8.3 VCAP-DCA Study Guide - Configuring vMA for Logging

Posted on 07 Mar 2011 by Ray Heffer

In this article I detail the steps required to configure your vMA as a Syslog server, and configure your ESX/ESXi hosts to send logging information to the vMA. Logging is often overlooked, but when managing multiple hosts it is far easier to send your logs to a Syslog server. I’m studying for the VCAP-DCA exam, and using vicfg-syslog is a requirement of the exam (Section 6.1) and the vMA is also essential to understand (Section 8.1). I hope my notes help you as they have helped me. Configuring your VMware vMA as a Syslog server is very easy to do; just follow these steps:

Log on to your vMA as vi-admin and enter the following commands:

sudo service rsyslog stop

sudo vi /etc/sysconfig/rsyslog

sudo service rsyslog start

sudo iptables -I INPUT -i eth0 -p udp --dport 514 -j ACCEPT

sudo service iptables save (this will save the new firewall rule and ensure it doesn’t disappear after a reboot)

Job done! The vMA server is now ready to accept syslog messages on UDP port 514.

Configuring your ESXi host to send logging information to the Syslog server

You can do this via the vSphere client (Configuration > Advanced > Syslog, syslog.remote.hostname), but for the VCAP-DCA exam it might be useful to know how to do this using vMA.

Using vMA:

First ensure you have your ESXi host set as the fast-pass target, then use vicfg-syslog:

# vifptarget -s <ESXI_HOSTNAME>

# vicfg-syslog -s <VMA_IP_ADDRESS>

Configuring your ESX host to send logging information to Syslog server

You can’t use the vSphere client or vMA to configure Syslog on an ESX host, so we need to edit /etc/syslog.conf and add the following line to the very bottom:

*.* @<SYSLOG_IP_ADDRESS>

In this example, replace <SYSLOG_IP_ADDRESS> with the IP address of the vMA.

Next we need to allow UDP port 514 out from your ESX host. To do this run the following command (make sure you are logged in, or su - as root):

# esxcfg-firewall -o 514,udp,out,syslog

Note: If you log in to your ESX host and then su to root, make sure you type su - (with the hyphen), which loads the environment variables of the root account. Otherwise you may find that you get the error ‘bash: esxcfg-firewall: command not found’.

Finally, restart the syslog service:

# service syslog restart

Checking the ESX logs on vMA

Now for the fun bit! Log on to your vMA server as vi-admin, and type:

# sudo tail -f /var/log/messages

This will tail the messages file, and -f will output data as it is added to the file.

To send a test message, log on to the ESX host that you configured for syslog (above) and type:

# logger syslog test message

You should see your test message output on the vMA. Cool huh!

Checking ESXi logs on vMA

The logger command isn’t available with ESXi, so another way of checking that your Syslog is working for an ESXi host is to filter the results to show the IP address of your ESXi host:

# sudo tail -f /var/log/messages | grep <ESXI_IP_ADDRESS>

It shouldn’t take long to see messages from your ESXi host, and filtering on the IP address using grep is a really neat way of finding results for a particular host.
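The per-host grep check above can be extended to cover every configured host in one pass. The script below is an added example, not part of the original post. It lists the expected hosts that have not logged to the vMA, matching the sender field exactly, because a plain grep for 192.168.1.2 also matches lines from 192.168.1.21. It assumes the traditional syslog line layout with the sender in the fourth field; the function names, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which expected hosts have not logged to the vMA.
# Assumes the traditional layout "Mon DD HH:MM:SS HOST TAG: MSG",
# so the sender (IP or name, as rsyslog recorded it) is field 4.

# silent_hosts LOGFILE HOST...
# Prints each expected HOST with no line in LOGFILE; exit status 1 if any.
silent_hosts() {
    logfile=$1
    shift
    awk -v expected="$*" '
        BEGIN { n = split(expected, want, " ") }
        { seen[$4] = 1 }    # exact match on the host field, not a substring
        END {
            missing = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; missing = 1 }
            exit missing
        }
    ' "$logfile"
}

# Constructed sample of /var/log/messages content on the vMA.
make_sample_log() {
    cat <<'EOF'
Mar  7 10:15:01 192.168.1.21 Hostd: constructed sample line from an ESXi host
Mar  7 10:15:04 192.168.1.210 vmkernel: constructed sample line from an ESX host
Mar  7 10:15:09 vma logger: constructed local message
EOF
}

# Demo on the constructed sample: 192.168.1.2 is reported as silent even
# though "grep 192.168.1.2" would match the lines from .21 and .210.
demo_log=$(mktemp)
make_sample_log > "$demo_log"
silent_hosts "$demo_log" 192.168.1.21 192.168.1.2 192.168.1.210 \
    || echo "(hosts listed above have sent nothing)"
rm -f "$demo_log"
```

On the vMA itself, the call would be sudo sh -c with silent_hosts pointed at /var/log/messages and the list of hosts you configured.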