I just had a quick call with a very helpful VMware support guy about this. I’ve just upgraded my ESXi boxes from 4.1 to 5.0, but I wasn’t getting any messages at my remote syslog server any more. Here’s a quick guide to making it work.
First, set your syslog server on the ESXi hosts. You can either do this in vCenter, in Configuration -> Advanced settings, or on the command line:
esxcli system syslog config set --loghost='udp://syslog-server:514'
esxcli system syslog reload
(Just using a bare hostname seems to work just as well, but the example given in the vCenter configuration window suggests the syntax above. Obviously use your own hostname or IP address instead of ‘syslog-server’ :-))
Then you need to enable the ESXi firewall ruleset so that syslog packets are allowed out of the box (this is what was missing on my upgraded ESXi 5.0 hosts). I don’t know how to do this in vCenter, but the commands are:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
My hosts started syslogging immediately after the first command, so the second one may not be strictly necessary.
If you want to use the command line, remember that you have to enable the SSH service for each host (under ‘Security Profile’ in vCenter). Don’t forget to switch it off afterwards.
Pretty much the same information is available in this KB article, but without the pretty picture and the sarcasm.
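A way to check for the failure described above (loghost configured, firewall ruleset still disabled), as an added example that is not part of the original post or VMware's own tooling. It assumes the output layouts of "esxcli system syslog config get" and "esxcli network firewall ruleset list" shown in the constructed samples; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audits the two settings from the post. The output layouts of
# "esxcli system syslog config get" and "esxcli network firewall ruleset list"
# used here are assumptions; compare them with what your host prints.

# Constructed sample: an upgraded host with a loghost set but the ruleset off.
SAMPLE_CONFIG='   Log Output: /scratch/log
   Remote Host: udp://syslog-server:514'
SAMPLE_RULESETS='Name       Enabled
---------  -------
sshServer     true
syslog       false'

# Print the configured remote host from "config get" output ($1).
syslog_loghost() {
    printf '%s\n' "$1" | awk '/Remote Host:/ { sub(/^.*Remote Host: */, ""); print }'
}

# Print true/false for ruleset $2 from "ruleset list" output ($1).
ruleset_enabled() {
    printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $2 }'
}

# Return 0 if forwarding can work, 1 if no loghost, 2 if the firewall blocks it.
# An empty value or "<none>" (assumed placeholder) counts as no loghost.
check_syslog_forwarding() {
    host=$(syslog_loghost "$1")
    state=$(ruleset_enabled "$2" syslog)
    case "$host" in
        ''|'<none>') echo "FAIL: no remote loghost configured"; return 1 ;;
    esac
    if [ "$state" != "true" ]; then
        echo "FAIL: loghost $host is set, but firewall ruleset 'syslog' is not enabled"
        return 2
    fi
    echo "OK: forwarding to $host and firewall ruleset 'syslog' is enabled"
}

# On an ESXi shell use live output; elsewhere fall back to the sample above.
if command -v esxcli >/dev/null 2>&1; then
    check_syslog_forwarding "$(esxcli system syslog config get)" \
        "$(esxcli network firewall ruleset list)" || true
else
    check_syslog_forwarding "$SAMPLE_CONFIG" "$SAMPLE_RULESETS" || true
fi
```

A silent log source is worth alerting on at the syslog server as well, since a host in the state shown by the sample reports nothing at all.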
Glad you got this worked out — note that if you configure either CIM Indications or SNMP traps — both these subsystems will automatically poke a hole in the firewall so one doesn’t have to make a support call wondering.
/vmfs/volumes # esxcli network firewall ruleset rule list | grep dynamicruleset
dynamicruleset Outbound TCP Dst 49152 49152
dynamicruleset Outbound UDP Dst 1162 1162
If you haven’t found it already: to perform the firewall change in vCenter, click on the desired host, then click the Configuration tab. In the ‘Software’ box, click the link that says ‘Security Profile’. There you can change firewall settings.
Thanks mate! I don’t use VMware stuff any more, but I’m sure many others will find your comment useful.
excellent and to the point post… thanks a lot…
This article helped me very much. Thank you!
I see this is a pretty old topic, but maybe you can help me. I have my ESXi servers forwarding data to a syslog server, but I want to limit which logs are sent. I don’t want all the logs in /scratch/log forwarded, just specific ones. Is there a way to configure this function? I haven’t been able to find one through all my searching. Thanks in advance.
I don’t run VMware systems any more, but I’ll leave this here in case others can help you.