Wednesday, September 10, 2014

Syslog on ESXi 5.0 Hosts

So you want to enable syslog on your ESXi 5.0 hosts? Or you just want to read a blogpost about doing that? Either way is cool with me.

Setting up syslog is easy to do. But doing so requires some attention to detail, because this change is enabled in several places via the vSphere Client. In short form:
  1. Configuring syslog in the host's Advanced Options screen
  2. Configuring the firewall rules for your ESXi hosts
I'll show you the click-happy way to do this, then we'll do a little PowerCLI that will do the same thing while you go get some coffee.

Configuring syslog in the host's Advanced Options screen

The Config.HostAgent.log.level screen
You'll need to configure, at a minimum, three advanced options for each host that will be sending syslog: the hostAgent log level, the Vpxa config log level, and the remote syslog host. Start by selecting your host, then clicking the Configuration tab, and dig into the juicy advanced settings.

Your first stop is to set your logging level for the Config.HostAgent.log.level property. See the image to the right for available options. I suggest using warning; info might be more logging information than you need. However, some environments may elect to capture as much data as possible and filter it at the syslog server level. That's fine, too. Just be prepared for a non-trivial increase in logging when you go to info or higher.
The Vpx.Vpxa.config.log.level screen

Next, we need to do the same for the vCenter agent (aka Vpx.Vpxa.config.log.level) logging level. Check the screenshot to the right for the exact location. The same advice applies here: set it to warning, unless you really need more logging information.

You'll be tempted to check your syslog host for log data at this point. Don't. You'll only be disappointed, and perhaps slightly confused. Because the trusty ESXi firewall is dutifully blocking syslog traffic. So let's fix that.

Configuring the firewall rules for your ESXi hosts

The trusty ESXi Firewall settings screen
On your Configuration tab, click the Security Profile option, and select the Firewall's Properties. Scroll down a bit, and you'll see that the option for syslog is unchecked. Easy fix: click the empty box to the left of syslog, and then click OK. You'll see a task in the vSphere client that says, "Opening firewall port." And when it's done, you're done. Easy. But damn that's a lot of clicking. There's got to be an easier way, right? Right?

The Easier Way - PowerCLI

You're damned right there's an easier way. Just launch PowerCLI (or alt-tab to it, since you shouldn't ever close PowerCLI anyway) and let's see how easy this is.

Here's the command you'll want to use to configure syslog. It will configure every host in your vCenter Server (via the get-vmhost cmdlet) to use the "warning" log level for your Host and vCenter agent logging, and will send syslog to the host at (probably not what you want, so make sure to change this to your syslog server).

Now, we just need a one-liner to open up that firewall rule for syslog. Easy.

Aaaaaaand you're done. But did you notice that warning in PowerCLI about the set-VMHostAdvancedConfiguration cmdlet being deprecated? Yeah, me too. But I'll write that up tomorrow. It's time for baseball practice.