Collecting ESXi Logs By rsyslog

You can use VMware Syslog Collector to organize the logs of your ESXi servers or vCenter, and you can use vRealize Log Insight to monitor and analyze those logs. But what if you don't want to use them and prefer an open-source solution, or you already have a Syslog server and want to redirect your logs to it?

In this post I want to explain the rsyslog configuration for collecting ESXi logs on a Linux machine.

As the first step, you need to install rsyslog on your Linux distribution. I'm using rsyslog 5.8 on RHEL 6.6.

The configuration is simple: find the lines below in “/etc/rsyslog.conf” and change them to match, or add them if they are missing:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

Now create a configuration file in “/etc/rsyslog.d/”, for example “/etc/rsyslog.d/esxi.conf”.

Then add the below lines to the configuration file:

#Daily Template
$template Daily,"/var/log/esxi/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%-message.log"
#Rule
:fromhost-ip, startswith, "x.x.x.x" -?Daily

Replace “x.x.x.x” with the prefix of your ESXi hosts' IP address range. The startswith filter compares the beginning of the sender's address, so the network part of the range selects every host in it.

With this, we have created a template that determines where and how the forwarded logs are stored, plus a rule that applies it to messages from your ESXi hosts.

The ESXi logs forwarded to the Syslog server will be stored in a log file like this:

/var/log/esxi/192.168.1.1/2016-08-25-message.log

You can also create other templates if you want to store your log files in a different format.

The second configuration file is loaded by the rsyslog service together with /etc/rsyslog.conf and applied to incoming logs.
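The per-host, per-day layout above also makes it easy to notice when a host stops forwarding, which is the failure a collector should alarm on. The following Python script is an added example, not part of the original post: it assumes the directory layout the Daily template produces and reports hosts whose newest daily log is older than a threshold, using a constructed sample tree of empty files.

```python
import os, re, tempfile
from datetime import date, timedelta
from ipaddress import ip_address

# File name produced by the post's "Daily" template: %$YEAR%-%$MONTH%-%$DAY%-message.log
DAILY_LOG = re.compile(r"^(\d{4})-(\d{2})-(\d{2})-message\.log$")

def latest_log_dates(base_dir):
    """Map each per-host directory (named by %fromhost-ip%) to its newest daily log date."""
    latest = {}
    for entry in os.scandir(base_dir):
        try:
            ip_address(entry.name)
        except ValueError:
            continue  # not a directory rsyslog created from a source IP
        if not entry.is_dir():
            continue
        dates = []
        for m in filter(None, map(DAILY_LOG.match, os.listdir(entry.path))):
            try:
                dates.append(date(*map(int, m.groups())))
            except ValueError:
                pass  # matched the pattern but is not a real calendar date
        latest[entry.name] = max(dates, default=None)  # None: directory but no daily log
    return latest

def find_silent_hosts(base_dir, max_age_days=1, today=None):
    """Sorted (ip, last_date_iso_or_None) pairs for hosts whose newest daily log is older than
    max_age_days: a visibility gap (wrong syslog target, blocked port 514, or tampering)."""
    today = date.fromisoformat(today) if isinstance(today, str) else (today or date.today())
    cutoff = today - timedelta(days=max_age_days)
    return sorted((ip, d.isoformat() if d else None)
                  for ip, d in latest_log_dates(base_dir).items() if d is None or d < cutoff)

def build_sample_tree():
    """Constructed sample layout (empty files, not real log data) so the check runs stand-alone."""
    base = tempfile.mkdtemp(prefix="esxi-logs-")
    sample = {"192.168.1.1": ["2016-08-24-message.log", "2016-08-25-message.log"],
              "192.168.1.2": ["2016-08-20-message.log"], "192.168.1.3": [],
              "notes": ["2016-08-25-message.log"]}  # not an IP directory: must be ignored
    for host, names in sample.items():
        os.makedirs(os.path.join(base, host))
        for name in names:
            open(os.path.join(base, host, name), "w").close()
    return base

if __name__ == "__main__":
    for ip, last in find_silent_hosts(build_sample_tree(), 1, "2016-08-25"):
        print(f"{ip}: last daily log {last or 'never'}")
```

Point it at /var/log/esxi with today's date left as the default and run it from cron to get a daily list of ESXi hosts that have gone quiet.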

I hope this post helps you collect the logs from your ESXi servers and organize them.

Davoud Teimouri

Professional blogger, vExpert 2015/2016/2017/2018/2019/2020/2021/2022/2023, vExpert NSX, vExpert PRO, vExpert Security, vExpert EUC, VCA, MCITP. This blog started with simple posts and now has a large following of readers.
