You can define the behavior of ESXi syslog files and transmissions by using a set of syslog options.

Apart from the base settings, such as Syslog.global.logHost, starting from ESXi 7.0 Update 1, a list of advanced options is available for customizations, and NIAP compliance.

Note: All audit record settings, beginning with Syslog.global.auditRecord, take effect immediately. However, for other settings that you define by using ESXCLI, make sure to run the esxcli system syslog reload command to enable the changes.
Table 1. Legacy Syslog Options
Option ESXCLI command Description
Syslog.global.logHost

esxcli system syslog config set --loghost=<str>

Defines a comma-delimited list of remote hosts and specifications for message transmissions. If the loghost=<str> field is blank, no logs are forwarded. While no hard limit to the number of remote hosts to receive syslog messages exists, good practice is to keep the number of remote hosts to five or less. The format of a remote host specification is: protocol://hostname|ipv4|'['ipv6']'[:port]. The protocol must be one of TCP, UDP, or SSL. The value of a port can be any decimal number from 1 through 65535. If a port is not provided, SSL and TCP use 1514. UDP uses 514. For example: ssl://hostName1:1514.
Syslog.global.defaultRotate esxcli system syslog config set --default-rotate=<long> Maximum number of old log files to keep. You can set this number globally and for individual subloggers (see Syslog.global.defaultSize).
Syslog.global.defaultSize esxcli system syslog config set --default-size=<long> Default size of log files, in KiB. After a file reaches the default size, the syslog service creates a new file. You can set this number globally and for individual subloggers.
Syslog.global.logDir esxcli system syslog config set --logdir=<str> Directory where logs reside. The directory can be on mounted NFS or VMFS volumes. Only the /scratch directory on the local file system is persistent across reboots. Specify the directory as [datastorename] path_to_file, where the path is relative to the root of the volume backing the datastore. For example, the path [storage1] /systemlogs maps to the path /vmfs/volumes/storage1/systemlogs.
Syslog.global.logDirUnique esxcli system syslog config set --logdir-unique=<bool> Specifies the ESXi host name to be concatenated to the value of Syslog.global.logDir. It is critical that you enable this setting when multiple ESXi hosts log to a shared file system. Selecting this option creates a subdirectory with the name of the ESXi host under the directory specified by Syslog.global.LogDir. A unique directory is useful if the same NFS directory is used by multiple ESXi hosts.
Syslog.global.certificate.checkSSLCerts esxcli system syslog config set --check-ssl-certs=<bool> Enforces checking of SSL certificates when transmitting messages to remote hosts.
Table 2. Syslog Options Available Starting from ESXi 7.0 Update 1
Option ESXCLI command Description
Syslog.global.auditRecord.storageCapacity esxcli system auditrecords local set --size=<long> Specifies the capacity of the audit record storage directory located on the ESXi host, in MiB. You cannot decrease the capacity of the audit record storage. You can increase the capacity before or after the audit record storage is enabled (see Syslog.global.auditRecord.storageEnable).
Syslog.global.auditRecord.remoteEnable esxcli system auditrecords remote enable Enables sending audit records to remote hosts. Remote hosts are specified by using the Syslog.global.logHost parameter.
Syslog.global.auditRecord.storageDirectory esxcli system auditrecords local set --directory=<dir> Specifies the location of the audit record storage directory. You cannot change the audit record storage directory while audit record storage is enabled (see Syslog.global.auditRecord.storageEnable).
Syslog.global.auditRecord.storageEnable esxcli system auditrecords local enable Enables the storage of audit records on an ESXi host. If the audit record storage directory does not exist, it is created with the capacity specified by Syslog.global.auditRecord.storageCapacity.
Syslog.global.certificate.checkCRL esxcli system syslog config set --crl-check=<bool> Enables checking the revocation status of all the certificates in an SSL certificate chain.

Enables verification of X.509 CRLs, which are not checked by default in compliance with industry conventions. A NIAP-validated configuration requires CRL checks. Due to implementation limitations, if CRL checks are enabled, then all certificates in a certificate chain must provide a CRL link.

Do not enable the crl-check option for installations not related to certification, because of the difficulty in properly configuring an environment that uses CRL checks.

Syslog.global.certificate.strictX509Compliance esxcli system syslog config set --x509-strict=<bool> Enables strict compliance with X.509. Performs additional validity checks on CA root certificates during verification. These checks are generally not performed, as CA roots are inherently trusted, and might cause incompatibilities with existing, misconfigured CA roots. A NIAP-validated configuration requires even CA roots to pass validations.

Do not enable the x509-strict option for installations not related to certification, because of the difficulty in properly configuring an environment that uses CRL checks.

Syslog.global.droppedMsgs.fileRotate esxcli system syslog config set --drop-log-rotate=<long> Specifies the number of old dropped message log files to keep.
Syslog.global.droppedMsgs.fileSize esxcli system syslog config set --drop-log-size=<long> Specifies the size of each dropped message log file before switching to a new one, in KiB.
Syslog.global.logCheckSSLCerts esxcli system syslog config set --check-ssl-certs=<bool> Enforces checking of SSL certificates when transmitting messages to remote hosts.
Note: Deprecated. Use Syslog.global.certificate.checkSSLCerts in ESXi 7.0 Update 1 and later.
Syslog.global.logFilters esxcli system syslog logfile [add | remove | set] ... Specifies one or more log filtering specifications. Each log filter must be separated by a double vertical bar "||". The format of a log filter is: numLogs | ident | logRegexp. numLogs sets the maximum number of log entries for the specified log messages. After reaching this number, the specified log messages are filtered and ignored. ident specifies one or more system components to apply the filter to the log messages that these components generate. logRegexp specifies a case-sensitive phrase with Python regular expression syntax to filter the log messages by their content.
Syslog.global.logFiltersEnable Enables the use of log filters.
Syslog.global.logLevel esxcli system config set --log-level=<str> Specifies the log filtering level. You must change this parameter only when troubleshooting an issue with the syslog daemon. You can use the values debug for the most detailed level, info for the default detail level, warning for only warnings or errors, or error, only for errors.
Syslog.global.msgQueueDropMark esxcli system syslog config --queue-drop-mark=<long>) Specifies the percent of the message queue capacity at which messages are dropped.
Syslog.global.remoteHost.connectRetryDelay esxcli system syslog config set --default-timeout=<long> Specifies the delay before retrying to connect to a remote host after a connection attempt fails, in seconds.
Syslog.global.remoteHost.maxMsgLen esxcli system syslog config set --remote-host-max-msg-len=<long> For the TCP and SSL protocols, this parameter specifies the maximum length of a syslog transmission before truncation occurs, in bytes. The default maximum length for remote host messages is 1 KiB. You can increase the maximum message length to up to 16 KiB. However, raising this value above 1 KiB does not ensure that long transmissions arrive untruncated to a syslog collector. For example, when the syslog infrastructure that issues a message is external to ESXi.

RFC 5426 sets the maximum message transmission length for the UDP protocol to 480 bytes for IPV4 and 1180 bytes for IPV6.

Syslog.global.vsanBacking esxcli system syslog config set --vsan-backing=<bool> Allows log files and the audit record storage directory to be placed on a vSAN cluster. However, enabling this parameter might cause the ESXi host to become unresponsive.