Now that VMware offers an ESXi only platform in vSphere 5.0, there are logging decisions to be considered which were a non-issue on the ESX platform. Particularly with boot from SAN, boot from flash, or stateless hosts where logs can’t be stored locally on the host with no scratch partition due to not having local storage. Some shops use Splunk as a Syslog server. Other bloggers such as Simon Long have identified in the past how to send logs to the vMA appliance. Centralized management of anything is almost always a good thing and the same holds true for logging.
New in the vCenter 5.0 bundle is a Syslog server which can be integrated with vCenter 5.0. I’m going to go through the installation, configuration, and then I’ll have a look at the logs.
Installation couldn’t be much easier. I’ll highlight the main steps. First launch the VMware Syslog Collector installation:
The setup routine will open Windows Firewall ports as necessary. Choose the appropriate drive letter and path installation locations. Note the second drive letter and path specifies the location of the aggregated syslog files from the hosts. Be sure there is enough space on the drive for the log files, particularly in medium to large environments:
Choose the VMware vCenter Server installation (this is not the default type of installation):
Provide the location of the vCenter Server as well as credentials to establish the connection. In this case I’m installing the Syslog server on the vCenter Server itself:
The Syslog server has the ability to accept connections on three different ports:
- UDP 514
- TCP 514
- Encrypted SSL 1514
There’s an opportunity to change the default listening ports but I’ll leave them as is, especially UDP 514 which is an industry standard port for Syslog communications:
Once the installation is finished, it’s ready to accept incoming Syslog connections from hosts. You’ll notice a few new items in the vSphere Client. First is the VMware Syslog Collector Configuration plug-in:
Next is the Network Syslog Collector applet:
It’s waiting for incoming Syslog connections:
Now I’ll a configure host to send its logs to the vCenter integrated Syslog server. This is fairly straightforward as well and there are a few ways to do it. I’ll identify two.
In the vCenter inventory, select the ESXi 5.0 host, navigate to the Configuration tab, then Advanced Settings under Software. Enter the Syslog server address in the field for Syslog.global.logHost. The format is <protocol>://<f.q.d.n>:port. So for my example: udp://vcenter50.boche.mcse:514. This field allows multiple Syslog protocols and endpoints separated by commas. I could write split the logs to additional Syslog server with this entry: udp://vcenter50.boche.mcse:514, splunk.boche.mcse, ssl://securesyslogs.boche.mcse:1514. In that example, logs are shipped to vcenter50.boche.mcse and splunk.boche.mcse over UDP 514, as well as to securesyslogs.boche.mcse over 1514. Another thing to point out on multiple entries.. there is a space after each comma which appears to be required for the host to interpret multiple entries properly:
There are many other Syslog loggers options which can be tuned. Have a look at them and configure your preferred logging appropriately.
Another method to configure and enable syslog on an ESXi 5 host would be to use esxcli. The commands for each host look something like this:
~ # esxcli system syslog config set –loghost=192.168.110.16
~ # esxcli system syslog reload
Now I’ll ensure outbound UDP 514 is opened on the ESXi 5.0 firewall. If the Syslog ports are closed, logs won’t make it to the Syslog server:
Back to the vCenter (Syslog) Server, you’ll see a folder for each host sending logs to the Syslog server:
And here come the logs:
The same logs are going to the Splunk server too:
This is what the logs look like in Splunk. It’s a very powerful tool for centrally storing logs and then querying those logs using a powerful engine:
And since this host actually has local disk, and as a result a scratch partition, the logs natively go to the scratch partition:
Notice the host I configured is also displayed in the Network Syslog Collector along with the general path to the logs as well as the size of each host’s respective log file (I’ve noticed that it sometimes requires exiting the vSphere Client and logging back in before the hosts show up below):
Earlier I mentioned that I’d show a second way to configure Syslog on the ESXi host. That method is much easier and comes by way of leveraging host profiles. Simply create a host profile and add the Syslog configuration to the profile. Of course this profile can be used to deploy the configuration to countless other hosts which makes it a very easy and powerful method to deploy a centralized logging configuration:
For more information, see VMware KB 2003322 Configuring syslog on ESXi 5.0.