ESX/VMware Syslog Collector

Installation Defaults
Install vSphere Syslog Collector to: C:\Program Files (x86)\VMware\VMware Syslog Collector\

vSphere Syslog Collector Configuration:
 * Repository directory: C:\Documents and Settings\All Users\Application Data\VMware\VMware Syslog Collector\Data\ (I like to change to C:\syslog\)
 * Size of log file before rotation: 2MB
 * Log rotations to keep: 8 (I like to change to 30)

vSphere Syslog Collector Server Port: 514 (TCP Protocol and UDP Protocol)

vSphere Syslog Collector Server SSL Port: 1514 (Secure connection (SSL))

Configure ESXi 5.0 Server
Display the existing 5 configuration options on the host using the command: esxcli system syslog config get

Default settings:
  Default Rotation Size: 1024
  Default Rotations: 8
  Log Output: /scratch/log
  Log To Unique Subdirectory: false
  Remote Host:

Set new host configuration, specifying options to change, using a command similar to:

  # reset to defaults
  for i in default-rotate default-size logdir loghost ; do esxcli system syslog config set --reset $i ; done
  esxcli system syslog config set --default-size=1024 --default-rotate=8 --logdir=/scratch/log --logdir-unique=false

Remote log hosting:

  # Get configuration
  esxcli system syslog config get

  esxcli system syslog config set --loghost=esxlogger
  # to configure remote syslog using TCP on port 514:
  # esxcli system syslog config set --loghost='tcp://10.10.47.100:514'
  # esxcli system syslog config set --loghost=10.10.47.100

  # may need to adjust the firewall too
  esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
  esxcli network firewall refresh

  # After making configuration changes, load the new configuration using the command:
  esxcli system syslog reload

Example of configured setup:

  # esxcli system syslog config get
  Local Log Output:
  Local Logging Default Rotation Size: 1024
  Local Logging Default Rotations: 8
  Log To Unique Subdirectory: false
  Remote Host: esxlogger.oeey.com

These can also be set from the GUI:
 * vSphere Client GUI > Configuration > Software > Advanced Settings > Syslog.global.logHost
 * vSphere Client GUI > Configuration > Software > Security Profile > Firewall > syslog
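
The collector above accepts plain TCP/UDP on 514 and SSL on 1514, so it is worth checking which transport each host actually uses. The following is an added example, not part of the original page: the function names and sample text are constructed here, and it assumes the ssl:// loghost scheme, comma-separated targets, and that an unset host shows as empty or <none>.

```shell
#!/bin/sh
# Added example, not from the original page: report the transport used for
# remote syslog, reading `esxcli system syslog config get` output on stdin.

# Print "<proto> <host> <port>" for one loghost spec; fail if unparseable.
# Assumptions: no scheme means UDP; a missing port means 514 (udp/tcp) or
# 1514 (ssl), the collector ports listed on this page.
parse_loghost() {
    case $1 in
        ssl://*) proto=ssl; rest=${1#ssl://}; port=1514 ;;
        tcp://*) proto=tcp; rest=${1#tcp://}; port=514 ;;
        udp://*) proto=udp; rest=${1#udp://}; port=514 ;;
        *://*)   return 1 ;;                 # unrecognised scheme
        *)       proto=udp; rest=$1; port=514 ;;
    esac
    case $rest in
        *:*) port=${rest##*:}; rest=${rest%:*} ;;
    esac
    [ -n "$rest" ] || return 1
    echo "$proto $rest $port"
}

# Print one verdict per target; return 0 only if every target uses ssl://.
audit_syslog_config() {
    hosts=$(sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p' | tr ',' ' ')
    if [ -z "$hosts" ] || [ "$hosts" = "<none>" ]; then  # "<none>" format assumed
        echo "WARN no remote host configured"
        return 1
    fi
    rc=0
    for spec in $hosts; do
        if parsed=$(parse_loghost "$spec"); then
            set -- $parsed
            if [ "$1" = ssl ]; then
                echo "OK $1 $2:$3 encrypted"
            else
                echo "WARN $1 $2:$3 plaintext"; rc=1
            fi
        else
            echo "WARN $spec unparseable"; rc=1
        fi
    done
    return $rc
}

# Constructed sample in the format of the configured setup shown above.
SAMPLE='   Log To Unique Subdirectory: false
   Remote Host: esxlogger.oeey.com,ssl://10.10.47.100:1514'
printf '%s\n' "$SAMPLE" | audit_syslog_config || true
```

On a host, pipe the real output in: esxcli system syslog config get | audit_syslog_config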

Send message:

  esxcli system syslog mark --message="this is a message"
  # normally logged to /var/log/vmkernel.log and /var/log/syslog.log and /var/log/*.log too!

You can also test sending a message with:

  nc 10.10.47.100 514
  telnet 10.10.47.100 514
  ... message ...

VCSA check service:

  /etc/init.d/syslog-collector status
  # config file:
  /etc/syslog-ng/syslog-collector.conf

References:
 * vSphere Documentation Center - Logging in vSphere 5.0
 * VMware KB: Configuring syslog on ESXi 5.0 - http://kb.vmware.com/kb/2003322