Centralized rsyslog with ESXi 5.x hosts

One of the most important things in any environment is the syslog server. A centralized host to keep all the debug, runtime, and access information to be sent to your Kibana/Logstash or Splunk implementations will make any sysadmins life easier. The walk-through below sets up a central server running rsyslog, accepting logs on 514 from TCP and UDP, as well as placing them in dated folders for easier organization. Let’s dive in:

Create a dump folder for your syslog structure:

Edit /etc/rsyslog.conf and remove the comments for TCP and UDP reception as well as change receiving port to your liking:

Create a conf file within /etc/rsyslog.d (e.g. daily_log.conf) and define the daily rotation:

Recycle the rsyslog service:

That covers the syslog server side of things, now to get rid of that annoying ‘system logs are not on persistent storage’ warning.

You can add this info to a host profile and apply it against all your hosts if your environment is large, but for example purposes, this will be a one-off host. You can also easily set this up via pCLI script.

Display your current settings:

Adjust syslog settings:

Recycle ESXi syslog service:

Open up syslog ports on ESXi firewall:

And that’s it! Now on your syslogd server, you should see a directory path similar to /var/log/syslogd/year/month/day/hosts*.log

From here on out, you can point all of your log analyzers to the centralized syslog server and keep an eye on your ESXi hosts. Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.