Setting up syslog is easy to do. But doing so requires some attention to detail, because this change is enabled in several places via the vSphere Client. In short form:
- Configuring syslog in the host's Advanced Options screen
- Configuring the firewall rules for your ESXi hosts
I'll show you the click-happy way to do this, then we'll do a little PowerCLI that will do the same thing while you go get some coffee.
Configuring syslog in the host's Advanced Options screen
|The Config.HostAgent.log.level screen|
You'll need to configure, at a minimum, three advanced options for each host that will be sending syslog: the hostAgent log level, the Vpxa config log level, and the remote syslog host. Start by selecting your host, then clicking the Configuration tab, and dig into the juicy advanced settings.
Your first stop is to set your logging level for the Config.HostAgent.log.level property. See the image to the right for available options. I suggest using warning; info might be more logging information than you need. However, some environments may elect to capture as much data as possible and filter it at the syslog server level. That's fine, too. Just be prepared for a non-trivial increase in logging when you go to info or higher.
Next, we need to do the same for the vCenter agent (aka Vpx.Vpxa.config.log.level) logging level. Check the screenshot to the right for the exact location. The same advice applies here: set it to warning, unless you really need more logging information.
You'll be tempted to check your syslog host for log data at this point. Don't. You'll only be disappointed, and perhaps slightly confused. Because the trusty ESXi firewall is dutifully blocking syslog traffic. So let's fix that.
Configuring the firewall rules for your ESXi hosts
|The trusty ESXi Firewall settings screen|
The Easier Way - PowerCLI
You're damned right there's an easier way. Just launch PowerCLI (or alt-tab to it, since you shouldn't ever close PowerCLI anyway) and let's see how easy this is.
Here's the command you'll want to use to configure syslog. It will configure every host in your vCenter Server (via the get-vmhost cmdlet) to use the "warning" log level for your Host and vCenter agent logging, and will send syslog to the host at 10.0.0.1 (probably not what you want, so make sure to change this to your syslog server).
Now, we just need a one-liner to open up that firewall rule for syslog. Easy.
Aaaaaaand you're done. But did you notice that warning in PowerCLI about the set-VMHostAdvancedConfiguration cmdlet being deprecated? Yeah, me too. But I'll write that up tomorrow. It's time for baseball practice.