In this article I detail the steps required to configure your vMA as a Syslog server, and configure your ESX/ESXi hosts to send logging information to the vMA. Logging is often overlooked, but when managing multiple hosts it is far easier to send your logs to a Syslog server. I’m studying for the VCAP-DCA exam, and using vicfg-syslog is a requirement of the exam (Section 6.1) and the vMA is also essential to understand (Section 8.1). I hope my notes help you as they have helped me.
Configuring your VMware vMA as a Syslog server is very easy to do; just follow these steps.
Log on to your vMA as vi-admin and enter the following commands:
sudo service rsyslog stop
sudo vi /etc/sysconfig/rsyslog
sudo service rsyslog start
sudo iptables -I INPUT -i eth0 -p udp --dport 514 -j ACCEPT
sudo service iptables save (this will save the new firewall rule and ensure it doesn’t disappear after a reboot)
Job done! The vMA server is now ready to accept syslog connections on UDP port 514.
Configuring your ESXi host to send logging information to the Syslog server
You can do this via the vSphere client (Configuration > Advanced > Syslog, syslog.remote.hostname), but for the VCAP-DCA exam it might be useful to know how to do this using vMA.
First ensure you have your ESXi host set as the fast-pass target, then set the Syslog server:
# vifptarget -s <ESXI_HOSTNAME>
# vicfg-syslog -s <VMA_IP_ADDRESS>
Configuring your ESX host to send logging information to Syslog server
You can’t use the vSphere client or vMA to configure Syslog on an ESX host, so we need to edit /etc/syslog.conf and add the following line to the very bottom:
In this example, replace <SYSLOG_IP_ADDRESS> with the IP address of the vMA.
Next we need to allow UDP port 514 out from your ESX host. To do this run the following command (make sure you are logged in as root, or use su - to become root):
# esxcfg-firewall -o 514,udp,out,syslog
Note: If you log in to your ESX host and then su to root, make sure you type su - (with the hyphen), which loads the environment variables of the root account. Otherwise you may find that you get the error ‘bash: esxcfg-firewall: command not found’.
Finally, restart the syslog service:
# service syslog restart
Checking the ESX logs on vMA
Now for the fun bit! Log on to your vMA server as vi-admin, and type:
# sudo tail -f /var/log/messages
This will tail the messages file, and -f will output data as it is added to the file.
To send a test message, log on to the ESX host that you configured for syslog (above) and type:
# logger syslog test message
You should see your test message output on the vMA. Cool huh!
Checking ESXi logs on vMA
The logger command isn’t available with ESXi, so another way of checking that your Syslog is working for an ESXi host is to filter the results to show the IP address of your ESXi host:
# sudo tail -f /var/log/messages | grep <ESXI_IP_ADDRESS>
It shouldn’t take long to see messages from your ESXi host, and filtering on the IP address using grep is a really neat way of finding results for a particular host.
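An added example, not from the original article: grep on an IP address is a substring and regex match, so filtering for 10.0.0.1 also shows lines from 10.0.0.10 and any line that merely mentions the address. The script below matches the sender field exactly and lists expected hosts that have sent nothing. It assumes the traditional rsyslog file layout, where the fourth field is the sender as rsyslog recorded it (IP address or name); the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example: exact per-host checks on a syslog collector's messages file.
# Assumption: lines look like "Mon DD HH:MM:SS <sender> <tag>: <msg>",
# so the sender is the 4th whitespace-separated field.

# Print the number of lines in file $1 whose sender field equals $2 exactly.
count_from_host() {
    # Appending "" forces a string comparison, never a numeric one.
    awk -v h="$2" '($4 "") == (h "") { n++ } END { print n + 0 }' "$1"
}

# Print each expected sender (arguments after the file) with no lines at all.
silent_hosts() {
    log="$1"; shift
    for h in "$@"; do
        if [ "$(count_from_host "$log" "$h")" -eq 0 ]; then
            echo "$h"
        fi
    done
    return 0
}

# Constructed sample log (not real output from any host).
sample_log() {
    cat <<'EOF'
Jan  5 10:00:01 10.0.0.10 Hostd: constructed sample line
Jan  5 10:00:02 10.0.0.10 Vpxa: constructed sample line
Jan  5 10:00:03 vma sudo: constructed sample line mentioning 10.0.0.1
Jan  5 10:00:04 10.0.0.21 logger: syslog test message
EOF
}

# Demo: compare the substring filter with the exact sender match.
tmp=$(mktemp)
sample_log > "$tmp"
echo "substring grep for 10.0.0.1: $(grep -c '10.0.0.1' "$tmp") lines"
echo "exact sender 10.0.0.1:       $(count_from_host "$tmp" 10.0.0.1) lines"
echo "hosts not logging:           $(silent_hosts "$tmp" 10.0.0.1 10.0.0.10 10.0.0.21)"
rm -f "$tmp"
```

On the vMA, point the functions at /var/log/messages (with sudo if needed) and pass the senders exactly as they appear in the fourth field of your own log lines.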