I just had a quick call with a very helpful VMware support guy about this. I’ve just upgraded my ESXi boxes from 4.1 to 5.0, but I wasn’t getting any messages at my remote syslog server any more. Here’s a quick guide to making it work.
First, set your syslog server on the ESXi hosts. You can either do this in vCenter, in Configuration -> Advanced settings:
or on the command line:
esxcli system syslog config set --loghost='udp://syslog-server:514'
esxcli system syslog reload
(Just using a bare hostname seems to work just as well, but the example given in the vCenter configuration window suggests the syntax above. Obviously use your own hostname or IP address instead of ‘syslog-server’ :-))
Then you need to enable the ESXi firewall ruleset so that syslog packets are allowed out of the box (this is what was missing on my upgraded ESXi 5.0 hosts). I don’t know how to do this in vCenter, but the commands are:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
My hosts started syslogging immediately after the first command, so the second one may not be strictly necessary.
If you want to use the command line, remember that you have to enable the SSH service for each host (under ‘Security Profile’ in vCenter). Don’t forget to switch it off afterwards.
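As an added example (not from the original post or from VMware), the script below checks the two settings configured above and reports which one is missing, so an upgraded host that has silently stopped forwarding logs is caught. The function names and sample outputs are constructed, and the exact esxcli output layout, including `<none>` for an unset log host, is an assumption.

```shell
#!/bin/sh
# Added example: audit the two settings this post configures.
# Sample outputs are constructed; the real esxcli layout is assumed to match.

# Print the "Remote Host" value from `esxcli system syslog config get` output.
loghost_of() {
    printf '%s\n' "$1" | sed -n 's/^ *Remote Host: *//p'
}

# Succeed only if the ruleset list output shows the syslog ruleset enabled.
syslog_ruleset_enabled() {
    printf '%s\n' "$1" |
        awk '$1 == "syslog" { found = ($2 == "true") } END { exit !found }'
}

# Print "ok", "no-loghost" or "firewall-blocked" for the given outputs.
audit_syslog() {
    host=$(loghost_of "$1")
    if [ -z "$host" ] || [ "$host" = "<none>" ]; then
        echo "no-loghost"
    elif ! syslog_ruleset_enabled "$2"; then
        echo "firewall-blocked"
    else
        echo "ok"
    fi
}

# Constructed sample resembling an upgraded host: loghost set, ruleset off.
SAMPLE_CFG='   Log Output: /scratch/log
   Remote Host: udp://syslog-server:514'
SAMPLE_FW='Name    Enabled
------  -------
syslog    false'

if command -v esxcli >/dev/null 2>&1; then
    # On an ESXi host: audit the live configuration.
    audit_syslog "$(esxcli system syslog config get)" \
                 "$(esxcli network firewall ruleset list --ruleset-id=syslog)"
else
    # Elsewhere: run against the constructed sample.
    audit_syslog "$SAMPLE_CFG" "$SAMPLE_FW"
fi
```

A result of `firewall-blocked` corresponds to the state described above, where the log host is configured but the syslog ruleset is disabled.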
Pretty much the same information is available in this KB article, but without the pretty picture and the sarcasm.