Forwarding vCenter Server Logs to a Syslog Server

08.01.2012 by William Lam // 24 Comments

I was recently asked if it was possible to forward vCenter Server logs to a regular syslog server and, if so, how difficult it would be to set up. I had researched this topic several years back, but did not find an ideal solution, as vCenter Server was only available on the Windows platform and vCenter Server itself did not provide any syslogging capabilities. With the release of vSphere 5.0, VMware introduced the VCSA (vCenter Server Appliance), and I realized I had never revisited this question for the VCSA.

After a bit of digging, I found that the VCSA comes installed with syslog-ng by default, which is used to provide the vSphere Syslog Collector functionality as well as the local syslog client for the VCSA itself. Given this information, it was pretty trivial to source the local /var/log/vmware/vpx/vpxd.log (a symlink to the latest vCenter Server log), as well as other important vCenter logs, and automatically forward them to a remote syslog server.

VCSA Syslog Configuration

You will need to edit the following configuration file on the VCSA - /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

# vpxd source log
source vpxd {
       file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));
};

# Remote Syslog Host
destination remote_syslog {
       udp("172.30.0.45" port (514));
};

# Log vCenter Server vpxd log remotely
log {
        source(vpxd);
        destination(remote_syslog);
};

Note: If you are interested in more details about "sourcing" a local log, take a look at this article here which I used as a reference.

Once you have saved the configuration file, you just need to restart the syslog client by running the following command:

service syslog restart

If you log in to your remote syslog server, you should now see that your VCSA is forwarding its vpxd logs over. Pretty simple, right? 🙂 You can of course forward other vCenter Server logs by adding additional source files. The key is that there is a symlink that automatically points to the latest log file, which you map as the source file.
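
A pre-restart check for the configuration above, as an added example that is not part of the original post: it reports log paths that reference an undefined source or destination, and lists udp() destinations, since syslog over UDP is unencrypted, unauthenticated and can lose messages silently. The names lint_syslog_ng and sample_conf are invented for this example, and the sample configuration is constructed.

```bash
#!/bin/bash
# Added example (not from the original post): lint syslog-ng.conf before a restart.

# Constructed sample: the article's vpxd source and destination, plus a log
# path naming a source ("vcsa") that the file never defines.
sample_conf() {
cat <<'EOF'
source vpxd {
       file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
};
destination remote_syslog {
       udp("172.30.0.45" port (514));
};
#destination logserver { udp("10.10.10.10" port(514)); };
log {
        source(vpxd);
        source(vcsa);
        destination(remote_syslog);
};
EOF
}

# lint_syslog_ng [FILE]: print one finding per line; return 1 when a log path
# references a source or destination that is not defined in the file.
lint_syslog_ng() {
    local conf defs refs ref rc=0
    conf=$(sed 's/#.*//' "$@")   # strip comments (assumes no "#" inside strings)

    # Definitions: "source NAME {" or "destination NAME {" -> "source:NAME"
    defs=$(printf '%s\n' "$conf" |
        grep -oE '(source|destination)[[:space:]]+[A-Za-z0-9_.-]+[[:space:]]*[{]' |
        sed -E 's/[[:space:]]*[{]$//; s/[[:space:]]+/:/')

    # References inside log paths: "source(NAME)" -> "source:NAME"
    refs=$(printf '%s\n' "$conf" |
        grep -oE '(source|destination)[[:space:]]*\([[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*\)' |
        sed -E 's/[[:space:]]//g; s/\(/:/; s/\)//' | sort -u)

    for ref in $refs; do
        if ! printf '%s\n' "$defs" | grep -qxF -- "$ref"; then
            echo "undefined ${ref%%:*}: ${ref#*:}"
            rc=1
        fi
    done

    # udp() destinations send plaintext, unauthenticated datagrams that can be
    # dropped without any error on the sender; report them for review.
    printf '%s\n' "$conf" | awk '
        /^[ \t]*destination[ \t]+/   { name = $2; sub(/[{].*/, "", name) }
        name != "" && /udp[ \t]*[(]/ { print "udp destination: " name }
        /[}][ \t]*;/                 { name = "" }'
    return "$rc"
}

sample_conf | lint_syslog_ng || true
```

Run it against the real file with lint_syslog_ng /etc/syslog-ng/syslog-ng.conf; a non-zero return means a log path would reference something the file does not define.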

I am sure many of you are probably asking: what about vCenter Server for Windows? Well, I did also look into a similar solution, but it's a bit more complex than just adding a few configuration entries.

Windows vCenter Server Syslog Configuration

Disclaimer: This is not supported by VMware, please use at your own risk.

There are a few challenges with the Windows version: by default there are no syslog clients installed and there is no automatic symlink to the latest vCenter Server log. Having said that, you can still get the above solution working using the free syslog-ng, but it takes a few more steps. The solution will be leveraging Cygwin, so we can run the free version of syslog-ng on a Windows system.

Step 1 - Install Cygwin and configure the syslog-ng service on your vCenter Server as described in this article. You will need to add an additional package, "Admin/Cron", which will be used in the subsequent steps. In the example, I ran syslog-ng under the default system account, but if you need to run it under a different user, you may find these two articles to be helpful:

  • http://linux.subogero.com/894/cron-on-cygwin/
  • http://www.davidjnice.com/articles/cygwin_cron-service.html

Step 2 - Just as before, we will need to edit /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

# vpxd source log
source vpxd {
       file("/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs/vpxd.log" follow_freq(1) flags(no-parse));
};

# Remote Syslog Host
destination log_additional_remote_syslog {
       udp("172.30.0.45" port (514));
};

# Log vCenter Server vpxd log remotely
log {
        source(vpxd);
        destination(log_additional_remote_syslog);
}; 

You will notice that this time we are accessing the Windows C drive by using the /cygdrive path.

Step 3 - As mentioned earlier, there is no symlink that points to the latest vCenter Server log, which makes it difficult to map to a static log file. What we can do is identify the latest vpxd-#.log and automatically create a symlink to it, which is what syslog-ng monitors to forward the log. We will be using a cronjob and a very simple shell script.

You can place the script in the current home directory /home/Administrator (or whatever default user you happen to have installed Cygwin on).

Here is the shell script which I have called latest.sh:

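#!/bin/bash
# Point vpxd.log at the newest uncompressed vpxd-#.log so syslog-ng can follow one fixed path.

VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs"
# Newest by modification time; the anchored pattern skips .gz archives
LATEST=$(ls -tr "${VC_LOG_PATH}/" | grep -E '^vpxd-[0-9]+\.log$' | tail -1)

# No rotated log found: leave any existing link untouched
if [ -z "${LATEST}" ]; then
        exit 0
fi

if [ ! -e "${VC_LOG_PATH}/vpxd.log" ]; then
        touch "${VC_LOG_PATH}/vpxd.log"
fi

ln -sf "${VC_LOG_PATH}/${LATEST}" "${VC_LOG_PATH}/vpxd.log"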

Make sure to set the script to be executable: chmod +x latest.sh

Step 4 - Create a cronjob which will run every minute (you might be able to set a longer delay depending on your environment and its rotation frequency) by editing the following file /var/cron/tabs/Administrator or using crontab -e

Step 5 - Start or restart syslog-ng by running one of the following commands:

Start - cygrunsrv -S syslog-ng
Restart - cygrunsrv -E syslog-ng;cygrunsrv -S syslog-ng

If everything was successful, you should start seeing your vCenter Server logs from your Windows system being forwarded to your remote syslog server. When the latest vpxd-#.log changes, the cronjob will automatically take care of re-linking to the latest vpxd-#.log to ensure you continue forwarding your vCenter Server logs.
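
A relinker for Steps 3 and 4, added here as an example and not the author's latest.sh: it generalizes the script to any log family (vpxd, vpxd-alert), leaves the link alone when it is already correct, and swaps the link by rename so the followed path is never missing. The function name relink_latest, its return codes and the directory-as-argument invocation are assumptions of this example.

```bash
#!/bin/bash
# Added example (not the article's latest.sh): relink DIR/FAMILY.log to the
# newest DIR/FAMILY-<n>.log so syslog-ng can keep following one fixed path.
# Prints "linked <file>" or "unchanged".
# Returns 2 if no rotated log exists yet, 3 if the fixed path is a real file.

relink_latest() {
    local dir=$1 family=$2 link latest tmp
    link="$dir/$family.log"

    # Newest by mtime, like the article's ls -tr | tail -1. The anchored
    # pattern keeps "vpxd" from matching vpxd-alert-7.log or vpxd-3.log.gz.
    latest=$(ls -t "$dir" | grep -E "^${family}-[0-9]+[.]log\$" | head -n 1)
    [ -n "$latest" ] || return 2

    # Refuse to replace a regular file: it may be a live log, not our link.
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        return 3
    fi

    # Already correct: leave it alone so the follower sees no churn.
    if [ "$(readlink "$link" 2>/dev/null)" = "$dir/$latest" ]; then
        echo "unchanged"
        return 0
    fi

    # Create the new link under a temporary name and rename it into place.
    # rename() is atomic, so the followed path never disappears mid-update,
    # whereas ln -sf may remove the old link before creating the new one.
    tmp="$link.tmp.$$"
    ln -s "$dir/$latest" "$tmp" && mv -f "$tmp" "$link" && echo "linked $latest"
}

# Cron entry point (Step 4). This invocation style is an assumption of the example:
#   * * * * * /home/Administrator/latest.sh "/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs"
if [ "$#" -gt 0 ]; then
    for family in vpxd vpxd-alert; do
        relink_latest "$1" "$family" || echo "skipped $family" >&2
    done
fi
```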

As you can see, it is not as trivial to set this up for the Windows vCenter Server as it is for the VCSA, but you now have a way to centrally store all your important vCenter Server logs for archival or analysis purposes without having to manually copy them off to a remote volume.

Few additional notes:

  • I believe the paid version of syslog-ng supports file globbing, so you do not need to set up a cronjob and can just watch for all vpxd-*.log, but in this example, I went with a completely free solution.
  • You might also be able to leverage Splunk to monitor vCenter Server logs as noted in this Splunkbase entry, but I have not verified this and I am not sure if you have to pay for this feature in Splunk.
  • Here is an easier way of forwarding vCenter Server logs on Windows using Snare by Raphael Schitz.


Comments

  1. Anonymous says

    11/12/2012 at 9:34 pm

    for information

    if you remove "flags(no-parse)" in the source you obtain better format handling with correct time interpretation

    • Stu says

      12/04/2014 at 5:03 pm

      Removing it also stopped it from echoing at the remote-syslog's console (running syslog-ng v3.2 on RHEL6.4). Which was REALLY annoying given how verbose vcenter is.

  2. Anonymous says

    01/30/2013 at 10:11 pm

    In the file /etc/syslog-ng/syslog-ng.conf there exists the following:

    #destination logserver { udp("10.10.10.10" port(514)); };
    #log { source(src); destination(logserver); };

    All you need to do is replace the IP address and uncomment the lines. Of course, restart the service.

    • Árpád Kunszt says

      09/24/2013 at 7:11 am

      That is only for the OS logs, not the vCenter logs. I looked at the syslog-ng.conf and I didn't see a reference to /var/log/vmware, so the vCenter writes its own logs, not using the syslog server.

      If you want to see the vCenter logs (which is probably what you want to see) you have to source the logs as it's written above.

      The files aren't in standard syslog format so the flags(no-parse) is necessary.

  3. Clayton Dukes says

    01/02/2014 at 10:32 pm

    Hi,
    I am the author of LogZilla (a centralized syslog server).
    I've added documentation on how to properly format VCenter logs on the receiving end so that they look like real syslog events. Feel free to use it:
    https://www.assembla.com/spaces/LogZillaWiki/wiki/Properly_Formatting_VMWare_VCenter_Events

  4. Virgil (@virgilwashere) says

    05/20/2014 at 5:11 am

    More logs to include on the VCSA:

    source vcsa_more {
    file("/var/log/ldapmessages" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/ls.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/jointool.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/vsm.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/sps/sps.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vpx/cim-diag.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
    };

    source vmware-sso {
    file("/var/log/vmware/sso/ssoAdminServer.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/lookupServer.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vmdird/vdcpromo.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vmdird/vdcsetupIdu.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vmkdcd/vmkdcd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/vmware-sts-idmd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/vmware-identity-sts.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/utils/sso_servicecfg.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/utils/vi-regtool.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/sso/utils/vmware-stsd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
    };

    source vsphere-client {
    file("/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vsphere-client/logs/byUser/*protected email*" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vsphere-client/logs/byUser/noUser.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vsphere-client/logs/byUser/_unknown_user_.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vsphere-client/eventlogs/eventlog.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));

    };

    source vami {
    file("/opt/vmware/var/log/vami/vami.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    file("/opt/vmware/var/log/vami/vami-ovf.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    file("/opt/vmware/var/log/vami/vami-sfcb.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vami/vcva-web-ui.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vami/storage-page.out.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    file("/var/log/vmware/vami/cmdpool-web-ui.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
    };

    # Remote Syslog Host
    destination remote_syslog {
    udp("192.168.5.14" port (514));
    };

    log {
    source(vcsa);
    source(vcsa_more);
    source(vmware-sso);
    source(vsphere-client);
    source(vami);
    destination(remote_syslog);
    };

  5. Matjaz Antloga says

    06/06/2014 at 9:35 am

    Superb. Exactly what I needed.

    Small correction: you should delete that from syslog-ng.conf file

  6. Matjaz Antloga says

    06/06/2014 at 9:37 am

    Sorry, delete " ", it causes error when starting service

  7. Matjaz Antloga says

    06/06/2014 at 9:38 am

    [b] [/b] .... 🙂

  8. Jason says

    02/24/2016 at 6:32 am

    Do you have something like this for the View Access Point appliances? I'm trying to piece it together from this article, but so far no luck.

  9. eatinglogic says

    04/19/2016 at 2:19 pm

    This procedure doesn't seem to work for me with VCSA 6.0 U2. I'm trying to send my logs to SexiLog (ELK stack appliance for vSphere logging), but nothing seems to be getting sent. The SexiLog docs say to use the Log Insight method of sending the VCSA logs to elasticsearch/logstash as regular syslog forwarding, same method as you're showing here:

    http://www.sexilog.fr/rtfm/
    http://pubs.vmware.com/log-insight-20/index.jsp?topic=%2Fcom.vmware.log-insight.administration.doc%2FGUID-ABB7293F-5978-478D-AD57-BBC5E1E60B0E.html

    • eatinglogic says

      04/19/2016 at 2:32 pm

      It looks like they've updated their documentation with some new documentation for Log Insight 3.3 : http://pubs.vmware.com/log-insight-33/index.jsp?topic=%2Fcom.vmware.log-insight.administration.doc%2FGUID-DAF51E95-FC9C-409E-9F72-03E5D6B10A9E.html

      • Gopi says

        05/06/2016 at 6:19 am

        Did you get it working with sexilog finally? I am still trying to figure it out with 6.0

        • Gopi says

          05/06/2016 at 6:21 am

          To make it more clear, the sexilog instructions work fine with Windows vCenter 6.0. But the vCenter appliance instructions don't work. Still looking.

  10. Gopi says

    05/06/2016 at 6:45 am

    I can get the ESXi logs sent to sexilog & rsyslog (redhat7) successfully. But the vCenter appliance 6 log files will not go to either of them. I am using UDP 514 on both ESXi and vCenter Appliance. Any help here will be appreciated.

  11. Gopi says

    05/06/2016 at 7:33 am

    found the answer, http://everythingshouldbevirtual.com/logstash-vcsa-6-0

  12. Peter Ziobrzynski says

    10/25/2016 at 8:54 am

    Thanks Ghetto! Such an essential service to send logs of the most critical server in most of today's datacenters to the central syslog server. How VMware missed that for so long and now even VCSA has to be hacked to get it working.
    Just installed syslog-ng on my w2k12r2 vcenter 6u2 and here are updates for vsphere 6 on log location and syslog-ng.conf and latest.sh log link cron job. Also added one more log file to forward to the syslog - vpxd-alert.log:

    PZI-VC-1+Administrator@pzi-vc-1:/etc/syslog-ng$ cat syslog-ng.conf
    #############################################################################
    # Default syslog-ng.conf file which collects all local logs into a
    # single file called /var/log/messages.
    #

    @version: 3.2
    @include "scl.conf"

    source s_local {
    system();
    internal();
    };

    source s_vmware_vpxd1 {
    file("/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd.log" follow_freq(1));
    };
    source s_vmware_vpxd2 {
    file("/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd-alert.log" follow_freq(1));
    };

    source s_network {
    udp();
    };

    destination d_local {
    file("/var/log/messages");
    };

    destination d_network {
    udp("192.168.77.4" port(514));
    };

    log {
    source(s_local);

    # uncomment this line to open port 514 to receive messages
    #source(s_network);
    destination(d_network);
    };

    log {
    source(s_vmware_vpxd1);
    source(s_vmware_vpxd2);

    # uncomment this line to open port 514 to receive messages
    #source(s_network);
    #destination(d_local);
    destination(d_network);
    };

    PZI-VC-1+Administrator@pzi-vc-1:~$ cat latest.sh
    #!/bin/bash
    set -x

    #VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs"
    VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx"

    LATEST=$(ls -tr "/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/" | grep "vpxd-[0-9]*.log" | grep -v ".gz" | tail -1)
    LATESTA=$(ls -tr "/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/" | grep "vpxd-alert-[0-9]*.log" | grep -v ".gz" | tail -1)

    if [ ! -e "${VC_LOG_PATH}/vpxd.log" ]; then
    touch "${VC_LOG_PATH}/vpxd.log"
    fi
    ln -sf "${VC_LOG_PATH}/${LATEST}" "${VC_LOG_PATH}/vpxd.log"

    if [ ! -e "${VC_LOG_PATH}/vpxd-alert.log" ]; then
    touch "${VC_LOG_PATH}/vpxd-alert.log"
    fi
    ln -sf "${VC_LOG_PATH}/${LATESTA}" "${VC_LOG_PATH}/vpxd-alert.log"

  13. Schorschi says

    01/31/2017 at 10:36 am

    Can you update this blog to qualify it for vCSA 6.5? It appears much has changed, the documented steps do not appear to be applicable to vCSA 6.5?

  14. Tiara says

    09/24/2017 at 10:58 pm

    I add the SSO log in syslog-ng.conf, but it doesn't work, is there any suggestion?
