
How to forward other VCSA 6.5 logs to remote syslog server?

02.09.2017 by William Lam // 6 Comments

As mentioned in my previous article (which I strongly recommend you review before continuing further), the VCSA 6.5 no longer uses syslog-ng as the syslog client; it has been replaced with rsyslog. This means the instructions outlined in my old article here are no longer valid for forwarding logs from a VCSA 6.5 system to a remote syslog server. Luckily, the process to forward logs within VCSA 6.5 is also pretty straightforward using rsyslog.

Disclaimer: This is not officially supported by VMware; please use at your own risk. For very large environments, forwarding additional logs can potentially impact the vCenter Server service, so be careful about which logs you decide to forward and test in a lab environment before applying this across your environment.

To provide a concrete example, I will use a real-world scenario that customers often ask about: auditing vSphere Web Client login successes and failures, as well as SSO user creation, deletion and password changes. The following two log files provide this information, and we will forward them to our syslog server:

  • /var/log/vmware/sso/ssoAdminServer.log - Auditing SSO logins
  • /var/log/vmware/sso/vmware-identity-sts.log - Auditing SSO user changes

We will be making use of the rsyslog Text File Input Module (imfile), which allows us to process local log files in the VCSA.

Step 1 - SSH to the VCSA or PSC and open /etc/rsyslog.conf for editing.

Step 2 - Add the following entry towards the top of the file, which will load the imfile module:

$ModLoad imfile

Step 3 - Add the following right below the "###### Rule declarations ######" section of the rsyslog configuration file and then save your changes.

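# First monitored file; each file needs its own $InputRunFileMonitor
$InputFileName /var/log/vmware/sso/ssoAdminServer.log
$InputFileTag ssoAdminServer
$InputFileStateFile ssoAdminServer
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

# Second monitored file
$InputFileName /var/log/vmware/sso/vmware-identity-sts.log
$InputFileTag ssoIdentitySts
$InputFileStateFile ssoIdentitySts
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor

# Check the monitored files for new lines every 20 seconds (default is 10)
$InputFilePollInterval 20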

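Using $InputFileName we specify the log file that we want to forward. $InputFileTag is the appname that will show up when the entry is forwarded to your remote syslog server, and $InputFileStateFile names the state file that rsyslog uses to keep track of its position in the log. $InputFileSeverity and $InputFileFacility set the syslog severity and facility assigned to every line read from the file, and $InputRunFileMonitor activates monitoring for the file described by the directives before it. Rather than polling every 10 seconds, which is the default if you leave the setting out, I have changed $InputFilePollInterval to 20 seconds. You can find the complete list of imfile options and descriptions in the rsyslog documentation here.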

Step 4 - Lastly, we just need to restart the rsyslog service in the VCSA for the changes to go into effect by running the following command:

systemctl restart rsyslog

If everything was configured successfully, we should start to see entries from both ssoAdminServer.log (ssoAdminServer) and vmware-identity-sts.log (ssoStsIdmd) in our syslog server.
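
A legacy imfile stanza is only activated by its own $InputRunFileMonitor, so a file declared without one is silently never read. The following is an added example, not part of the original post, that lints a configuration for that mistake before rsyslog is restarted; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint legacy imfile directives.
# Reports every $InputFileName and whether a $InputRunFileMonitor activates it
# before the next $InputFileName or the end of the file.

lint_imfile() {  # $1 = path to an rsyslog configuration file
    awk '
        function report() {
            if (file != "") {
                printf "%s %s tag=%s\n", (active ? "OK" : "UNMONITORED"), file, (tag == "" ? "-" : tag)
                if (!active) bad++
            }
            file = ""; tag = ""; active = 0
        }
        /^[ \t]*#/                                 { next }  # skip comment lines
        $1 == "$ModLoad" && $2 == "imfile"         { loaded = 1 }
        $1 == "$InputFileName"                     { report(); file = $2 }
        $1 == "$InputFileTag"                      { tag = $2 }
        $1 == "$InputRunFileMonitor" && file != "" { active = 1; report() }
        END {
            report()
            if (!loaded) { print "MISSING $ModLoad imfile"; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: two files declared, but only one $InputRunFileMonitor.
sample_config() {
    cat <<'EOF'
$ModLoad imfile
$InputFileName /var/log/vmware/sso/ssoAdminServer.log
$InputFileTag ssoAdminServer
$InputFileStateFile ssoAdminServer

$InputFileName /var/log/vmware/sso/vmware-identity-sts.log
$InputFileTag ssoIdentitySts
$InputFileStateFile ssoIdentitySts
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePollInterval 20
EOF
}

conf=$(mktemp)
sample_config > "$conf"
lint_imfile "$conf" || echo "lint failed: fix the stanzas above before restarting rsyslog"
rm -f "$conf"
```

On the appliance the function would be pointed at /etc/rsyslog.conf; rsyslog's own syntax check, rsyslogd -N1, is a useful second step before the restart.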

Here is an example screenshot of my vRealize Log Insight instance showing an SSO user's password being modified which is captured as part of the ssoAdminServer.log file:


Here is an example screenshot of my vRealize Log Insight instance showing a failed SSO user login which is captured as part of the identity-sts.log file:


Something to be aware of is that some of the logs found in the VCSA may span multiple lines per entry when ingested by the remote syslog server. Below is an example of the ssoAdminServer.log which was not structured for remote syslog consumption. For readability, you may want to filter on the appname if you want to look for all entries from a particular log file.


Comments

  1. Schorschi says

    02/17/2017 at 6:14 pm

    Seeing the following in the log server...
    Feb 18 02:07:04 vpsc rsyslogd-2212 imfile: no files configured to be monitored - no input will be gathered [v8.15.0 try http://www.rsyslog.com/e/2212 ]

  2. Schorschi says

    02/21/2017 at 9:31 am

    Also see this error sometimes...

    rsyslog.service: Failed with result 'start-limit'

    This does not always happen but service restart rsyslog fails to start when the above happens. Can't seem to find a way to resolve the issue.

  3. Schorschi says

    02/21/2017 at 10:15 am

    More information...
    # systemctl restart rsyslog
    Job for rsyslog.service failed because the control process exited with error code. See "systemctl status rsyslog.service" and "journalctl -xe" for details.
    # systemctl status rsyslog.service
    ● rsyslog.service - System Logging Service
    Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
    Active: failed (Result: start-limit) since Tue 2017-02-21 13:01:50 EST; 29s ago
    Docs: man:rsyslogd(8)
    http://www.rsyslog.com/doc/
    Process: 27049 ExecStart=/usr/sbin/rsyslogd -n $RSYSLOGD_PARAMS (code=exited, status=1/FAILURE)
    Main PID: 27049 (code=exited, status=1/FAILURE)

    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Failed with result 'exit-code'.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Service hold-off time over, scheduling restart.
    Feb 21 13:01:50 [redacted]systemd[1]: Stopped System Logging Service.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Start request repeated too quickly.
    Feb 21 13:01:50 [redacted]systemd[1]: Failed to start System Logging Service.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Unit entered failed state.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Failed with result 'start-limit'.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Start request repeated too quickly.
    Feb 21 13:01:50 [redacted]systemd[1]: Failed to start System Logging Service.
    Feb 21 13:01:50 [redacted]systemd[1]: rsyslog.service: Failed with result 'start-limit'.

  4. Ademtek says

    09/20/2017 at 2:54 pm

    Is the remote syslog in the VAMI UI configurable with the REST API?

  5. Asep Ruspeni says

    11/03/2017 at 12:05 am

    Hi,

    Where do we input the IP address for the syslog server?

  6. Adrian says

    08/09/2018 at 6:18 am

    Hi,
    I see logs being sent to our Syslog server but they only seem to be informational events. And not auth success/fail. Thoughts?
