Sunday, 20 December 2015

Configure Remote Syslog for ESXi host

Written by Suhas Savkoor

When you have installed and set-up an ESXi host, you would have configured a scratch location for all the host logging to go to. The configuration might have been done on the local datastore or a SAN.
You can also preserve your host logging on to a remote machine as well, configure host log rotation to retain logs for a longer time by using syslog. 

Here, I am going to configure my host logging in such a way that all the ESXi logging must go to a remote machine, in my case, a vCenter Windows machine. 

Step 1:

Installing the Syslog Collector:

From the ISO that you installed your vCenter Server, you will have an option for Syslog Collector. 

Go Next and accept the EULA

Once you go next, you get an option to configure a couple of things:

  • First, where you want the syslog collector to be installed
  • Second, where the syslog data logging to be configured to
  • Log rotation file size for the host logs which will be created in a .txt format
  • And how many log rotations to be retained. 

So basically, once the syslog text file reaches the rotate constraint, which by default is 2 MB, it will be zipped and the new logging will be done in a new text file. And 8 rotated zipped files will be retained at one time.

Choose a type of installation that is required and go Next

The default TCP and UDP port being used for syslog is 514, give a custom port if required. If you are using a custom port, then document it, as it would be necessary for configuration.

You can choose how your syslog should be identified on the network by either the vCenter IP/FQDN

Click Next > Install and Finish once the installation is complete. 

Step 2:

Once the syslog collector is installed, it is then time to configure syslog for the required ESXi host. 

Take a SSH session to the host that requires the syslog configuration to be done. Run the following command:

This will tell the current logging configuration of the ESXi host. The output is something as below:

Notice that I do not have Remote Host syslog configuration done yet. 

Next, run the following command to configure syslog to the required machine on a required protocol and port:

For udp:

For tcp:

If you are using a custom port, then specify that custom port in the above command. 

Next, Run the command to perform a syslog reload for the changes to take effect:

Now, you may need to manually open the Firewall rule set for syslog when redirecting logs. For this, we need to set a syslog rule-set in the defined firewall rules and reload the changes.

Now, let's check the directory to see if syslog is available for the host. 

The log file is created and when you review the syslog configuration for the host, you can now see the remote server IP.