Syslog is an important service in any enterprise architecture, and can even be business critical in some applications (think security, time-sensitive logging, etc.). To that end, VMware has recently made a play in the big data / log collection game with Log Insight (which is awesome, and if you haven’t tried it, GO DOWNLOAD THE EVAL NOW).
Regardless of what Syslog collector you are using (vCenter Integrated, Log Insight, Splunk, etc), there are a few non-default things that you will need to do to ensure persistent and reliable logging from ESXi 5.x hosts.
First off, note that depending on your patch level, if any of the following happen, the syslog service may not reconnect to your syslog collector, and logs may be missed (sounds important, eh?):
- The network connection has been interrupted.
- The remote host has closed the connection.
- A firewall is preventing the logs from being sent.
- The remote syslog server is not available.
To remediate these issues, check out the two articles below, and patch accordingly.
Lastly, I want to highlight VMware’s recommendation in the first article:
Once you have updated all your hosts to the versions listed below, we recommend using TCP or SSL. Without TCP, log message loss due to buffer overflows in network devices and network stacks may happen without detection.
This also sounds important, and it is, as the default log transport in ESXi is UDP (i.e. if you just type the IP or host name, logging will default to udp://).
To remediate this, simply add the tcp:// (or ssl://) prefix before your log host's FQDN or IP address, so that your syslog.global.loghost entry takes the form tcp://<your syslog FQDN or IP> rather than a bare host name.
Final Note: You can configure multiple syslog servers by making syslog.global.loghost comma-delimited.
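As an added example (not from the original post, and not a VMware-supplied script), here is a POSIX shell script for the ESXi 5.x shell that covers both points above: it rewrites a comma-delimited syslog.global.loghost value so that every collector entry carries a reliable transport prefix (bare hosts get tcp://, udp:// entries are converted to tcp://, ssl:// entries are kept), reports whether the host's current value still relies on UDP, and applies the corrected value with esxcli (the syslog config commands, the syslog firewall ruleset and the reload are standard ESXi 5.x esxcli namespaces). The host names and addresses in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Run in the ESXi 5.x shell (or via
# SSH). It rewrites a syslog.global.loghost value so every collector entry uses
# tcp:// (udp:// entries are converted, ssl:// entries are kept), then applies
# it with esxcli. Host names and addresses used here are constructed placeholders.

# trim: strip leading/trailing whitespace from one entry
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# normalize_loghost LIST: echo the comma-delimited LIST with a reliable
# transport prefix on every entry. A bare host or IP would default to udp://
# on ESXi, so it gets tcp:// prepended; udp:// is rewritten to tcp://.
normalize_loghost() {
    out=""
    oldifs=$IFS
    IFS=','
    for entry in $1; do
        IFS=$oldifs
        entry=$(trim "$entry")
        case "$entry" in
            "")              continue ;;                      # skip empty fields
            tcp://*|ssl://*) ;;                               # already reliable
            udp://*)         entry="tcp://${entry#udp://}" ;; # UDP -> TCP
            *)               entry="tcp://$entry" ;;          # bare host would be UDP
        esac
        out="${out:+$out,}$entry"
    done
    IFS=$oldifs
    printf '%s' "$out"
}

# needs_fix LIST: succeed (exit 0) if any entry would still use UDP, i.e. the
# host is exposed to the silent message loss the VMware note describes.
needs_fix() {
    oldifs=$IFS
    IFS=','
    for entry in $1; do
        IFS=$oldifs
        entry=$(trim "$entry")
        case "$entry" in
            ""|tcp://*|ssl://*) ;;
            *) return 0 ;;
        esac
    done
    IFS=$oldifs
    return 1
}

# current_loghost: read the value configured on this host (needs esxcli)
current_loghost() {
    esxcli system syslog config get | sed -n 's/^ *Remote Host: *//p'
}

# apply_loghost LIST: set the normalised value, make sure the outbound syslog
# firewall ruleset is open, and reload vmsyslogd so the change takes effect.
apply_loghost() {
    target=$(normalize_loghost "$1")
    esxcli system syslog config set --loghost="$target"
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli system syslog reload
    echo "Remote Host now: $(current_loghost)"
}

# Usage on a host (placeholder collector names):
#   sh fix-syslog.sh --audit    # exit 2 if the current value still uses UDP
#   sh fix-syslog.sh --apply "loginsight.example.com,udp://10.0.0.5:514"
case "${1:-}" in
    --audit)
        cur=$(current_loghost)
        if needs_fix "$cur"; then
            echo "UDP transport in use: $cur"
            exit 2
        fi
        echo "OK: $cur"
        ;;
    --apply)
        apply_loghost "$2"
        ;;
esac
```

The --audit mode is the piece worth running across a fleet: a non-zero exit means the host still has at least one collector on UDP, which is exactly the configuration VMware warns can drop messages without any indication at the collector.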