The log filtering capability lets you modify the logging policy of the syslog service that is running on an ESXi host. You can create log filters to reduce the number of repetitive entries in the ESXi logs and to denylist specific log events entirely.

Log filters affect all log events that are processed by the ESXi host vmsyslogd daemon, whether they are recorded to a log directory or to a remote syslog server.

When you create a log filter, you set a maximum number of log entries for log messages that are generated by one or more specified system components and that match a specified phrase. You must enable the log filtering capability and reload the syslog daemon to activate the log filters on the ESXi host.
Important: Setting a limit on the amount of logging information restricts your ability to troubleshoot potential system failures properly. If a log rotate occurs after the maximum number of log entries is reached, you might lose all instances of a filtered message.

Procedure

  1. Log in to the ESXi Shell as root.
  2. In the /etc/vmware/logfilters file, add the following entry to create a log filter.
    numLogs | ident | logRegexp
    where:
    • numLogs sets the maximum number of log entries for the specified log messages. After reaching this number, the specified log messages are filtered and ignored. Use 0 to filter and ignore all the specified log messages.
    • ident specifies one or more system components. The filter applies to the log messages that these components generate. For information about the system components that generate log messages, see the values of the idents parameters in the syslog configuration files. The files are located in the /etc/vmsyslog.conf.d directory. Use a comma-separated list to apply a filter to more than one system component. Use * to apply a filter to all system components.
    • logRegexp specifies a case-sensitive phrase with Python regular expression syntax to filter the log messages by their content.
    For example, to set a limit of a maximum of two log entries from the hostd component for messages that resemble the SOCKET connect failed, error 2: No such file or directory phrase with any error number, add the following entry:
    2 | hostd | SOCKET connect failed, error .*: No such file or directory
    Note: A line starting with # denotes a comment and the rest of the line is ignored.
  3. In the /etc/vmsyslog.conf file, add the following entry to enable the log filtering capability.
    enable_logfilters = true
  4. Run the esxcli system syslog reload command to reload the syslog daemon and apply the configuration changes.
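
The following is an added example, not VMware code: a Python dry run that parses logfilters entries and reports which sample events would remain, so a filter can be reviewed before it is placed on a host. Assumptions: whitespace around | is trimmed, the pattern may match anywhere in the message, and entries are counted per filter; the second filter entry and the sample events are constructed.

```python
import re
from collections import namedtuple

LogFilter = namedtuple("LogFilter", "num_logs idents regex")

def parse_logfilters(text):
    """Parse 'numLogs | ident | logRegexp' entries; lines starting with # are comments."""
    filters = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps a '|' alternation inside logRegexp intact.
        parts = [p.strip() for p in line.split("|", 2)]
        if len(parts) != 3 or not parts[0].isdigit():
            raise ValueError(f"line {lineno}: expected 'numLogs | ident | logRegexp'")
        idents = frozenset(i.strip() for i in parts[1].split(","))
        filters.append(LogFilter(int(parts[0]), idents, re.compile(parts[2])))
    return filters

def apply_filters(filters, events):
    """Return the (ident, message) events that survive the filters."""
    seen = [0] * len(filters)
    kept = []
    for ident, msg in events:
        drop = False
        for i, f in enumerate(filters):
            # Assumption: the pattern may match anywhere in the message.
            if ("*" in f.idents or ident in f.idents) and f.regex.search(msg):
                seen[i] += 1
                drop = drop or seen[i] > f.num_logs
        if not drop:
            kept.append((ident, msg))
    return kept

def denylist_entries(filters):
    """Filters with numLogs 0 drop every match; list them for review."""
    return [f for f in filters if f.num_logs == 0]

# Constructed sample input; the first filter entry is the page's example.
SAMPLE_FILTERS = """\
# limit noisy hostd socket errors
2 | hostd | SOCKET connect failed, error .*: No such file or directory
0 | vpxa,hostd | heartbeat (ok|alive)
"""
SAMPLE_EVENTS = [
    ("hostd", "SOCKET connect failed, error 2: No such file or directory"),
    ("hostd", "SOCKET connect failed, error 13: No such file or directory"),
    ("hostd", "SOCKET connect failed, error 2: No such file or directory"),
    ("hostd", "socket connect failed, error 2: No such file or directory"),
    ("vpxa", "heartbeat ok"),
    ("vmkernel", "heartbeat alive"),
]
```

In the sample, the third matching hostd message and the vpxa heartbeat are dropped, while the lowercase variant and the vmkernel message are kept because the phrase is case-sensitive and the ident does not match.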