Starting with ESXi 8.0,the syslog service uses three parameters to define messages and audit records - protocol, formatting, and framing.
The supported protocols are UDP, TCP, and TLS (SSL). Formatting of syslog messages is defined by either RFC 3164 or RFC 5424. Framing specifies how a message is encapsulated. Framing of encapsulated messages is defined as transparent, also called octet_counting, or non-transparent, if a message is not encapsulated. Transparent framing ensures that new lines embedded in a message do not confuse a syslog collector. Syslog messages sent by using the UDP protocol are considered transparently framed; a syslog collector is expected to understand this and accept the transmission as a single message.
RFC 3164 sets the maximum total length of a syslog message at 1024 bytes, while RFC 5424 specifies that syslog messages of length 2048 or less should be safely accepted. Modern systems generally accept messages longer than these specifications, but you need to confirm the actual maximum length with the specific syslog infrastructure and parameters of your environment.
The default maximum length for remote host messages in ESXi is 1 KiB. You can increase the maximum message length to up to 16 KiB. However, raising this value above 1 KiB does not ensure that long transmissions arrive untruncated to a syslog collector. For example, when the syslog infrastructure external to ESXi has a maximum message length less than the maximum message length of ESXi.
Syslog messages that the vmsyslogd transmits consist of structured data, a property list formatted in compliance with RFC 5424, and free format, or unstructured, data.
When a message is longer than the maximum length, ESXi 8.0 mitigates the message, trying to preserve as much of the structured data as possible.
When a message is mitigated, three parameters are either added to existing structured data or structured data is created to contain these parameters: msgModified, remoteHostMaxMsgLen, and originalLen .
The msgModified parameter indicates how the mitigation impacts the message: only structured data, only unstructured data, or both.
The remoteHostMaxMsgLen parameter specifies the maximum message length that ESXi can handle.
The originalLen parameter specifies the message length before it is mitigated.
Supported options for protocols, formatting and framing of ESXi syslog messages:
| Formatting | Framing | UDP | TCP | SSL | Comments |
|---|---|---|---|---|---|
| Unspecified | Unspecified | Supported RFC 5426 |
Supported | Supported | Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. Framing defaults to non-transparent with TCP or SSL (TLS) and embedded newlines in structured data might corrupt messages. With UDP, packets are framed. |
| Unspecified | Non_transparent | Forbidden | Supported | Supported | Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. Framing defaults to non-transparent with TCP or SSL (TLS) and embedded newlines in structured data might corrupt messages. |
| Unspecified | Octet_counting | Forbidden | Supported RFC 6587 |
Supported RFC 6587 |
Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. |
| RFC 5424 | Unspecified | Supported RFC 5426 |
Supported RFC 5425 |
Supported RFC 5424 |
Formatting of messages complies to RFC 5424. Framing defaults to octet-counting with TCP or SSL (TLS). With UDP, framing might not be explicitly specified. |
| RFC 5424 | Non_transparent | Forbidden | Not Supported | Not Supported | Not supported because embedded newlines in structured data might create corrupted messages. |
| RFC 5424 | Octet_counting | Forbidden | Supported RFC 5425 |
Supported RFC 5425 |
Formatting of messages complies to RFC 5424. |
| RFC 3164 | Unspecified | Supported RFC 5426 |
Supported | Supported | Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. Framing defaults to non-transparent with TCP or SSL (TLS) and embedded newlines in structured data might corrupt messages. With UDP, packets are framed. |
| RFC 3164 | Non_transparent | Forbidden | Supported | Supported | Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. Framing defaults to non-transparent with TCP or SSL (TLS) and embedded newlines in structured data might corrupt messages. |
| RFC 3164 | Octet_counting | Forbidden | Supported RFC 6587 |
Supported RFC 6587 |
Formatting of messages complies to RFC 3164, only timestamps are in RFC 3339 format. Structured data is prepended to each message. |
