Forwarding your ESXi logs to the vCenter server is good practice in small environments, but large environments should use a dedicated, separate log server; otherwise, your VCSA will suffer from performance peaks. To give you a number: you should not have more than 30 hosts sending logs to your vCenter server, as this is not a VMware-supported scenario.
Best of all is to set up a dedicated log server not only for your ESXi hosts but also for your VCSA. You might not be aware of it, but VCSA can be configured to send its logs to up to three different log servers. Now, why would you want to send your logs to three different locations? The use cases exist. For example, you might have two or three different monitoring solutions, each of which needs to work with the log files, say a SIEM for the security team alongside the operations team's log analytics tool.
One product that can receive the logs is vRealize Log Insight, which includes a built-in syslog server. vRealize Log Insight can analyze terabytes of logs and discover structure in unstructured data, so it can surface failure patterns as they happen. It uses machine learning with intelligent grouping. The syslog server listens on ports 514/TCP, 514/UDP, and 1514/TCP (syslog over TLS); you can change the defaults to something else if you need to. Logs sent by VCSA are ingested by the syslog server along with all the other logs you send it from your other VMware products, and you search them via the vRealize Log Insight UI.
Configuration of VMware VCSA for three syslog forwarding targets – The steps
First, log in to the VCSA via the VAMI user interface: point your web browser to https://ip_of_vcsa:5480 and sign in with the root login/password.
Then go to Syslog > Forwarding Configuration > Configure.
Once there, add the IP address or fully qualified domain names (FQDN) of your syslog hosts, one per line.
Note: The maximum number of supported destination hosts is three.
In the middle, there is a Protocol drop-down menu. Select the protocol you want to use.
As you can see, you have several choices for the protocol. Let's look at them:
- TLS: Transport Layer Security; syslog over TCP wrapped in TLS, so the log stream is encrypted and the receiver is authenticated
- TCP: Transmission Control Protocol; reliable delivery, but in clear text
- RELP: Reliable Event Logging Protocol; TCP plus application-level acknowledgments, so a message is not lost when the connection breaks mid-transfer (the receiver, rsyslog for example, must support it)
- UDP: User Datagram Protocol; fire-and-forget, clear text, and silently lossy under load
Logs carry hostnames, user names, and error details, so choose TLS wherever the receiver supports it and keep UDP for lab use. If you want to use port 1514, you must select the TLS protocol; otherwise, the messages won't get through.
In the Port text box, enter the port number to use for communication with the destination host. In the Create Forwarding Configuration pane, click Add to enter another remote syslog server.
Then click Save and you're done.
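The same steps in code, as an added example that is not part of the original post: it encodes the constraints above (at most three hosts, the four protocols, and the TLS requirement for port 1514) and, optionally, pushes the result through the VCSA appliance management REST API on port 5480. The endpoints (/rest/com/vmware/cis/session for login, PUT /rest/appliance/logging/forwarding, and the ?action=test call) are assumed from the vSphere 6.7 appliance API and should be checked against your VCSA version; hostnames such as loginsight.lab.local are hypothetical.

```python
"""Build, validate and push a VCSA syslog forwarding configuration.

Added example, not code from the original post. The limits come from the
post (max three destinations, four protocols, port 1514 pairs with TLS);
the REST endpoints are assumed to be the vSphere 6.7 appliance API on
port 5480 and should be checked against your VCSA version.
"""
import base64
import json
import ssl
import urllib.request

MAX_TARGETS = 3                              # VAMI accepts at most three hosts
PROTOCOLS = ("TLS", "TCP", "RELP", "UDP")     # the VAMI Protocol drop-down
TLS_ONLY_PORT = 1514                         # Log Insight's TLS listener


def build_forwarding_config(targets):
    """targets: iterable of (hostname_or_ip, port, protocol).

    Returns the JSON body for PUT /rest/appliance/logging/forwarding,
    or raises ValueError for anything the VAMI form would also reject."""
    targets = list(targets)
    if not targets:
        raise ValueError("at least one syslog destination is required")
    if len(targets) > MAX_TARGETS:
        raise ValueError(f"VCSA supports at most {MAX_TARGETS} destinations, got {len(targets)}")
    cfg_list, seen = [], set()
    for hostname, port, protocol in targets:
        hostname, protocol, port = hostname.strip(), protocol.upper(), int(port)
        if not hostname:
            raise ValueError("empty hostname")
        if protocol not in PROTOCOLS:
            raise ValueError(f"unsupported protocol {protocol!r}; expected one of {PROTOCOLS}")
        if not 1 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        if port == TLS_ONLY_PORT and protocol != "TLS":
            raise ValueError(f"port {TLS_ONLY_PORT} is the TLS listener; select TLS, not {protocol}")
        key = (hostname.lower(), port, protocol)
        if key in seen:
            raise ValueError(f"duplicate destination {hostname}:{port}/{protocol}")
        seen.add(key)
        cfg_list.append({"hostname": hostname, "port": port, "protocol": protocol})
    return {"cfg_list": cfg_list}


class VcsaAppliance:
    """Tiny client for the appliance management REST API (assumed 6.7 paths)."""

    def __init__(self, host, user, password, cafile=None):
        self.base = f"https://{host}:5480"
        # Verify the VAMI certificate: pass the CA bundle that signed it
        # instead of disabling verification.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.token = None
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.token = self._call("POST", "/rest/com/vmware/cis/session",
                                headers={"Authorization": f"Basic {creds}"})["value"]

    def _call(self, method, path, body=None, headers=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if self.token:
            req.add_header("vmware-api-session-id", self.token)
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.loads(resp.read() or b"{}")

    def set_forwarding(self, cfg):
        return self._call("PUT", "/rest/appliance/logging/forwarding", body=cfg)

    def send_test_message(self):
        # Same action as the VAMI "Send Test Message" button.
        return self._call("POST", "/rest/appliance/logging/forwarding?action=test",
                          body={"send_test_message": True})


if __name__ == "__main__":
    # Hypothetical lab hosts; adjust before running.
    cfg = build_forwarding_config([
        ("loginsight.lab.local", 1514, "TLS"),   # vRealize Log Insight, TLS
        ("siem.lab.local", 514, "TCP"),
        ("10.0.0.20", 514, "UDP"),
    ])
    print(json.dumps(cfg, indent=2))
    # vcsa = VcsaAppliance("vcsa.lab.local", "root", "secret", cafile="lab-ca.pem")
    # print(vcsa.set_forwarding(cfg)); print(vcsa.send_test_message())
```

The validation runs before anything touches the appliance, so a fourth host or a TCP entry on port 1514 fails locally with a clear message instead of a generic API error. The client verifies the VAMI certificate against the CA bundle you pass in; do not turn verification off, because the root password travels in that session request.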
Test your configuration
You can check whether your syslog server is receiving the messages: go to the Forwarding Configuration section and click Send Test Message, then look for the message on the receiving side.
An overview of the current configuration is shown in the same Forwarding Configuration section.
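If the test message doesn't show up in the receiver's UI, it helps to confirm first that anything reaches the destination at all. The listener below is an added example, not from the original post: it accepts one message over plain UDP or TCP (no TLS), decodes the PRI field and the RFC 5424 or RFC 3164 header, and is meant as a throwaway reachability check on a spare port. The sample lines are constructed so the parser can be exercised offline.

```python
"""Minimal syslog catcher for checking that a VCSA test message arrives.

Added example, not code from the original post. It listens on plain
UDP or TCP (no TLS), decodes the PRI field and the RFC 5424 / RFC 3164
header, and is meant for a one-off reachability check before you point
VCSA at the real receiver. The sample lines at the bottom are constructed.
"""
import re
import socket

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# RFC 5424: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
RFC5424_RE = re.compile(
    r"^(\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(-|(?:\[.*?\])+)\s*(.*)$", re.S)
# RFC 3164 (BSD): "Mar 20 10:15:31 host tag[pid]: message"
RFC3164_RE = re.compile(
    r"^([A-Z][a-z]{2}\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(\S+)\s+(.*)$", re.S)


def strip_octet_count(text):
    """RFC 6587 octet-counting framing on TCP prefixes 'LEN ' to each message."""
    head, sep, body = text.partition(" ")
    if sep and head.isdigit() and body.startswith("<"):
        return body[:int(head)]
    return text


def parse_syslog(raw):
    """Return a dict with facility, severity, format, timestamp, host, app, msg."""
    m = PRI_RE.match(strip_octet_count(raw.strip()))
    if not m or int(m.group(1)) > 191:          # 23 facilities * 8 severities - 1
        raise ValueError(f"no valid PRI in {raw[:40]!r}")
    pri, rest = int(m.group(1)), m.group(2)
    rec = {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7]}
    m5 = RFC5424_RE.match(rest)
    m3 = None if m5 else RFC3164_RE.match(rest)
    if m5:
        rec.update(format="rfc5424", timestamp=m5.group(2), host=m5.group(3),
                   app=m5.group(4), msg=m5.group(8))
    elif m3:
        tag, _, msg = m3.group(3).partition(": ")
        rec.update(format="rfc3164", timestamp=m3.group(1), host=m3.group(2),
                   app=tag.split("[")[0], msg=msg or m3.group(3))
    else:
        rec.update(format="unknown", timestamp=None, host=None, app=None, msg=rest)
    return rec


def receive_one(port=514, proto="udp", bind="0.0.0.0", timeout=120):
    """Wait for one message from VCSA and return (sender_ip, parsed_record)."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.bind((bind, port))
            data, peer = s.recvfrom(65535)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.settimeout(timeout)
            s.bind((bind, port))
            s.listen(1)
            conn, peer = s.accept()
            with conn:
                conn.settimeout(timeout)
                data = conn.recv(65535)
    return peer[0], parse_syslog(data.decode("utf-8", "replace"))


# Constructed sample lines in the two formats a receiver is likely to see.
SAMPLES = [
    "<14>1 2020-03-20T10:15:30.000Z vcsa.lab.local vmon - - - test message",
    "<30>Mar 20 10:15:31 vcsa.lab.local vpxd[1234]: Test message from VCSA",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_syslog(line))
    # Binding 514 needs root; as an unprivileged user pick e.g. 5514/TCP,
    # add a temporary VCSA entry for it (protocol TCP, not TLS), and click
    # Send Test Message in the VAMI.
    # print(receive_one(port=5514, proto="tcp"))
```

Run it on the receiving box, add a temporary VCSA forwarding entry that points at that port with protocol TCP or UDP, click Send Test Message, and remove the entry afterwards. The returned sender IP tells you which VCSA interface the message left from, which matters when the appliance has more than one NIC and the firewall rule on the log server only allows one of them. For the final TLS configuration this plain listener does not apply; there you rely on the Log Insight UI or the receiver's own syslog log.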
Well, this is it. It was just a quick tip concerning syslog forwarding to multiple targets, plus a guideline for environments with more than 30 hosts, where you have to configure a destination other than your vCenter server.
Sending syslog to external servers is common practice and makes sense. Without a central log server, troubleshooting a failure means logging into the affected host or server and digging deep into its logs by hand. If you have a solution such as VMware vRealize Log Insight, its log search and machine learning capabilities might be helpful. It collects machine-generated logs of various types and automatically identifies structure in them. For example, you can have logs from applications, network traces, config files, messages, performance data, system state dumps, and many others. How do you tell them apart without any order?
If you're a "free" shop, then you might be using other free solutions such as the Kiwi syslog server, the free version of PRTG, or Splunk Light. However, those free versions might limit the number of logs you can send to them daily or monthly. There are many others. It really depends on the size of your environment, the usability, and the licensing cost.