I was recently asked if it was possible to forward vCenter Server logs to a regular syslog server and if so, how difficult would it be to setup? I had researched this topic several years back, but did not find an ideal solution as vCenter Server was only available on the Windows platform and vCenter Server itself did not provide any syslogging capabilities. With the release of vSphere 5.0, VMware introduced the VCSA (vCenter Server Appliance) and realized I never revisited this question for the VCSA.

After a bit of digging, I found that the VCSA comes installed with syslog-ng by default which is used to provide the vSphere Syslog Collector functionality as well as the local syslog client for the VCSA itself. Given this information, it was pretty trivial to source the local /var/log/vmware/vpx/vpxd.log (symlink to latest vCenter Server log as well as other important vCenter logs) and automatically forward that to a remote syslog server.

VCSA Syslog Configuration

You will need to edit the following configuration file on the VCSA - /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

Note: If you are interested in more details about “sourcing” a local log, take a look at this article here which I used as a reference.

Once you have saved the configuration file, you just need to restart the syslog client by running the following command:

service syslog restart

If you login to your remote syslog server, you should now see that your VCSA is forwarding it’s vpxd logs over. Pretty simple, right? :) You can of course forward over other vCenter Server logs by adding additional source files. The main key is that there is a symlink that automatically points to the latest log file which you map as the source file.

I am sure many of you are probably asking what about vCenter Server for Windows? Well, I did also looked into a similar solution but it’s a bit more complex than just adding a few configuration entries.

Windows vCenter Server Syslog Configuration

Disclaimer: This is not supported by VMware, please use at your own risk.

There are a few challenges with the Windows version, by default there are no syslog clients installed and there is no automatic symlink to the latest vCenter Server log. Having said that, you can still get the above solution working using the free syslog-ng, but it takes a few more steps. The solution will be leveraging Cygwin, so we can run the free version of syslog-ng on a Windows system.

Step 1 - Install Cygwin and configure syslog-ng service on your vCenter Server as described in this article. You will need to add an additional package which is “Admin/Cron” that will be used in the subsequent steps. In the example, I ran syslog-ng under default system account, but if you need to run it under a different user, you may find these two articles to be helpful

  • http://linux.subogero.com/894/cron-on-cygwin/
  • http://www.davidjnice.com/articles/cygwin_cron-service.html

Step 2 - Just as before, we will need to edit /etc/syslog-ng/syslog-ng.conf and add the following lines at the bottom of the file (remember to replace the syslog host with your own):

You will notice this time, we are accessing the Windows C drive by using the /cygdrive path

Step 3 - As mentioned earlier, there is no symlink that points to the latest vCenter Server log, which makes it difficult to map to static log file. What we can do is basically identify the latest vpxd-#.log and automatically create a symlink and that is what is being monitored by syslog-ng to forward the log. We will be using a cronjob and a very simple shell script.

You can place the script in the current home directory /home/Administrator (or whatever default user you happen to have installed Cygwin on)

Here is the shell script which I have called latest.sh:

Make sure to set the script to be executable: chmod +x latest.sh

Step 4 - Create a cronjob which will run every minute (you might be able to set a longer delay depending on your environment and it’s rotation frequency) by editing the following file /var/cron/tabs/Administrator or using crontab -e
Step 5 - Start or restart syslog-ng by running one of the following commands:

Start - cygrunsrv -S syslog-ng
Restart - cygrunsrv -E syslog-ng;cygrunsrv -S syslog-ng

If everything was successful, you should start seeing your vCenter Server logs from your Windows system forward to your remote syslog server. When the latest vpxd-#.log changes, the cronjob will automatically take care of re-linking to the latest vpxd-#.log to ensure you continue forwarding your vCenter Server logs.

As you can see, it is not trivial to set this up for the Windows vCenter Server as it is for the VCSA, but you now have a way to centrally store all your important vCenter Server logs for archival or analysis purposes without having to manually copy them off to a remote volume.

Few additional notes:

  • I believe the paid version of syslog-ng supports file globbing, so you do not need to setup a cronjob and just watch for all vpxd-*.log, but in this example, I went with a completely free solution
  • You might also be able to leverage Splunk to monitor vCenter Server logs as noted in this Splunkbase entry, but I have not verified and I am not sure if you have to pay for this feature in Splunk
  • Here is an easier way of forwarding vCenter Server logs on Windows using Snare by Raphael Schitz.

10 thoughts on “Forwarding vCenter Server Logs to a Syslog Server

  1. for information

    if you remove “flags(no-parse)” in the source you obtain better format handling with correct time interpretation

  2. In the file /etc/syslog-ng/syslog-ng.conf there exists the following:

    #destination logserver { udp(“10.10.10.10″ port(514)); };
    #log { source(src); destination(logserver); };

    All you need to do is replace the IP address and uncomment the lines. Of course, restart the service.

    • That is only for the OS logs, not the vCenters logs. I looked at the syslog-ng.conf and I didn’t saw a reference to the /var/log/vmware, so the vcenter writes it owns logs, not using the syslog server.

      If you want to see the vcenters logs (which is probably you want to see) you have to source the logs as it’s written above.

      The files aren’t in standard syslog format so the flags(no-parse) is necessary.

  3. More logs to include on the VCSA:

    source vcsa_more {
    file(“/var/log/ldapmessages” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/ls.log” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/jointool.log” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/vsm.log” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/sps/sps.log” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/cim-diag.log” log_prefix(“vcsa: “) follow_freq(1) flags(no-parse));
    };

    source vmware-sso {
    file(“/var/log/vmware/sso/ssoAdminServer.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/lookupServer.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vmdird/vdcpromo.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vmdird/vdcsetupIdu.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vmkdcd/vmkdcd.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/vmware-sts-idmd.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/vmware-identity-sts.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/utils/sso_servicecfg.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/utils/vi-regtool.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/sso/utils/vmware-stsd.log” log_prefix(“sso: “) follow_freq(1) flags(no-parse));
    };

    source vsphere-client {
    file(“/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log” log_prefix(“vsphere-client: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vsphere-client/logs/byUser/[email protected]” log_prefix(“vsphere-client: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vsphere-client/logs/byUser/noUser.log” log_prefix(“vsphere-client: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vsphere-client/logs/byUser/_unknown_user_.log” log_prefix(“vsphere-client: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vsphere-client/eventlogs/eventlog.log” log_prefix(“vsphere-client: “) follow_freq(1) flags(no-parse));

    };

    source vami {
    file(“/opt/vmware/var/log/vami/vami.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    file(“/opt/vmware/var/log/vami/vami-ovf.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    file(“/opt/vmware/var/log/vami/vami-sfcb.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vami/vcva-web-ui.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vami/storage-page.out.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vami/cmdpool-web-ui.log” log_prefix(“vami: “) follow_freq(1) flags(no-parse));
    };

    # Remote Syslog Host
    destination remote_syslog {
    udp(“192.168.5.14″ port (514));
    };

    log {
    source(vcsa);
    source(vcsa_more);
    source(vmware-sso);
    source(vsphere-client);
    source(vami);
    destination(remote_syslog);
    };

  4. Superb. Exactly what I needed.

    Small correction: you should delete that from syslog-ng.conf file

Thanks for the comment!