VMware Cloud Community
StephenMoll

VCSA Syslog Reporting Levels

From https://docs.vmware.com/en/VMware-vSphere/6.5/vsphere-esxi-vcenter-server-65-appliance-configuration... we get the following, concerning the syslog level that is sent by VCSA to an external Syslog server.

With the current "*" setting, we are getting far more messages than we want, and we would only really like VCSA to send Syslog messages at level "error" and above. My reading of the configuration guide suggests that setting the level to "error" won't do this. It will quite literally only allow Syslog messages at error level to be sent. This seems wrong to me, so I firstly wanted to confirm what actually happens. Will VCSA send only error syslog messages, or will it send "crit", "alert" and "emerg" ones too?

3. From the Common Log Level drop-down menu select the log files to redirect.

Option    Description
*         All log files are redirected to the remote machine.
info      Only informational log files are redirected to the remote machine.
notice    Only notices are redirected to the remote machine. Notice indicates normal but significant condition.
warn      Only warnings are redirected to the remote machine.
error     Only error messages are redirected to the remote machine.
crit      Only critical log files are redirected to the remote machine.
alert     Only alerts are redirected to the remote machine. Alert indicates that action must be taken immediately.
emerg     Only emergency log files are redirected to the remote machine. Emergency indicates that the system stopped responding and cannot be used.

If my interpretation is correct, is there a way to get VCSA to send the multiple levels required, i.e. to send all "error", "crit", "alert" and "emerg" syslog messages?

1 Solution

Accepted Solutions
StephenMoll

OK, the answer is "Yes it is".

I found time to have a tinker...

If you have nothing configured for syslog in the VSAM (vCenter Server Appliance Manager), then the syslog.conf file will be empty.

So first step: create the initial configuration in VSAM, set an address for the target syslog server, port number (514) and protocol. I used 'UDP'.

Then syslog.conf will have something like this in it:

*.* @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format

Edit syslog.conf and change the '*.*' to a list of the levels required, e.g.:

*.error;*.crit;*.alert @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format

The rsyslog service will need restarting:

systemctl restart rsyslog

If you want to test it you can do something like:

logger -p syslog.info "Info test - this won't appear at syslog server"

logger -p syslog.warn "Warn test - this won't appear at syslog server"

logger -p syslog.error "Error test - this will appear at syslog server"

logger -p syslog.crit "Crit test - this will appear at syslog server"

Warning: Do not make any changes to syslog configuration via VSAM from this point on. It will remove the manually entered configuration.

It might be a good idea to keep a copy of the syslog.conf file just in case.

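The selector field edited above, worked through as an added example (not part of the original post and not VMware or rsyslog code). It models the standard syslog.conf selector rules that rsyslog follows, in which a bare severity keyword selects that severity and everything more severe, and it goes beyond the post's case by also handling `=`, `!` and `none`; the function names are hypothetical.

```python
# Added example: a model of syslog.conf-style selector matching (not VMware code).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"error": "err", "warn": "warning", "panic": "emerg"}  # deprecated names


def sev_index(name):
    """0 = emerg (most severe) ... 7 = debug (least severe)."""
    return SEVERITIES.index(ALIASES.get(name, name))


def selector_matches(selector_field, facility, severity):
    """True if a (facility, severity) message is selected by e.g. '*.error;*.crit'.

    Selectors are applied left to right, so a later one can override an earlier one.
    """
    msg = sev_index(severity)
    selected = False
    for selector in selector_field.split(";"):
        facilities, prio = selector.strip().rsplit(".", 1)
        if facilities != "*" and facility not in facilities.split(","):
            continue
        if prio == "none":              # facility.none: drop this facility
            selected = False
            continue
        negate = prio.startswith("!")   # '!' removes the matched severities
        prio = prio.lstrip("!")
        exact = prio.startswith("=")    # '=' restricts to exactly one severity
        prio = prio.lstrip("=")
        if prio == "*":
            hit = True
        elif exact:
            hit = msg == sev_index(prio)
        else:
            hit = msg <= sev_index(prio)  # this severity and everything more severe
        if hit:
            selected = not negate
    return selected


def forwarded(rule, facility="syslog"):
    """Severities a full rule line forwards; the selector is the first field."""
    selector_field = rule.split(None, 1)[0]
    return [s for s in SEVERITIES if selector_matches(selector_field, facility, s)]


if __name__ == "__main__":
    target = " @192.168.1.1:514;RSYSLOG_SyslogProtocol23Format"  # from the post
    for sel in ("*.*", "*.error;*.crit;*.alert", "*.err", "*.=err"):
        print(f"{sel:24} -> {forwarded(sel + target)}")
```

Under these rules the post's selector list also forwards "emerg", and `*.=err` is the form that forwards error-level messages alone.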

6 Replies
StephenMoll

Is it possible to fine tune the behaviour of Syslog on VCSA 6.5 by adding a configuration to "/etc/vmware-syslog/syslog.conf"?

At the moment this appears to be completely empty? Is the file perhaps ignored anyway?


StephenMoll

Does the level of control over syslog improve (or even change at all) in VCSA v6.7?

Alfaj0r

How does one provide feedback (in the format of improved documentation) to VMware? I spent hours chasing my tail about the keyword "only" being misused, as in your pdf and this online doc: Redirect vCenter Server Appliance Log Files to Another Machine

StephenMoll

I don't know the answer to your question. I would suggest opening a topic of your own though, as people might not notice your query appended to the end of my topic.

I am at VMWorld 2018 in Las Vegas right now, so might be able to get an answer here. I think the response though is likely to be similar to the answer I got about a detail I wanted confirmed, which was to raise a support request.

sebringb

No it does not. It's the same. It appears the devs moved it out of the UI on purpose. Why, I don't know.
