&gt;yum -y install rsyslog.x86_64&lt;BR /&gt;chkconfig --level 2345 rsyslog on&lt;BR /&gt;&lt;BR /&gt;You'll need to add a ModLoad statement to /etc/rsyslog.conf so it will be listening on UDP port 514, as well as some filtering statements to sort the incoming log messages on a per machine basis.&amp;nbsp; I wanted something that would filter them based upon hostname, but I never figured that one out.&amp;nbsp; Perhaps someone smarter than me can post a note on how to do that.&amp;nbsp; I did get it to work by IP address.&amp;nbsp; My rsyslog.conf file follows:&lt;BR /&gt;&lt;BR /&gt;# cat /etc/rsyslog.conf&lt;BR /&gt;# Begin . Allow remote logging&lt;BR /&gt;&lt;BR /&gt;$ModLoad imudp.so&lt;BR /&gt;$UDPServerRun 514&lt;BR /&gt;# End . Allow remote logging&lt;BR /&gt;&lt;BR /&gt;# Use traditional timestamp format&lt;BR /&gt;$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat&lt;BR /&gt;&lt;BR /&gt;# Provides kernel logging support (previously done by rklogd)&lt;BR /&gt;$ModLoad imklog&lt;BR /&gt;# Provides support for local system logging (e.g. 
via logger command)&lt;BR /&gt;$ModLoad imuxsock&lt;BR /&gt;&lt;BR /&gt;# Log all kernel messages to the console.&lt;BR /&gt;# Logging much else clutters up the screen.&lt;BR /&gt;#kern.*&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /dev/console&lt;BR /&gt;&lt;BR /&gt;# Log anything (except mail) of level info or higher.&lt;BR /&gt;# Don't log private authentication messages!&lt;BR /&gt;*.info;mail.none;authpriv.none;cron.none&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/messages&lt;BR /&gt;&lt;BR /&gt;# The authpriv file has restricted access.&lt;BR /&gt;authpriv.*&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/secure&lt;BR /&gt;&lt;BR /&gt;# Log all the mail messages in one place.&lt;BR 
/&gt;mail.*&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -/var/log/maillog&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;# Log cron stuff&lt;BR /&gt;cron.*&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/cron&lt;BR /&gt;&lt;BR /&gt;# Everybody gets emergency messages&lt;BR /&gt;*.emerg&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; *&lt;BR /&gt;&lt;BR /&gt;# Save news errors of level crit and higher in a special file.&lt;BR 
/&gt;uucp,news.crit&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/spooler&lt;BR /&gt;&lt;BR /&gt;# Save boot messages also to boot.log&lt;BR /&gt;local7.*&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/boot.log&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.2" /var/log/vmware/esx81&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.4" /var/log/vmware/esx82&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.6" /var/log/vmware/esx83&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.8" /var/log/vmware/esx84&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.10" /var/log/vmware/esx85&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.12" /var/log/vmware/esx86&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.14" /var/log/vmware/esx87&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;:fromhost-ip, isequal, "100.100.100.16" /var/log/vmware/esx88&lt;BR /&gt;&amp;amp; ~&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;You then get this running with:&lt;BR /&gt;&lt;BR /&gt;mkdir /var/log/vmware&lt;BR /&gt;service&amp;nbsp; rsyslog&amp;nbsp; start&lt;BR /&gt;&lt;BR 
/&gt;&lt;BR /&gt;You need to configure your ESXi machines to send logs to your rsyslog server.&amp;nbsp; You do this by first selecting an ESXi machine, then going to:&lt;BR /&gt;&lt;BR /&gt;Configuration Tab -&amp;gt; Software Advanced Settings -&amp;gt; Syslog -&amp;gt; Remote &lt;BR /&gt;&lt;BR /&gt;and setting the Syslog.Remote.Hostname field.&lt;BR /&gt;&lt;BR /&gt;This will start your ESXi machine sending log messages to your rsyslog server.&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;The next thing you will want to deal with is keeping /var/log/messages clean on your rsyslog server.&amp;nbsp; The rsyslog server will write your ESXi log messages to both the file you specify in /etc/rsyslog.conf and to /var/log/messages.&amp;nbsp; This will take up twice the disk space.&amp;nbsp;&amp;nbsp; What I've done to deal with this is to add a lengthy sed statement to the daily logrotate script:&lt;BR /&gt;&lt;BR /&gt;#cat /etc/cron.daily/logrotate&lt;BR /&gt;#!/bin/sh&lt;BR /&gt;sed -i -e "/esx8/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/VMware/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/vmware/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/scripts/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/print_args/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/issue_cmd/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR 
/&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/hostCompatList/d"&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/100\.100\.100/d"&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; \&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; -e "/Vpxa/d"&amp;nbsp;&amp;nbsp;&amp;nbsp; /var/log/messages&lt;BR /&gt;/usr/sbin/logrotate /etc/logrotate.conf&lt;BR /&gt;EXITVALUE=$?&lt;BR /&gt;if [ $EXITVALUE != 0 ]; then&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; /usr/bin/logger -t logrotate "ALERT exited abnormally with [$EXITVALUE]"&lt;BR /&gt;fi&lt;BR /&gt;exit 0&lt;BR /&gt;&lt;BR /&gt;&lt;BR /&gt;You manage your log rotations in /etc/logrotate.conf&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This document was generated from the following discussion: &lt;A&gt;javascript:;&lt;/A&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Fri, 04 Mar 2011 00:47:23 GMT</pubDate>
    <dc:creator>rustbutt</dc:creator>
    <dc:date>2011-03-04T00:47:23Z</dc:date>
    <item>
      <title>syslog server recommendations for ESXi??</title>
      <link>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/ta-p/2793952</link>
      <pubDate>Fri, 04 Mar 2011 00:47:23 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/ta-p/2793952</guid>
      <dc:creator>rustbutt</dc:creator>
      <dc:date>2011-03-04T00:47:23Z</dc:date>
    </item>
    <item>
      <title>Re: syslog server recommendations for ESXi??</title>
      <link>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793953#M278</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;It is also possible to collect VMware logs in vMA.&amp;nbsp; This is especially useful if you are using ESXi because the logs are deleted when the host is restarted.&amp;nbsp; Collecting the logs using vMA or some third-party event management appliance such as LogLogic is helpful.&amp;nbsp;&amp;nbsp; &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 08 Mar 2011 19:24:23 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793953#M278</guid>
      <dc:creator>VMrOxALL</dc:creator>
      <dc:date>2011-03-08T19:24:23Z</dc:date>
    </item>
    <item>
      <title>Re: syslog server recommendations for ESXi??</title>
      <link>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793954#M279</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Just in case anyone comes on this - this doc "syslog server recommendations for ESXi??" I can only guess it works EXACTLY as is written for the OP needs.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 22 Dec 2011 19:00:59 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793954#M279</guid>
      <dc:creator>rohinkle</dc:creator>
      <dc:date>2011-12-22T19:00:59Z</dc:date>
    </item>
    <item>
      <title>Re: syslog server recommendations for ESXi??</title>
      <link>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793955#M280</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I got a central log server set up.&lt;/P&gt;&lt;P&gt;Do this:&lt;/P&gt;&lt;P&gt;&lt;A href="http://aaronwalrath.wordpress.com/2010/09/02/set-up-rsyslog-and-loganalyzer-on-centos-linux-5-5-for-centralized-logging/"&gt;http://aaronwalrath.wordpress.com/2010/09/02/set-up-rsyslog-and-loganalyzer-on-centos-linux-5-5-for-centralized-logging/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;And then this:&lt;/P&gt;&lt;P&gt;&lt;A href="http://en.tiagomarques.info/2011/03/separate-rsyslog-logging-using-database-tables/#comment-589"&gt;http://en.tiagomarques.info/2011/03/separate-rsyslog-logging-using-database-tables/#comment-589&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You will even have a great web front end to use.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 12 Jan 2012 16:07:54 GMT</pubDate>
      <guid>https://communities.vmware.com/t5/ESXi-Documents/syslog-server-recommendations-for-ESXi/tac-p/2793955#M280</guid>
      <dc:creator>onerobertone</dc:creator>
      <dc:date>2012-01-12T16:07:54Z</dc:date>
    </item>
  </channel>
</rss>

