All VMware hosts run a service for logging system information. This service, vmsyslogd, logs messages from the VMkernel and other system components for auditing and diagnostic purposes. By default, the logs are directed to a local scratch location or ramdisk. The scratch space is created automatically during ESXi installation in the form of a 4 GB FAT16 local scratch partition. If storage space is unavailable, the host will store data on a ramdisk, which is not persistent across reboots. Because logs on a ramdisk are lost at reboot, many admins choose to send these logs to a persistent datastore or remote logging server for retention.
Configuring the log location can be done in a variety of ways. In this post, we will focus on vSphere Web Client and ESXi Shell.
Manually Configure ESXi Syslog – vSphere Web Client
For convenience's sake, the Web Client is popular for setting the log location. In the Web Client, the Syslog.global.logdir key controls the syslog location. By default, the location is set to /scratch/log, which points to the local scratch partition created during installation or to the ramdisk. To change the syslog location, navigate to Advanced System Settings under the host Configuration tab. Edit the Syslog.global.logdir value to specify the new log path. Format the value as [datastore]/logdir. Example: [DevDS]/LOGS/Dev
Similarly, the Syslog.global.LogHost key indicates the remote server where the syslog messages are forwarded. A blank field indicates that logs are not being forwarded. To specify a remote logging host, enter a value in the format of protocol://hostname:port. Example: tcp://hostname:514
When complete, click OK. The changes will take effect immediately.
NOTE – If you are utilizing the vSphere 6.5 Web Client, you may receive an error when attempting to save the settings. The message will state ‘There are errors in some of the advanced settings values. Resolve them to continue.’
If that is the case, it is quite possible the Power.PerfBias value is set to 4294967294, which is out of range for that key. VMware is aware of this issue affecting ESXi 6.5. The resolution is to upgrade to VMware ESXi 6.5 Update 1.
If you are not ready to upgrade to ESXi 6.5 U1 or prefer using the command line utility, local and remote logging can also be configured using esxcli.
Manually Configure ESXi Syslog – ESXCLI
To start, open an ESXi Shell session via SSH or vCLI on the pertinent host. Now, retrieve the current syslog configuration options using esxcli system syslog commands.
esxcli system syslog config get
Next, configure the new log directory and/or remote log server with the esxcli system syslog config set command. Specify the vmfs directory path for the log directory with the --logdir option and/or the remote log server with the --loghost option.
esxcli system syslog config set --logdir=/vmfs/directory/path --loghost='tcp://hostname:514'
Load the configuration changes with the esxcli system syslog reload command. The logs will immediately begin populating the specified location.
Run the esxcli system syslog config get command again to verify the changes are in place.
Lastly, check the Advanced System Settings keys back in the Web Client to see the reflected changes.
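The esxcli steps above, combined into one script with input checks, as an added example that is not part of the original post. The function names, the script name in the usage comment, the udp/tcp/ssl protocol list and the rule that the log directory must start with /vmfs/ are assumptions of this example.

```sh
#!/bin/sh
# Added example: check the values, then run the esxcli steps described above.

# Return 0 if $1 has the form protocol://hostname:port.
# Assumptions: udp, tcp and ssl are the accepted protocols; host is a DNS
# name or IPv4 address (bracketed IPv6 literals are rejected by this check).
valid_loghost() {
    case "$1" in
        udp://*|tcp://*|ssl://*) ;;
        *) return 1 ;;
    esac
    rest=${1#*://}                            # hostname:port
    host=${rest%:*}
    port=${rest##*:}
    [ "$rest" != "$host" ] || return 1        # no ":port" part at all
    [ -n "$host" ] || return 1
    case "$host" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# $1 = log directory, $2 = remote log host.
# Returns 2 on rejected input, 1 if esxcli fails, otherwise the verify result.
apply_syslog() {
    valid_loghost "$2" || { echo "bad loghost: $2" >&2; return 2; }
    case "$1" in
        /vmfs/*) ;;                           # this example's own rule
        *) echo "logdir must start with /vmfs/: $1" >&2; return 2 ;;
    esac
    esxcli system syslog config get           # show the current settings
    esxcli system syslog config set --logdir="$1" --loghost="$2" || return 1
    esxcli system syslog reload || return 1
    # Verify: the new remote host must appear in the reloaded configuration.
    esxcli system syslog config get | grep -F -q "$2"
}

# Usage (hypothetical script name):
#   sh set-syslog.sh /vmfs/directory/path tcp://hostname:514
if [ "$#" -eq 2 ]; then
    apply_syslog "$1" "$2"
fi
```

A non-zero exit status means the host was left unchanged (status 2) or the new remote host did not show up in the reloaded configuration.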