VMware Cloud Community
BBB36
Enthusiast

Enable syslog and ports in ESXi firewall after configuring syslog.

The script below enables syslog on an ESXi host (server, port, protocol) but it does not actually enable syslog in the ESXi firewall. I have searched here but have somehow been unable to find a script that can do that. Can someone please help improve upon this script to do that? Thank you.

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $sLog = @{
        loghost = 'tcp://server.com:1514'
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    $old = $esxcli.system.syslog.config.get.Invoke()
    if($esxcli.system.syslog.config.set.Invoke($sLog)){
        New-Object -TypeName PSObject -Property ([ordered]@{
            vCenter = ([uri]$esx.ExtensionData.Client.ServiceUrl).Host
            VMHost = $esx.Name
            SyslogOld = $old.RemoteHost
            SyslogNew = $esxcli.system.syslog.config.get.Invoke().RemoteHost
        })
    }
    else {
        Write-Error "Syslog configuration failed on $($esx.Name)"
    }
} | Export-Csv -Path "c:\file.csv" -NoTypeInformation -UseCulture
LucD
Leadership

Did you try adding a line like this?

Get-VMHostFirewallException -VMHost $esx -Name Syslog |
Set-VMHostFirewallException -Enabled:$True


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

BBB36
Enthusiast

Thank you @LucD . I was able to add that to the script and it worked, however the export had empty rows. Also, I believe a reload command is needed after updating the syslog server and port, and also the syslog ESXi firewall to prevent having to reboot. So I added more lines to the script. I am currently getting the following error when I run it, and I have tried various things but am still getting similar errors:

At line:29 char:3
+         $esxcli.network.firewall.refresh.Invoke(@{rulesetid='syslog'; ...
+         ~~~~~~~
Missing closing ')' after expression in 'if' statement.
    + CategoryInfo          : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : MissingEndParenthesisAfterStatement

 Below is the script. I basically want it to perform the reloads I mentioned above, and also if possible, export the new firewall ruleset value as well. Thanks. 

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $sLog = @{
        loghost = 'tcp://server.com:1514'
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    $old = $esxcli.system.syslog.config.get.Invoke()
    $old2 = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid='syslog'}) 
    if($esxcli.system.syslog.config.set.Invoke($sLog)){
	$esxcli.system.syslog.reload.invoke($sLog)
		if(($esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid='syslog'; enabled=$true}))
		$esxcli.network.firewall.refresh.Invoke(@{rulesetid='syslog'; enabled=$true})
			New-Object -TypeName PSObject -Property ([ordered]@{
				vCenter = ([uri]$esx.ExtensionData.Client.ServiceUrl).Host
				VMHost = $esx.Name
				SyslogOld = $old.RemoteHost
				SyslogNew = $esxcli.system.syslog.config.get.Invoke().RemoteHost
				FirewallRulesetNew = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid='syslog'}).RemoteHost
				})
			}
		}
     else{
        Write-Error "Syslog configuration failed on $($esx.Name)"
} | Export-Csv -Path "c:\file.csv" -NoTypeInformation -UseCulture

 

LucD
Leadership

There are a couple of misaligned parentheses and a missing curly brace.
This seems to be working for me syntax-wise.

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
        $sLog = @{
            loghost = 'tcp://server.com:1514'
        }
        $esxcli = Get-EsxCli -VMHost $esx -V2
        $old = $esxcli.system.syslog.config.get.Invoke()
        $old2 = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'syslog' }) 
        if ($esxcli.system.syslog.config.set.Invoke($sLog)) {
            $esxcli.system.syslog.reload.invoke($sLog)
            if ($esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid = 'syslog'; enabled = $true })){
                $esxcli.network.firewall.refresh.Invoke(@{rulesetid = 'syslog'; enabled = $true })
                New-Object -TypeName PSObject -Property ([ordered]@{
                        vCenter            = ([uri]$esx.ExtensionData.Client.ServiceUrl).Host
                        VMHost             = $esx.Name
                        SyslogOld          = $old.RemoteHost
                        SyslogNew          = $esxcli.system.syslog.config.get.Invoke().RemoteHost
                        FirewallRulesetNew = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'syslog' }).RemoteHost
                    })
            }
        }
    else {
        Write-Error "Syslog configuration failed on $($esx.Name)"
    }
 } | Export-Csv -Path "c:\file.csv" -NoTypeInformation -UseCulture

  


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference

BBB36
Enthusiast

Thank you. The script appeared to update the syslog settings and enabled the syslog firewall service, but it displayed the output below in red:

Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
At H:\Files\Scripts\vSphere\syslog\esxi-syslog-configure.ps1:27 char:13
+             $esxcli.system.syslog.reload.invoke($sLog)
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], FormatException
    + FullyQualifiedErrorId : System.FormatException
 
Index (zero based) must be greater than or equal to zero and less than the size of the argument list.
At H:\Files\Scripts\vSphere\syslog\esxi-syslog-configure.ps1:29 char:17
+ ...             $esxcli.network.firewall.refresh.Invoke(@{rulesetid = 'sy ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [], FormatException
    + FullyQualifiedErrorId : System.FormatException
 

 Also, the report generated but only had the "FirewallRulesetNew" column, which was empty. Then I noticed that it didn't have a FirewallRulesetOld column so I added it to the script but it still failed with the same error, although it now has that column in the report and it too is empty. Could this just be that there's no way to properly display the syslog ruleset value?

LucD
Leadership

There are a couple of mistakes in there.
The reload and refresh methods do not require arguments.
You should stop the returned Booleans from entering your CSV by redirecting the result to Out-Null.
The firewall list method only has a Name and Enabled property in the returned object.

Get-VMHost -PipelineVariable esx |
ForEach-Object -Process {
    $sLog = @{
        loghost = 'tcp://server.com:1514'
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    # Capture the current syslog target and firewall ruleset state for the report
    $old = $esxcli.system.syslog.config.get.Invoke()
    $old2 = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'syslog' })
    if ($esxcli.system.syslog.config.set.Invoke($sLog)) {
        # reload takes no arguments; Out-Null keeps the returned Boolean out of the CSV
        $esxcli.system.syslog.reload.Invoke() | Out-Null
        if ($esxcli.network.firewall.ruleset.set.Invoke(@{rulesetid = 'syslog'; enabled = $true })) {
            # refresh takes no arguments either
            $esxcli.network.firewall.refresh.Invoke() | Out-Null
            New-Object -TypeName PSObject -Property ([ordered]@{
                    vCenter            = ([uri]$esx.ExtensionData.Client.ServiceUrl).Host
                    VMHost             = $esx.Name
                    SyslogOld          = $old.RemoteHost
                    SyslogNew          = $esxcli.system.syslog.config.get.Invoke().RemoteHost
                    FirewallRulesetOld = $old2.Enabled
                    FirewallRulesetNew = $esxcli.network.firewall.ruleset.list.Invoke(@{rulesetid = 'syslog' }).Enabled
                })
        }
    }
    else {
        Write-Error "Syslog configuration failed on $($esx.Name)"
    }
} | Export-Csv -Path "c:\file.csv" -NoTypeInformation -UseCulture

 


 


Blog: lucd.info  Twitter: @LucD22  Co-author PowerCLI Reference
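
A variant of the script above, added here as an example and not posted by anyone in the thread: it writes one row per host even when a step fails, so a host that is still not forwarding logs shows up in the CSV instead of being silently absent, and it only changes hosts whose settings differ. The `$Target` variable and the `Status` column are assumptions of this example; the esxcli calls are the ones used in the thread.

```powershell
# Added example: audit-and-remediate pass that always emits one row per host.
# Assumes an existing Connect-VIServer session; $Target reuses the thread's sample value.
$Target = 'tcp://server.com:1514'

Get-VMHost -PipelineVariable esx | ForEach-Object -Process {
    $row = [ordered]@{
        VMHost             = $esx.Name
        SyslogOld          = $null
        SyslogNew          = $null
        FirewallRulesetOld = $null
        FirewallRulesetNew = $null
        Status             = 'Unchanged'
    }
    try {
        $esxcli = Get-EsxCli -VMHost $esx -V2 -ErrorAction Stop
        $fwArgs = @{ rulesetid = 'syslog' }

        $row.SyslogOld          = $esxcli.system.syslog.config.get.Invoke().RemoteHost
        $row.FirewallRulesetOld = $esxcli.network.firewall.ruleset.list.Invoke($fwArgs).Enabled

        # Only touch the host when the log target differs from the expected one
        if ($row.SyslogOld -ne $Target) {
            if (-not $esxcli.system.syslog.config.set.Invoke(@{ loghost = $Target })) {
                throw 'syslog config set returned false'
            }
            $esxcli.system.syslog.reload.Invoke() | Out-Null
            $row.Status = 'Remediated'
        }
        # Compare as text so the check holds whether Enabled comes back as Boolean or string
        if ("$($row.FirewallRulesetOld)" -ne 'true') {
            if (-not $esxcli.network.firewall.ruleset.set.Invoke(@{ rulesetid = 'syslog'; enabled = $true })) {
                throw 'firewall ruleset set returned false'
            }
            $esxcli.network.firewall.refresh.Invoke() | Out-Null
            $row.Status = 'Remediated'
        }

        # Read both settings back from the host rather than trusting the set calls
        $row.SyslogNew          = $esxcli.system.syslog.config.get.Invoke().RemoteHost
        $row.FirewallRulesetNew = $esxcli.network.firewall.ruleset.list.Invoke($fwArgs).Enabled
        if ($row.SyslogNew -ne $Target -or "$($row.FirewallRulesetNew)" -ne 'true') {
            $row.Status = 'Mismatch after change'
        }
    }
    catch {
        $row.Status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
} | Export-Csv -Path 'c:\file.csv' -NoTypeInformation -UseCulture
```

Filtering the resulting CSV on any `Status` other than `Unchanged` or `Remediated` gives the list of hosts whose logs are not reaching the collector.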

BBB36
Enthusiast

Thank you as usual @LucD . The script works by specifying TRUE or FALSE for FirewallRulesetOld and FirewallRulesetNew now. Sincerely appreciated!
