All ESXi hosts run a syslog service, which logs messages from the VMkernel and other system components to local files or to a remote host.

You can use the vSphere Client or the esxcli system syslog command to configure the following parameters of the syslog service.

  • Remote host and port - Remote host to which syslog messages are forwarded and port on which the remote host receives syslog messages. The remote host must have a log listener service installed and correctly configured to receive the forwarded syslog messages. See the documentation for the syslog service installed on the remote host for information on configuration.
  • Transport protocol - Logs can be sent by using UDP, which is the default, TCP, or SSL transports.
  • Local logging directory - Directory where local copies of the logs are stored. The directory can be located on mounted NFS or VMFS volumes. Only the /scratch directory on the local file system is persistent across reboots.
  • Unique directory name prefix - Setting this option to true creates a subdirectory with the name of the ESXi host under the specified logging directory. This method is especially useful if the same NFS directory is used by multiple ESXi hosts.
  • Log rotation policies - Sets maximum log size and the number of archives to keep. You can specify policies both globally, and for individual subloggers. For example, you can set a larger size limit for the vmkernel log.

After making configuration changes, restart the vmsyslogd syslog service by running esxcli system syslog reload.

For audit events, you should use syslog with either TCP on port 514 or TLS on port 1514. To use unencrypted syslog, you must prefix the entry with tcp://. To use encrypted syslog through the TLS protocol, you must prefix the entry with ssl://. For security reasons, you should use the TLS protocol for communications. To use the TLS protocol, you must load a public CA certificate onto ESXi that is suitable for the syslog server.

The esxcli system syslog command allows you to configure the logging behavior of your ESXi system. You can manage the top-level logger and subloggers. The command has the following options.

Option - Description

mark - Marks all logs with the specified string.

reload - Reloads the configuration, and updates any changed configuration values.

config get - Retrieves the current configuration.

config set - Sets the configuration. Use one of the following options.
  • --logdir=<path> – Saves logs to a given path.
  • --loghost=<host> – Sends logs to a given host.
  • --logdir-unique=<true|false> – Specifies whether the log should go to a unique subdirectory of the directory specified in logdir.
  • --default-rotate=<int> – Default number of log rotations to keep.
  • --default-size=<int> – Size before rotating logs, in KB.

config logger list - Shows currently configured subloggers.

config logger set - Sets configuration options for a specific sublogger. Use one of the following options.
  • --id=<str> – ID of the logger to configure. Required.
  • --reset=<str> – Resets values to default.
  • --rotate=<long> – Number of rotated logs to keep for a specific logger. Requires --id.
  • --size=<long> – Size of logs before rotation for a specific logger, in KB. Requires --id.

esxcli system syslog Usage

The following workflow illustrates how you might use esxcli system syslog for log configuration. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

  1. Show configuration options.
    esxcli <conn_options> system syslog config get
    Default Rotation Size: 1024
    Default Rotations: 8
    Log Output: /scratch/log
    Logto Unique Subdirectory: false
    Remote Host: <none>
  2. Set all logs to keep twenty rotations before overwriting the oldest log.
    esxcli <conn_options> system syslog config set --default-rotate=20
  3. Set the rotation policy for VMkernel logs to 10 rotations, rotating at 2 MB.
    esxcli <conn_options> system syslog config logger set --id=vmkernel --size=2048 --rotate=10
  4. Send logs to remote host myhost.mycompany.com. The logs will use the default transport (UDP) and port (514).
    esxcli <conn_options> system syslog config set --loghost='myhost.mycompany.com'
  5. Save the local copy of logs to /scratch/mylogs and send another copy to the remote host.
    esxcli <conn_options> system syslog config set --loghost='tcp://myhost.mycompany.com:1514' --logdir='/scratch/mylogs'
    You can set the directory on the remote host by configuring the client running on that host. You can use the vSphere Client to redirect system logs to a remote host by changing the System.global.logHost advanced setting.
  6. Send a log message to all logs simultaneously.
    esxcli <conn_options> system syslog mark --message="this is a message!"
  7. Reload the syslog daemon and apply configuration changes.
    esxcli <conn_options> system syslog reload
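
The following script is an added example, not part of the original documentation or of VMware's tooling. It audits the output of esxcli system syslog config get against the transport and persistence guidance above. The function names, the comma-separated host list, the /vmfs/volumes mount prefix, and the sample input are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not VMware code). Audits the text printed by
# `esxcli system syslog config get`, read on stdin. Field names follow the
# sample output in step 1; other ESXi builds may label them differently.

# Classify a loghost entry by prefix. No prefix means the default, UDP.
loghost_transport() {
    case "$1" in
        ssl://*) echo ssl ;;
        tcp://*) echo tcp ;;
        *)       echo udp ;;
    esac
}

# Prints one line per check; the return status is the number of findings.
audit_syslog_config() {
    cfg=$(cat)
    hosts=$(printf '%s\n' "$cfg" | sed -n 's/^ *Remote Host: *//p' | tr -d ' ')
    logdir=$(printf '%s\n' "$cfg" | sed -n 's/^ *Log Output: *//p')
    findings=0
    if [ -z "$hosts" ] || [ "$hosts" = "<none>" ]; then
        echo "FAIL no remote host: logs exist only on the ESXi host itself"
        findings=$((findings + 1))
    else
        old_ifs=$IFS; IFS=,   # assumption: several hosts are comma-separated
        for h in $hosts; do
            case "$(loghost_transport "$h")" in
                ssl) echo "OK   $h uses TLS" ;;
                tcp) echo "WARN $h uses unencrypted TCP"; findings=$((findings + 1)) ;;
                udp) echo "WARN $h uses unencrypted UDP"; findings=$((findings + 1)) ;;
            esac
        done
        IFS=$old_ifs
    fi
    case "$logdir" in
        # assumption: NFS and VMFS volumes are mounted under /vmfs/volumes
        /scratch|/scratch/*|/vmfs/volumes/*) echo "OK   local logs in $logdir" ;;
        *) echo "WARN '$logdir' may not persist across reboots"; findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: the configuration as it would look after step 5.
sample_config() {
    printf '%s\n' 'Default Rotation Size: 1024' 'Default Rotations: 20' \
        'Log Output: /scratch/mylogs' 'Logto Unique Subdirectory: false' \
        'Remote Host: tcp://myhost.mycompany.com:1514'
}
sample_config | audit_syslog_config || echo "$? finding(s)"
```

On a live host, pipe the real command output into audit_syslog_config in place of sample_config.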