Logging is a crucial aspect of maintaining a healthy vSphere environment. Centralizing logs from vCenter and ESXi hosts on a remote syslog server can streamline monitoring and troubleshooting tasks. In this guide, we will walk you through the process of configuring remote syslog for your vSphere setup using Ubuntu as the syslog server and rsyslog as the syslog daemon.
Table of Contents
Setup rsyslog in Ubuntu
- Install rsyslog – First, ensure that rsyslog is installed on your Ubuntu server. You can install it using the following command:
sudo apt-get install rsyslog
- Start and Enable rsyslog – Start and enable the rsyslog service to ensure it runs at boot:
sudo systemctl start rsyslog sudo systemctl enable rsyslog
Configuring the rsyslog Configuration
- Edit the rsyslog Configuration File – Open the rsyslog configuration file in a text editor:
sudo nano /etc/rsyslog.conf
- Configure rsyslog to Accept Remote Logs – Uncomment or add the following lines to allow rsyslog to receive remote logs:
# Provides UDP syslog reception $ModLoad imudp $UDPServerRun 514 # Provides TCP syslog reception $ModLoad imtcp $InputTCPServerRun 514
- Configure rsyslog Template – Add the following lines to the rsyslog configuration file to specify a custom template for incoming logs:
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log" *.* ?remote-incoming-logs & ~
- Save and Restart rsyslog – Save the configuration file and restart rsyslog to apply the changes:
sudo systemctl restart rsyslog
- Set Firewall Rule – Run the below command to set the firewall rule in Ubuntu for rsyslog
sudo ufw allow 514/udp sudo ufw allow 514/tcp
Configure the Syslog for vCenter
- Log in to the VCSA management interface (https://vcsa-ip-address:5480).
- Navigate to “Configure” > “Advanced Settings.”
- Search for the “Syslog” settings.
- Enter the IP address or hostname of the remote syslog server.
- Set the protocol (UDP or TCP) and port (default is 514) to match your rsyslog configuration.
- Click “Save Settings.”
Configure the Syslog for ESXi
Configuring syslog on your ESXi host is essential for centralized log management. In this guide, we will configure syslog for ESXi using the
esxcli command-line tool. This method allows you to specify a remote syslog server and enable the necessary firewall rules for syslog traffic.
Please ensure that you have SSH access to your ESXi host before proceeding with these commands.
- Set the Syslog Server – Use the following
esxclicommand to set the syslog server to your desired remote syslog server address. Replace
192.168.0.229with the IP address of your syslog server:
esxcli system syslog config set --loghost=udp://192.168.0.229:514
- This command configures the ESXi host to send syslog messages to the specified remote server using UDP on port 514.
- Enable the Firewall Rules for Syslog – To allow syslog traffic through the ESXi firewall, use the following
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true esxcli network firewall refresh
- The first command enables the firewall ruleset named “syslog,” allowing syslog traffic.
- The second command refreshes the firewall rules to apply the changes immediately.
- Verify the Configuration – You can verify the syslog configuration by checking the current settings using the
esxcli system syslog config get
You have successfully configured syslog for your ESXi host using
esxcli commands. Syslog messages will now be sent to the specified remote syslog server, allowing you to centralize log management and enhance monitoring and troubleshooting capabilities in your virtual environment.