Most important VMware log files

• Author
• Recent Posts

Vladan Seget

Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2021, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.

Latest posts by Vladan Seget (see all)

• How to use VMware vSAN ReadyNode Configurator - Fri, Dec 17 2021
• VMware Tanzu Kubernetes Toolkit version 1.3 new features - Fri, Dec 10 2021
• Disaster recovery strategies for vCenter Server appliance VM - Fri, Nov 26 2021

You can then send these log files to VMware support after opening a support request to investigate what's going on and resolve problems you might have.

But different VMware products have different log locations and different ways to get these logs. How do you keep track of it all? When working in an enterprise environment, you'll perhaps want to get software that will not only be able to centralize and gather all of these logs but also "ingest" the logs and tell you if there are more errors than usual.

A proactive option is monitoring software that can store logs in one location and analyze them to provide you with patterns identified as warnings or failures.

One such application is VMware Log Insight, but in this post, we will not install and configure this software. Today we only want to know which logs are the most important, how to get them, and how to send them to VMware.

vCenter Server log files

For environments using VMware vCenter Server, this operation of gathering support logs is now greatly simplified. To generate a support bundle, connect to your vCenter Server via the vSphere HTML 5 Web Client and then go to Home > Hosts and Clusters. Select the vCenter Server you want to generate support logs from and go to Actions > Export System Logs.

Exporting system logs from VMware vCenter Server

You can choose to export ESXi host log bundles and vSphere web client log files within the same bundle. With this information, VMware has everything they need to identify the problem. Within these subdirectories, vCenter Server logs are grouped by component and purpose. However, most of the time, you won't need to know all of this.

All vCenter Server log files (from the VMware knowledge base article)

If you're using a vCenter Server Appliance (VCSA) as VMware recommends, you can also get the logs from a Secure Shell (SSH) session or a direct console session in case you have problems and using the vSphere Web Client isn't a possibility. You'll find the main vCenter Server log at vpxd/vpxd.log

VMware ESXi host log files

What if you don't have vCenter and want to check the logs for a VMware ESXi host? For individual ESXi hosts vCenter Server doesn't manage, you can get support logs via this procedure:

In your web browser, go to https://ESXI-IP-ADRESS/UI. Then go to Monitor > Logs > Generate log bundle.

You can do two things here:

1. You can check different logs by selecting a log file and verifying the content in the lower pane.
2. You can generate a log bundle.

Generate an ESXi log bundle

Creating logs takes a few minutes, maybe five. Afterward, a small pop-up window appears telling you this:

Download an ESXi log bundle

The logs are quite voluminous; in my case they were like 155 MB in size. It's pretty convenient and simple to have these logs on your C: drive, but then you'll have to "ship" them to VMware. But again, it's simple.

You simply have to connect to your space at the myVMware portal and go to the Get Support section. There you will have to Select an issue and upload a log file.

Getting support at VMware and uploading log files

ESXi logs and locations

You can find different ESXi log locations and the meaning of each log in this table from a VMware knowledge base article.

VMware ESXi logs and their locations

As you can see, quite a few logs are stored on ESXi hosts. ESXi records host activity in log files by using syslog, a standard for message logging. It is not proprietary to VMware and ESXi.

Within your environment, you can configure a syslog server. Instead of jumping from one ESXi host to another to check the logs, it's way better to install and configure a syslog server to pull the data from many ESXi hosts. Without a syslog server, you'd have to check through each ESXi host individually.

The syslog protocol supports a wide range of devices, and you can use it to log different types of events. For example, a router might send messages about users logging on to console sessions, while a web server might log access-denied events.

Syslog is a great way to consolidate logs from multiple sources into a single location, so you can configure each ESXi host to send its logs to a syslog server—to a single, central location.

You can download and test many free syslog servers. One of them for example is Kiwi Syslog Server from SolarWinds, but it is outside the scope of this post.

Whether you administer a small company's network or an enterprise-grade network infrastructure, in the long term, you should definitely consider employing a syslog monitoring tool.

Such a software tool would help you not only see what is happening on your network but also put yourself in a position to be proactive and able to react on events before a failure occurs. After all, it's all about uptime.