Starting with ESXi 8.0, the format of log files is standardized and is expressed in Augmented Backus-Naur Form (ABNF).

In ESXi 8.0, log files are written either directly, by a single service such as VMX, or indirectly, when a service submits its logs to syslog. For example, VMX always writes log messages to the vmware.log file of each virtual machine. To spare system resources, VMX does not submit log messages to syslog. On the other hand, some log files that vmsyslogd generates contain messages from multiple programs, because the ESXi syslog daemon creates and manages all log files, and the messages written to them, on behalf of multiple services.

Format for direct log messages:

Parameter Value
LOG-MSG HEADER SP MSG
HEADER TIMESTAMP SP SEVERITY SP THREAD-NAME SP OPID
TIMESTAMP FULL-DATE T FULL-TIME (Complies with RFC 5424 with the requirement for UTC/GMT formatting and resolution in milliseconds, or more granular where possible.)
FULL-DATE DATE-FULLYEAR - DATE-MONTH - DATE-MDAY
DATE-FULLYEAR 4DIGIT
DATE-MONTH 2DIGIT ; 01-12
DATE-MDAY 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on month/year
FULL-TIME TIME-HOUR : TIME-MINUTE : TIME-SECOND[TIME-SECFRAC] Z
TIME-HOUR 2DIGIT ; 00-23
TIME-MINUTE 2DIGIT ; 00-59
TIME-SECOND 2DIGIT ; 00-59
TIME-SECFRAC '.' 1*6DIGIT
SEVERITY SEVERITY-STRING SEVERITY-VALUE [LINE-MARKER]
SEVERITY-STRING Em / Al / Cr / Er / Wa / No / In / Db (The 8 severity levels specified in RFC 5424 are abbreviated as follows:
  • Em - Emergency
  • Al - Alert
  • Cr - Critical
  • Er - Error
  • Wa - Warning
  • No - Notice
  • In - Informational
  • Db - Debug)
SEVERITY-VALUE ( *DIGIT ) (The SEVERITY-VALUE is an optional expression of the numeric value associated with the SEVERITY-STRING. This allows levels supported by a logger to be collapsed into the 8 required strings with no loss of information (e.g. Db(5) - debug, level 5).)
LINE-MARKER + (The LINE-MARKER is added to each subsequent line generated from a multi-line submission. It identifies multiline submissions and prevents a log injection security attack.)
NILVALUE - (A single threaded program might not have a thread name and NILVALUE is acceptable.)
THREAD-NAME NILVALUE / 1*32PRINTUSASCII (The component (APP-NAME) is implied when a single program writes the file and no component field is necessary, only the thread name.)
OPID NILVALUE / 1*128UTF-8-STRING
STRUCTURED-DATA 1*SD-ELEMENT
SD-ELEMENT [ SD-ID *(SP SD-PARAM) ]
SD-PARAM PARAM-NAME %d34 PARAM-VALUE %d34
SD-ID SD-NAME
PARAM-NAME SD-NAME
PARAM-VALUE UTF-8-STRING ; characters '"', '\' and ']' MUST be escaped.
SD-NAME 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (")
MSG [STRUCTURED-DATA SP] UTF-8-STRING

Format for log files that the vmsyslogd service manages:

Parameter Value
LOG-MSG HEADER SP MSG
HEADER TIMESTAMP SP SEVERITY SP APP-NAME [PROC-IDENTIFIER] :
APP-NAME 1*32PRINTUSASCII
PROC-IDENTIFIER [ *DIGITS ] ; the PID associated with APP-NAME
TIMESTAMP FULL-DATE T FULL-TIME (Resolution in milliseconds, or more granular where possible.)
FULL-DATE DATE-FULLYEAR - DATE-MONTH - DATE-MDAY
DATE-FULLYEAR 4DIGIT
DATE-MONTH 2DIGIT ; 01-12
DATE-MDAY 2DIGIT ; 01-28, 01-29, 01-30, 01-31 based on month/year
FULL-TIME TIME-HOUR : TIME-MINUTE : TIME-SECOND[TIME-SECFRAC] Z
TIME-HOUR 2DIGIT ; 00-23
TIME-MINUTE 2DIGIT ; 00-59
TIME-SECOND 2DIGIT ; 00-59
TIME-SECFRAC '.' 1*6DIGIT
SEVERITY-STRING Em / Al / Cr / Er / Wa / No / In / Db (The 8 severity levels specified in RFC 5424 are abbreviated as follows:
  • Em - Emergency
  • Al - Alert
  • Cr - Critical
  • Er - Error
  • Wa - Warning
  • No - Notice
  • In - Informational
  • Db - Debug)
SEVERITY SEVERITY-STRING PRI-STRING [LINE-MARKER]
PRIVAL 1*3DIGIT ; range 0 .. 191 (the MSG PRI; contains facility and severity values, ORed together)
PRI-STRING ( PRIVAL ) (The PRIVAL contains the bits from the message PRI. This allows one to see the Facility of the message, as well as the severity bits themselves.)
LINE-MARKER + (The LINE-MARKER is added to each subsequent line generated from a multi-line submission. It identifies multiline submissions and prevents a log injection security attack.)
STRUCTURED-DATA 1*SD-ELEMENT
SD-ELEMENT [ SD-ID *(SP SD-PARAM) ]
SD-PARAM PARAM-NAME %d34 PARAM-VALUE %d34
SD-ID SD-NAME
PARAM-NAME SD-NAME
PARAM-VALUE UTF-8-STRING ; characters '"', '\' and ']' MUST be escaped.
SD-NAME 1*32PRINTUSASCII ; except '=', SP, ']', %d34 (")
MSG [STRUCTURED-DATA SP] UTF-8-STRING
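
The following Python example is added here and is not part of VMware's documentation or tooling. It parses lines in the vmsyslogd-managed format above, splits PRIVAL into facility and severity, and folds LINE-MARKER lines back into the record they belong to, so that header-like text inside a multi-line message is never read as a separate event. It assumes that APP-NAME, PROC-IDENTIFIER and the colon are written without spaces between them; the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

SEVERITIES = ["Em", "Al", "Cr", "Er", "Wa", "No", "In", "Db"]  # index = RFC 5424 severity 0-7

# HEADER SP MSG for vmsyslogd-managed files. Assumption: APP-NAME,
# PROC-IDENTIFIER and ':' are written without spaces between them.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?Z) "
    r"(?P<sev>Em|Al|Cr|Er|Wa|No|In|Db)\((?P<pri>\d{1,3})\)(?P<cont>\+)? "
    r"(?P<app>[\x21-\x7e]{1,32}?)(?:\[(?P<pid>\d*)\])?: (?P<msg>.*)"
)

def parse_line(line):
    """Return a dict for one well-formed line, or None if it breaks the grammar."""
    m = LINE_RE.fullmatch(line)
    if not m or int(m["pri"]) > 191:
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in m["ts"] else "%Y-%m-%dT%H:%M:%SZ"
    try:  # strptime also rejects impossible dates such as month 13
        when = datetime.strptime(m["ts"], fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    facility, severity = divmod(int(m["pri"]), 8)  # PRIVAL = facility * 8 + severity
    return {"time": when, "facility": facility, "severity": SEVERITIES[severity],
            "sev_matches_pri": SEVERITIES[severity] == m["sev"],
            "continuation": m["cont"] is not None, "app": m["app"],
            "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"]}

def group_records(lines):
    """Fold LINE-MARKER ('+') lines into the preceding record; collect rejects."""
    records, rejects = [], []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None or (rec["continuation"] and not records):
            rejects.append(line)  # malformed line or continuation with no parent
        elif rec["continuation"]:
            records[-1]["msg"] += "\n" + rec["msg"]
        else:
            records.append(rec)
    return records, rejects

# Constructed sample lines (not captured from a real host).
SAMPLE = [
    "2024-05-01T10:15:30.123Z In(166) Hostd[2099456]: task started",
    "2024-05-01T10:15:30.124Z In(166)+ Hostd[2099456]: 2024-05-01T10:15:31.000Z Em(0) fake: forged entry",
    "2024-05-01T10:15:32.5Z Wa(180) vmkernel: cpu3: heartbeat late",
    "2024-13-01T10:15:33Z In(166) Hostd[2099456]: impossible month",
]
```

Lines returned in `rejects`, and records where `sev_matches_pri` is false, are worth flagging in a log pipeline because a conforming writer should not produce them.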

Audit Records

ESXi audit records, with facility code 13, comply with both the RFC 3164 and RFC 5424 formats, and you find them in the structured data section. The audit record also contains event-based traceability information when such data is available. Audit records are stored in a special format, not in a regular log file. You can access audit records locally by using the viewAudit program and the Virtual Infrastructure Management functionality FetchAuditRecords. Do not read, use, or edit an audit record storage file directly. Locally stored audit records comply with the RFC 5424 transmission format, where the HOSTNAME and MSGID are always NILVALUE.