Changing VMware ESXi settings to enable centralized logging is a straightforward process that can help you avoid...
losing ESXi syslog messages after a problem occurs in your data center. If the default settings are not changed, the locally-stored logs may not be available if the host encounters a problem and will clear after a reboot – leaving you without valuable log information.
More on VMware ESXi syslog
Forwarding event logs to a centralized logging system for compliance
Collecting diagnostic data and logging for VMware environments.
Storing VMware ESXi syslog events on a remote Linux server
I have already described how to set up a centralized logging host to secure VMware ESXi syslog events on a remote Linux server. Now, you need to instruct ESXi hosts to send all log messages to that remote host.
Finding and changing ESXi syslog preferences
You can access ESXi syslog messages from the vSphere Client interface in two ways. The Eventstab on a selected host shows all events that were logged, including the target host to which the events were logged. After opening a log message from the interface, you can see event details, including related events, which may help you find out what happened.
Another interface to the log messages is available via the View > Administration menu. In there, you'll find the System Logs option, which permits access to three log files on the selected host:
- /var/log/hostd.log: You can find messages that are specific to the host;
- /var/log/vmkernel.log: This file houses messages that are generated by the vmkernel; and
- /var/log/vpxa.log: This file contains log messages from the vCenter agent.
It might not always be clear which log file will contain the information you’re looking for. But there are only three relevant files, so it shouldn’t be too difficult to find the messages for specific events.
To configure the settings to enable centralized logging, use the vSphere Client to select an ESXi host. From there, select the Configuration tab. Next, click Advanced Settings, which opens a window with multiple advanced settings that relate to the ESXi host you've selected. From there, click Syslog to see options that apply to logging events on your computer.
By default, ESXi stores all its logs to localhost, which is the local machine itself. To specify the name of a remote log host, select Syslog.global.logHost from the Syslog main menu entry and specify the uniform resource identifier (URI) of where the messages need to be sent. In this URI, specify the protocol (Transmission Control Protocol or User Diagram Protocol), followed by the host name or address and the associated port number (e.g., udp://192.168.1.62:514). After changing this parameter, click OK to activate it. From this moment on, host will send messages to the remote syslog host for centralized logging purposes.
Other ESXi syslog options
Most of the other parameters that you'll find under the Advanced > Syslog tab relate to logging settings for the local host. One useful parameter is Syslog.global.logDirUnique, located directly under the Syslog properties. Enable this option to create a separate subdirectory on the log server that is based on the host name. Creating separate subdirectories for all hosts will make it much easier to find the logs for a specific host.
There are some other ESXi syslog related options under the global and loggers sections, but these are relevant only if you handle logging locally on the ESXi service. Once you've set up remote centralized logging for your environment, you won't need to change these options.