One of the most important things in any environment is the syslog server. A centralized host that keeps all the debug, runtime, and access information and forwards it to your Kibana/Logstash or Splunk implementation will make any sysadmin's life easier. The walk-through below sets up a central server running rsyslog, accepting logs on port 514 over both TCP and UDP, and placing them in dated, per-host folders for easier organization. Let's dive in:
Create a dump folder for your syslog structure:
    mkdir /var/log/syslogd
Edit /etc/rsyslog.conf and uncomment the lines for TCP and UDP reception, changing the receiving port if you prefer something other than 514:
    # Provides UDP syslog reception
    $ModLoad imudp
    $UDPServerRun 514

    # Provides TCP syslog reception
    $ModLoad imtcp
    $InputTCPServerRun 514
Create a conf file within /etc/rsyslog.d (e.g. daily_log.conf) that defines a template placing each day's messages in a year/month/day directory, one file per sending host:
    # Log remote messages by date & hostname
    $template DailyPerHostLogs,"/var/log/syslogd/%$YEAR%/%$MONTH%/%$DAY%/%HOSTNAME%_messages.log"
    *.info;mail.none;authpriv.none;cron.none -?DailyPerHostLogs
Recycle the rsyslog service:
    service rsyslog restart
That covers the syslog server side of things; now to get rid of that annoying 'system logs are not on persistent storage' warning on the ESXi hosts.
You can add these settings to a host profile and apply it against all your hosts if your environment is large, but for example purposes this will be a one-off host. You can also easily script this via pCLI.
Display your current settings:
    esxcli system syslog config get
Adjust the syslog settings, pointing the log host at your rsyslog server (the --logdir-unique flag gives each host its own subdirectory if you also log to a shared datastore):
    esxcli system syslog config set --loghost='tcp://your_syslogd_ip:514' --logdir-unique=true
Recycle ESXi syslog service:
    esxcli system syslog reload
Open up syslog ports on ESXi firewall:
    esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli network firewall refresh
And that's it! On your syslogd server you should now see a directory path similar to /var/log/syslogd/<year>/<month>/<day>/<hostname>_messages.log for each ESXi host.
From here on out, you can point all of your log analyzers to the centralized syslog server and keep an eye on your ESXi hosts. Cheers!