I was recently asked if it was possible to forward vCenter Server logs to a regular syslog server and if so, how difficult would it be to setup? I had researched this topic several years back, but did not find an ideal solution as vCenter Server was only available on the Windows platform and vCenter Server itself did not provide any syslogging capabilities. With the release of vSphere 5.0, VMware introduced the VCSA (vCenter Server Appliance) and realized I never revisited this question for the VCSA.
After a bit of digging, I found that the VCSA comes installed with syslog-ng by default which is used to provide the vSphere Syslog Collector functionality as well as the local syslog client for the VCSA itself. Given this information, it was pretty trivial to source the local /var/log/vmware/vpx/vpxd.log (symlink to latest vCenter Server log as well as other important vCenter logs) and automatically forward that to a remote syslog server.
VCSA Syslog Configuration
You will need to edit the following configuration file on the VCSA - /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):
# vpxd source log source vpxd { file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse)); file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse)); file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse)); file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse)); file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse)); }; # Remote Syslog Host destination remote_syslog { udp("172.30.0.45" port (514)); }; # Log vCenter Server vpxd log remotely log { source(vpxd); destination(remote_syslog); };
Note: If you are interested in more details about "sourcing" a local log, take a look at this article here which I used as a reference.
Once you have saved the configuration file, you just need to restart the syslog client by running the following command:
service syslog restart
If you login to your remote syslog server, you should now see that your VCSA is forwarding it's vpxd logs over. Pretty simple, right? 🙂 You can of course forward over other vCenter Server logs by adding additional source files. The main key is that there is a symlink that automatically points to the latest log file which you map as the source file.
I am sure many of you are probably asking what about vCenter Server for Windows? Well, I did also looked into a similar solution but it's a bit more complex than just adding a few configuration entries.
Windows vCenter Server Syslog Configuration
Disclaimer: This is not supported by VMware, please use at your own risk.
There are a few challenges with the Windows version, by default there are no syslog clients installed and there is no automatic symlink to the latest vCenter Server log. Having said that, you can still get the above solution working using the free syslog-ng, but it takes a few more steps. The solution will be leveraging Cygwin, so we can run the free version of syslog-ng on a Windows system.
Step 1 - Install Cygwin and configure syslog-ng service on your vCenter Server as described in this article. You will need to add an additional package which is "Admin/Cron" that will be used in the subsequent steps. In the example, I ran syslog-ng under default system account, but if you need to run it under a different user, you may find these two articles to be helpful
- http://linux.subogero.com/894/cron-on-cygwin/
- http://www.davidjnice.com/articles/cygwin_cron-service.html
Step 2 - Just as before, we will need to edit /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):
# vpxd source log source vpxd { file("/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs/vpxd.log" follow_freq(1) flags(no-parse)); }; # Remote Syslog Host destination log_additional_remote_syslog { udp("172.30.0.45" port (514)); }; # Log vCenter Server vpxd log remotely log { source(vpxd); destination(log_additional_remote_syslog); };
You will notice this time, we are accessing the Windows C drive by using the /cygdrive path
Step 3 - As mentioned earlier, there is no symlink that points to the latest vCenter Server log, which makes it difficult to map to static log file. What we can do is basically identify the latest vpxd-#.log and automatically create a symlink and that is what is being monitored by syslog-ng to forward the log. We will be using a cronjob and a very simple shell script.
You can place the script in the current home directory /home/Administrator (or whatever default user you happen to have installed Cygwin on)
Here is the shell script which I have called latest.sh:
#!/bin/bash VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs" LATEST=$(ls -tr "/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs/" | grep "vpxd-[0-9]*.log" | grep -v ".gz" | tail -1) if [ ! -e "${VC_LOG_PATH}/vpxd.log" ]; then touch "${VC_LOG_PATH}/vpxd.log" fi ln -sf "${VC_LOG_PATH}/${LATEST}" "${VC_LOG_PATH}/vpxd.log"
Make sure to set the script to be executable: chmod +x latest.sh
Step 4 - Create a cronjob which will run every minute (you might be able to set a longer delay depending on your environment and it's rotation frequency) by editing the following file /var/cron/tabs/Administrator or using crontab -e
Step 5 - Start or restart syslog-ng by running one of the following commands:
Start - cygrunsrv -S syslog-ng
Restart - cygrunsrv -E syslog-ng;cygrunsrv -S syslog-ng
If everything was successful, you should start seeing your vCenter Server logs from your Windows system forward to your remote syslog server. When the latest vpxd-#.log changes, the cronjob will automatically take care of re-linking to the latest vpxd-#.log to ensure you continue forwarding your vCenter Server logs.
As you can see, it is not trivial to set this up for the Windows vCenter Server as it is for the VCSA, but you now have a way to centrally store all your important vCenter Server logs for archival or analysis purposes without having to manually copy them off to a remote volume.
Few additional notes:
- I believe the paid version of syslog-ng supports file globbing, so you do not need to setup a cronjob and just watch for all vpxd-*.log, but in this example, I went with a completely free solution
- You might also be able to leverage Splunk to monitor vCenter Server logs as noted in this Splunkbase entry, but I have not verified and I am not sure if you have to pay for this feature in Splunk
- Here is an easier way of forwarding vCenter Server logs on Windows using Snare by Raphael Schitz.
Anonymous says
for information
if you remove "flags(no-parse)" in the source you obtain better format handling with correct time interpretation
Stu says
Removing it also stopped it from echoing at the remote-syslog's console (running syslog-ng v3.2 on RHEL6.4). Which was REALLY annoying given how verbose vcenter is.
Anonymous says
In the file /etc/syslog-ng/syslog-ng.conf there exists the following:
#destination logserver { udp("10.10.10.10" port(514)); };
#log { source(src); destination(logserver); };
All you need to do is replace the IP address and uncomment the lines. Of course, restart the service.
Árpád Kunszt says
That is only for the OS logs, not the vCenters logs. I looked at the syslog-ng.conf and I didn't saw a reference to the /var/log/vmware, so the vcenter writes it owns logs, not using the syslog server.
If you want to see the vcenters logs (which is probably you want to see) you have to source the logs as it's written above.
The files aren't in standard syslog format so the flags(no-parse) is necessary.
Clayton Dukes says
Hi,
I am the author of LogZilla (a centralized syslog server).
I've added documentation on how to properly format VCenter logs on the receiving end so that they look like real syslog events. Feel free to use it:
https://www.assembla.com/spaces/LogZillaWiki/wiki/Properly_Formatting_VMWare_VCenter_Events
Virgil (@virgilwashere) says
More logs to include on the VCSA:
source vcsa_more {
file("/var/log/ldapmessages" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vpx/ls.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vpx/jointool.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vpx/vsm.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vpx/sps/sps.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vpx/cim-diag.log" log_prefix("vcsa: ") follow_freq(1) flags(no-parse));
};
source vmware-sso {
file("/var/log/vmware/sso/ssoAdminServer.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/lookupServer.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vmdird/vdcpromo.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vmdird/vdcsetupIdu.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vmkdcd/vmkdcd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/vmware-sts-idmd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/utils/sso_servicecfg.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/utils/vi-regtool.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/sso/utils/vmware-stsd.log" log_prefix("sso: ") follow_freq(1) flags(no-parse));
};
source vsphere-client {
file("/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vsphere-client/logs/byUser/*protected email*" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vsphere-client/logs/byUser/noUser.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vsphere-client/logs/byUser/_unknown_user_.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vsphere-client/eventlogs/eventlog.log" log_prefix("vsphere-client: ") follow_freq(1) flags(no-parse));
};
source vami {
file("/opt/vmware/var/log/vami/vami.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
file("/opt/vmware/var/log/vami/vami-ovf.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
file("/opt/vmware/var/log/vami/vami-sfcb.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vami/vcva-web-ui.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vami/storage-page.out.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
file("/var/log/vmware/vami/cmdpool-web-ui.log" log_prefix("vami: ") follow_freq(1) flags(no-parse));
};
# Remote Syslog Host
destination remote_syslog {
udp("192.168.5.14" port (514));
};
log {
source(vcsa);
source(vcsa_more);
source(vmware-sso);
source(vsphere-client);
source(vami);
destination(remote_syslog);
};
Matjaz Antloga says
Superb. Exactly what I needed.
Small correction: you should delete that from syslog-ng.conf file
Matjaz Antloga says
Sorry, delete " ", it causes error when starting service
Matjaz Antloga says
[b] [/b] .... 🙂
Jason says
Do you have something like this for the View Access Point appliances? I'm trying to piece it together from this article, but so far no luck.
eatinglogic says
This procedure doesn't seem to work for me with VCSA 6.0 U2. I'm trying to send my logs to SexiLog (ELK stack appliance for vSphere logging), but nothing seems to be getting sent. The SexiLog docs say to use the Log Insight method of sending the VCSA logs to elasticsearch/logstash as regular syslog forwarding, same method as you're showing here:
http://www.sexilog.fr/rtfm/
http://pubs.vmware.com/log-insight-20/index.jsp?topic=%2Fcom.vmware.log-insight.administration.doc%2FGUID-ABB7293F-5978-478D-AD57-BBC5E1E60B0E.html
eatinglogic says
It looks like they've updated their documentation with some new documentation for Log Insight 3.3 : http://pubs.vmware.com/log-insight-33/index.jsp?topic=%2Fcom.vmware.log-insight.administration.doc%2FGUID-DAF51E95-FC9C-409E-9F72-03E5D6B10A9E.html
Gopi says
Did you get it working with sexilog finally? I am still trying to figure it out with 6.0
Gopi says
To make it more clear, the sexilog instructions works fine with Windows vCenter 6.0. But the vCenter appliance instructions doesn't work. Still looking.
Gopi says
I can get the ESXi logs send to sexilog & rsyslog (redhat7) successfully. But the vCenter appliance 6 log files will not go to either of them. I am using UDP 514 on both ESXi and vCenter Appliance. Any help here will be appreciated.
Gopi says
found the answer, http://everythingshouldbevirtual.com/logstash-vcsa-6-0
Peter Ziobrzynski says
Thanks Ghetto! Such an essential service to send logs of the most critical server in most of today's datacenters to the central syslog server. How VMware missed that for so long and now even VCSA has to be hacked to get it working.
Just installed syslog-ng on my w2k12r2 vcenter 6u2 and here are updates for vsphere 6 on log location and syslog-ng.conf and latest.sh log link cron job. Also added one more log file to forward to the syslog - pvxd-alert.log:
PZI-VC-1+Administrator@pzi-vc-1:/etc/syslog-ng$ cat syslog-ng.conf
#############################################################################
# Default syslog-ng.conf file which collects all local logs into a
# single file called /var/log/messages.
#
@version: 3.2
@include "scl.conf"
source s_local {
system();
internal();
};
source s_vmware_vpxd1 {
file("/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd.log" follow_freq(1));
};
source s_vmware_vpxd2 {
file("/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/vpxd-alert.log" follow_freq(1));
};
source s_network {
udp();
};
destination d_local {
file("/var/log/messages");
};
destination d_network {
udp("192.168.77.4" port(514));
};
log {
source(s_local);
# uncomment this line to open port 514 to receive messages
#source(s_network);
destination(d_network);
};
log {
source(s_vmware_vpxd1);
source(s_vmware_vpxd2);
# uncomment this line to open port 514 to receive messages
#source(s_network);
#destination(d_local);
destination(d_network);
};
PZI-VC-1+Administrator@pzi-vc-1:~$ cat latest.sh
#!/bin/bash
set -x
#VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/VMware VirtualCenter/Logs"
VC_LOG_PATH="/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx"
LATEST=$(ls -tr "/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/" | grep "vpxd-[0-9]*.log" | grep -v ".gz" | tail -1)
LATESTA=$(ls -tr "/cygdrive/c/ProgramData/VMware/vCenterServer/logs/vmware-vpx/" | grep "vpxd-alert-[0-9]*.log" | grep -v ".gz" | tail -1)
if [ ! -e "${VC_LOG_PATH}/vpxd.log" ]; then
touch "${VC_LOG_PATH}/vpxd.log"
fi
ln -sf "${VC_LOG_PATH}/${LATEST}" "${VC_LOG_PATH}/vpxd.log"
if [ ! -e "${VC_LOG_PATH}/vpxd-alert.log" ]; then
touch "${VC_LOG_PATH}/vpxd-alert.log"
fi
ln -sf "${VC_LOG_PATH}/${LATESTA}" "${VC_LOG_PATH}/vpxd-alert.log"
Schorschi says
Can you update this blog to qualify it for vCSA 6.5? It appears much has changed, the documented steps do not appear to be applicable to vCSA 6.5?
Tiara says
I add the SSO log in syslog-ng.conf, but it doesn't work, is there any suggestion?