Starting with ESXi 8.0, the format of log files is standardized and is expressed in Augmented Backus-Naur Form (ABNF).
In ESXi 8.0, log files are written either directly, from a single service such as VMX, or indirectly, when logs from a service are submitted to a syslog. For example, VMX always writes log messages in the vmware.log file of each virtual machine. To spare system resources, VMX does not submit log messages to the syslog. On the other hand, in some log files that vmsyslogd generates, you see messages from multiple programs, because the ESXi syslog daemon creates and manages all log files, and messages to these files, from multiple services.
Format for direct log messages:
Parameter | Value |
LOG-MSG | HEADER SP MSG |
HEADER | TIMESTAMP SP SEVERITY SP THREAD-NAME SP OPID |
TIMESTAMP | FULL-DATE T FULL-TIME (Complies with RFC 5424, with the requirement for UTC/GMT formatting and resolution in milliseconds, or more granular where possible.) |
FULL-DATE | DATE-FULLYEAR - DATE-MONTH - DATE-MDAY |
DATE-FULLYEAR | 4DIGIT |
DATE-MONTH | 2DIGIT ; 01-12 |
DATE-MDAY | 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on month/year |
FULL-TIME | TIME-HOUR : TIME-MINUTE : TIME-SECOND[TIME-SECFRAC] Z |
TIME-HOUR | 2DIGIT ; 00-23 |
TIME-MINUTE | 2DIGIT ; 00-59 |
TIME-SECOND | 2DIGIT ; 00-59 |
TIME-SECFRAC | '.' 1*6DIGIT |
SEVERITY | SEVERITY-STRING SEVERITY-VALUE [LINE-MARKER] |
SEVERITY-STRING | Em / Al / Cr / Er / Wa / No / In / Db (The 8 severity levels specified in RFC 5424 are abbreviated as follows:) |
SEVERITY-VALUE | ( *DIGIT ) (The SEVERITY-VALUE is an optional expression of the numeric value associated with the SEVERITY-STRING. This allows levels supported by a logger to be collapsed into the 8 required strings with no loss of information (e.g. Db(5) - debug, level 5).) |
LINE-MARKER | + (The LINE-MARKER is added to each subsequent line generated from a multi-line submission. It identifies multiline submissions and prevents a log injection security attack.) |
NILVALUE | - (A single-threaded program might not have a thread name, so NILVALUE is acceptable.) |
THREAD-NAME | NILVALUE / 1*32PRINTUSASCII (The component (APP-NAME) is implied when a single program writes the file and no component field is necessary, only the thread name.) |
OPID | NILVALUE / 1*128UTF-8-STRING |
STRUCTURED-DATA | 1*SD-ELEMENT |
SD-ELEMENT | [ SD-ID *(SP SD-PARAM) ] |
SD-PARAM | PARAM-NAME %d34 PARAM-VALUE %d34 |
SD-ID | SD-NAME |
PARAM-NAME | SD-NAME |
PARAM-VALUE | UTF-8-STRING ; characters '"', '\' and ']' MUST be escaped. |
SD-NAME | 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (") |
MSG | [STRUCTURED-DATA SP] UTF-8-STRING |
Format for log files that the vmsyslogd service manages:
Parameter | Value |
LOG-MSG | HEADER SP MSG |
HEADER | TIMESTAMP SP SEVERITY SP APP-NAME [PROC-IDENTIFIER] : |
APP-NAME | 1*32PRINTUSASCII |
PROC-IDENTIFIER | [ *DIGITS ] ; the PID associated with APP-NAME |
TIMESTAMP | FULL-DATE T FULL-TIME (resolution in milliseconds or more granular where possible.) |
FULL-DATE | DATE-FULLYEAR - DATE-MONTH - DATE-MDAY |
DATE-FULLYEAR | 4DIGIT |
DATE-MONTH | 2DIGIT ; 01-12 |
DATE-MDAY | 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on month/year |
FULL-TIME | TIME-HOUR : TIME-MINUTE : TIME-SECOND[TIME-SECFRAC] Z |
TIME-HOUR | 2DIGIT ; 00-23 |
TIME-MINUTE | 2DIGIT ; 00-59 |
TIME-SECOND | 2DIGIT ; 00-59 |
TIME-SECFRAC | '.' 1*6DIGIT |
SEVERITY-STRING | Em / Al / Cr / Er / Wa / No / In / Db (The 8 severity levels specified in RFC 5424 are abbreviated as follows:) |
SEVERITY | SEVERITY-STRING PRI-STRING [LINE-MARKER] |
PRIVAL | 1*3DIGIT ; range 0 .. 191 (the MSG PRI; contains facility and severity values, ORed together) |
PRI-STRING | ( PRIVAL ) (The PRIVAL contains the bits from the message PRI. This allows one to see the Facility of the message, as well as the severity bits themselves.) |
LINE-MARKER | + (The LINE-MARKER is added to each subsequent line generated from a multi-line submission. It identifies multiline submissions and prevents a log injection security attack.) |
STRUCTURED-DATA | 1*SD-ELEMENT |
SD-ELEMENT | [ SD-ID *(SP SD-PARAM) ] |
SD-PARAM | PARAM-NAME %d34 PARAM-VALUE %d34 |
SD-ID | SD-NAME |
PARAM-NAME | SD-NAME |
PARAM-VALUE | UTF-8-STRING ; characters '"', '\' and ']' MUST be escaped. |
SD-NAME | 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (") |
MSG | [STRUCTURED-DATA SP] UTF-8-STRING |
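The following Python sketch is an added example, not VMware code. It validates lines against the vmsyslogd-managed format above, splits PRIVAL into facility and severity, and folds LINE-MARKER lines back into their parent record so that text inside a multi-line submission is never read as a separate entry. The function names, the sample lines, and the check that the low three bits of PRIVAL match SEVERITY-STRING are assumptions made for illustration.

```python
import re
from datetime import datetime

SEVERITIES = ("Em", "Al", "Cr", "Er", "Wa", "No", "In", "Db")  # RFC 5424 levels 0..7

# HEADER SP MSG, following the vmsyslogd table above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{1,6})?Z) "
    r"(?P<sev>[A-Z][a-z])\((?P<prival>\d{1,3})\)(?P<cont>\+)? "
    r"(?P<app>[\x21-\x7e]{1,32}?)(?:\[(?P<pid>\d*)\])?: (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None if it violates the grammar."""
    m = LINE_RE.match(line)
    if not m or m["sev"] not in SEVERITIES:
        return None
    try:  # rejects impossible calendar dates and times (month 13, Feb 30, hour 24)
        datetime.strptime(m["ts"][:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    prival = int(m["prival"])
    # Assumed consistency check: the low 3 bits of PRIVAL are the severity level.
    if prival > 191 or SEVERITIES[prival & 7] != m["sev"]:
        return None
    return {"ts": m["ts"], "severity": m["sev"], "facility": prival >> 3,
            "app": m["app"], "pid": m["pid"], "continuation": bool(m["cont"]),
            "lines": [m["msg"]]}

def group_records(lines):
    """Fold LINE-MARKER ('+') lines into their parent; collect rejects separately."""
    records, rejected = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec["continuation"] and not records):
            rejected.append(line)  # malformed, or a continuation with no parent
        elif rec["continuation"]:
            records[-1]["lines"].append(rec["lines"][0])
        else:
            records.append(rec)
    return records, rejected

# Constructed sample: line 2 is a continuation whose text imitates a header.
SAMPLE = [
    "2024-05-01T10:15:30.123Z In(166) Hostd[2099731]: User input: alice",
    "2024-05-01T10:15:30.123Z In(166)+ Hostd[2099731]: 2024-05-01T10:15:31.000Z Al(105) vmauthd[1]: forged entry",
    "2024-05-01T10:15:32.5Z Wa(180) Hostd[2099731]: disk latency high",
    "not a log line",
]
```

Running `group_records(SAMPLE)` yields two records; the header-like text on the second line stays attached to the first record as message content, and the free-form line is returned in the rejected list for review.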
Audit Records
ESXi audit records, with facility code 13, comply with both the RFC 3164 and RFC 5424 formats, and you find them in the structured data section. In the audit record, you also find event-based traceability information when such data is available. Audit records are stored in a special format, not in a regular log file. You can access audit records locally by using the viewAudit program and the Virtual Infrastructure Management functionality FetchAuditRecords. Do not read, use, or edit an audit record storage file directly. Locally stored audit records comply with the RFC 5424 transmission format, where the HOSTNAME and MSGID are always NILVALUE.