From https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-appliance-configuration... we get the following, concerning the syslog level that is sent by VCSA to an external Syslog server.
With the current "*" setting, we are getting far more messages than we want, and we would only really like VCSA to send Syslog messages at level "error" and above. My reading of the configuration guide suggests that setting the level to "error" won't do this. It will quite literally only allow Syslog messages at error level to be sent. This seems wrong to me, so I firstly wanted to confirm what actually happens. Will VCSA send only error syslog messages, or will it send "crit", "alert" and "emerg" ones too?
3 From the Common Log Level drop-down menu select the log files to redirect.
Option | Description |
---|---|
* | All log files are redirected to the remote machine. |
info | Only informational log files are redirected to the remote machine. |
notice | Only notices are redirected to the remote machine. Notice indicates normal but significant condition. |
warn | Only warnings are redirected to the remote machine. |
error | Only error messages are redirected to the remote machine. |
crit | Only critical log files are redirected to the remote machine. |
alert | Only alerts are redirected to the remote machine. Alert indicates that action must be taken immediately. |
emerg | Only emergency log files are redirected to the remote machine. Emergency indicates that the system stopped responding and cannot be used. |
If my interpretation is correct, is there a way to get VCSA to send the multiple levels required I.e. to send all "error", "crit", "alert" and "emerg" syslog messages?
OK, the answer is "Yes it is".
I found time to have a tinker...
If you have nothing configured for syslog in the VSAM (vCenter Server Appliance Manager), then the syslog.conf file will be empty.
So first step create the initial configuration in VSAM, set a address for the target syslog server, port number (514) and protocol. I used 'UDP'.
Then syslog.conf will have something like this in it:
*.* @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format |
Edit syslog.conf and change the '*.*' to a list of the levels required, e.g.:
*.error;*.crit;*.alert @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format |
The rsyslog service will need restarting:
systemctl restart rsyslog |
If you want to test it you can do something like:
logger -p syslog.info "Info test - this won't appear at syslog server" logger -p syslog.warn "Warn test - this won't appear at syslog server" logger -p syslog.error "Error test - this will appear at syslog server" logger -p syslog.crit "Crit test - this will appear at syslog server" |
Warning: Do make any changes to syslog configuration via VSAM from this point on. It will remove the manually entered configuration.
It might be a good idea to keep a copy of the syslog.conf file just in case.
Is it possible to fine tune the behaviour of Syslog on VCSA 6.5 by adding a configuration to "/etc/vmware-syslog/syslog.conf"?
At the moment this appears to be completely empty? Is the file perhaps ignored anyway?
OK, the answer is "Yes it is".
I found time to have a tinker...
If you have nothing configured for syslog in the VSAM (vCenter Server Appliance Manager), then the syslog.conf file will be empty.
So first step create the initial configuration in VSAM, set a address for the target syslog server, port number (514) and protocol. I used 'UDP'.
Then syslog.conf will have something like this in it:
*.* @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format |
Edit syslog.conf and change the '*.*' to a list of the levels required, e.g.:
*.error;*.crit;*.alert @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format |
The rsyslog service will need restarting:
systemctl restart rsyslog |
If you want to test it you can do something like:
logger -p syslog.info "Info test - this won't appear at syslog server" logger -p syslog.warn "Warn test - this won't appear at syslog server" logger -p syslog.error "Error test - this will appear at syslog server" logger -p syslog.crit "Crit test - this will appear at syslog server" |
Warning: Do make any changes to syslog configuration via VSAM from this point on. It will remove the manually entered configuration.
It might be a good idea to keep a copy of the syslog.conf file just in case.
Does the level of control over syslog improve (or even change at all) in VCSA v6.7?
How does one provide feedback (in for format of improved documentation) to VMware? I spent hours chasing my tail about the keyword "only" being misused, as in your pdf and this online doc: Redirect vCenter Server Appliance Log Files to Another Machine
I don't know the answer to your question. I wound I'd suggest opening a topic of your own though as people might not notice your query appended to the end of my topic.
I am at VMWorld 2018 in Las Vegas right now, so might be able to get an answer here. I think the response though is likely to be similar to the answer I got about a detail I wanted confirmed, which was to raise a support request.
No it does not. It's the same. It appears the devs moved it out of the UI on purpose. Why, I don't know.