Proper logging of VMware hosts, services and application logs are becoming more and more critical these days and their usage goes beyond just troubleshooting. In many of our customer environments, extended log retention is often mandatory to satisfy auditing and compliance requirements. Support for remote syslog has been around in ESXi for quite some time and has included several enhancements over the years, however logging for vCenter Server itself has not changed much over the years. Historically, vCenter Server started out as a Windows application and outside of standard filesystem logging there is also Microsoft Event Logs which was not really all that useful. With the release of the vCenter Server Appliance (VCSA), syslog support became more attainable, at least without additional 3rd party tools.
I can even remember when I was an administrator, I had to get creative on how to forward vCenter Server logs to a remote syslog server which I had blogged about back in 2012. Though the solution works, it was not ideal especially when you are running several dozen to several hundred vCenter Server instances like many of our customers do today. When I had discovered that there was a Common Logging initiative within VMware for vSphere 6.0, I was pretty excited and I can only guess that this also put a big smile on many of our GSS folks faces š
As you can imagine this was no small undertaking, especially with the organic growth of services and applications within vCenter Server. The goal was not only to support native remote syslog but to also standardize on the location, rotation, retention of all the logs and most importantly providing a consistent time stamp of events so that an administrator or 3rd party tool can easily correlate operations across multiple VMware log files. Though complete native syslog support in vCenter Server is not 100% ready just yet, much of the plumbing and foundation has already been finished and in fact you can see some of this in the latest release VCSA 6.0.
With VCSA 6.0, there is partial support for native remote syslog which is configurable through the VMware Syslog Service under the new vCenter Server System Configuration found within the vSphere Web Client.
There are four settings that you will need to configure:
- Common Log Level - * (everything), info, notice, warn, error, crit, alert & emerg
- Host - Hostname/IP Address of a *single* remote syslog server
- Port - Port of the remote syslog server (514 for UDP & 1514 for TCP is already opened on the VCSA firewall)
- Protocol - Supports tcp, udp & tls
A restart is not required when configuring the syslog service and logs will automatically be forwarded to the remote syslog server which is quite nice. You can also view the health status of the syslog service and its connectivity to the remote syslog server by clicking onto the "Summary" view as seen in the screenshot below. For more information about the new syslog service, check out the official documentation here.
So what exactly does partial syslog support really mean? What logs are being forwarded to a syslog server when the syslog service is enabled?
There are currently two major sets of logs that are forwarded to a remote syslog server when the new syslog service is configured:
- All logs from ESXi hosts that are connected to the vCenter Server will be forwarded
- A partial set of vCenter Server services (details in table below) will be forwarded
Service Name | Service Description | Service Log Location |
---|---|---|
applmgmt-audit | Appliance Management | /var/log/vmware/applmgmt/applmgmt-audit/applmgmt-audit-syslog.log |
audispd | Audit Event Dispatcher | /var/log/audit/audispd/audispd-syslog.log |
auditd | Audit System | /var/log/audit/auditd/auditd-syslog.log |
rbd | Auto Deploy | /var/log/vmware/rbd/rbd-syslog.log |
vmafdd | VMware Authentication Framework | /var/log/vmware/vmafdd/vmafdd-syslog.log |
vmcad | VMware Certificate Service | /var/log/vmware/vmcad/vmcad-syslog.log |
vmdird | VMware Directory Service | /var/log/vmware/vmdird/vmdird-syslog.log |
watchdog-rhttpproxy | Watchdog for Reverse HTTP Proxy service | /var/log/vmware/rhttpproxy/watchdog-rhttpproxy/watchdog-rhttpproxy-syslog.log |
watchdog-syslog | Watchdog for Syslog service | /var/log/vmware/syslog/watchdog-syslog/watchdog-syslog-syslog.log |
watchdog-vmware-vpostgres | Watchdog for vPostgres DB service | /var/log/vmware/vpostgres/watchdog-vmware-vpostgres/watchdog-vmware-vpostgres-syslog.log |
watchdog-vpxd | Watchdog for vCenter Server service | /var/log/vmware/vpxd/watchdog-vpxd/watchdog-vpxd-syslog.log |
watchdog-vws | Watchdog for vCenter Web Services service | /var/log/vmware/vws/watchdog-vws/watchdog-vws-syslog.log |
Note: The information above was extracted from /etc/vmware-syslog/custom-file-location.conf
Here is a screenshot of my vRealize Log Insight instance ingesting the logs that have been forwarded over from my VCSA 6.0:
Although not all the vCenter Server services have been integrated into this new native syslog mechanism, you can see where things headed and hopefully in the not too distant future we will have full native syslog support for all application and system logs found withint vCenter Server. One thing that I really do like is that I can go to one single location to configure my remote syslog server and automatically receive all logs from the ESXi hosts being managed by that vCenter Server and forwarded to the configured syslog server. This definitely makes it operationally friendly so that you have one less thing to configure when provisioning new ESXi hosts.
One limitation that I found when configuring your remove syslog server is that there is no way to reset the values to NULL and the UI also limits the number of remote syslog server to just one, even though you can specify multiple targets. One way to get around this UI limitation is by editing the underlying configuration file which is located in /etc/vmware-syslog/syslog.conf
Here is an example of what the syslog.conf looks like for the above configuration:
*.info @log.primp-industries.com:514;RSYSLOG_SyslogProtocol23Format
If you wish to add a second or even third syslog server, you simply just need to duplicate the existing line and update the hostname or IP Address of your syslog server.
*.info @log.primp-industries.com:514;RSYSLOG_SyslogProtocol23Format
*.info @log2.primp-industries.com:514;RSYSLOG_SyslogProtocol23Format
If you are manually editing the syslog.conf, you will need to restart the syslog service by running the following command for the changes to take effect:
/etc/init.d/vmware-syslog restart
Some of you might say this is great and all, but one of the most important log files which is the vCenter Server log (vpxd.log) is not being being forwarded. How useful is this really to me? I know I definitely asked that question š Though not ideal, there is a small configuration change you can apply to easily get vpxd.log to also forward to a remote syslog server using the new syslog service.
You will need to change the vCenter Server advanced setting "config.log.outputToSyslog" property (can also be done using vSphere API) from false to true as seen in the screenshot below.
The above assumes you have already configured the syslog service and for this change to go into effect, you will need to restart the vCenter Server service. This can be done using the System Configuration and under the vCenter Server Service, by just right clicking and selecting "Restart".
If we now look at our vRealize Log Insight instance or whatever syslog server you are using, you should now see entries from the vpx.log being forwarded:
You can also perform this change from the command-line by editing the vCenter Server configuration file at /etc/vmware-vpx/vpxd.cfg and modifying <outputToSyslog>true</outputToSyslog>
Once you have saved the changes, you will need to restart the vCenter Server by running the following command:
/etc/init.d/vmware-vpxd restart
For those of you who are considering vSphere 6.0 and using the VCSA, this is something I definitely recommend checking out to help simplify the management of both your logs for vCenter Server and your ESXi hosts. I know the VMware Engineering team is working hard on making native syslog support even easier in the future and I look forward to the complete solution hopefully in the near future.