The log filtering capability lets you modify the logging policy of the syslog service that is running on an ESXi host.

Starting with vSphere 7.0 Update 2, you can add log filters and enable log filtering by using ESXCLI. A log filter, once established, remains in place until it is removed, even across ESXi reboots.

Log filters affect all log events that are processed by the ESXi host vmsyslogd service, whether they are recorded to a log directory or to a remote syslog server.

You must enable the log filtering capability and reload the syslog daemon to activate the log filters on the ESXi host.

ESXCLI commands to configure log filters follow this pattern:

    esxcli system syslog config logfilter {cmd} [cmd options]

For example, to get the list of available log filters, run the following command:

    [root@xxx-xx-dhcp-xx-xx:~] esxcli system syslog config logfilter list

Use the set command to activate or deactivate log filtering:

    [root@xxx-xx-dhcp-xx-xx:~] esxcli system syslog config logfilter set

Use the add command to add a log filter and the remove command to remove a log filter.

Use the get command to determine if log filtering is enabled.

A log filter is specified by three components and uses the following syntax: numLogs | ident | logRegexp.

Parameter    Description
numLogs      Specifies the number of matches of the logRegexp Python regular expression that will be allowed before filtering begins.
ident        The ident string is how an application identifies itself to the syslog facility. The logRegexp filter must be associated with the same application. You can find the ident string of an application by inspecting the log files in /var/run/log. The third field of each log file begins with the ident string and ends with [.
logRegexp    Python regular expression that identifies the messages which you want to filter out.

For example, to filter out all messages from the hostd daemon that contain the word "mark" after the tenth occurrence, use the following command:

    esxcli system syslog config logfilter add --filter="10|Hostd|mark"

To remove the log filter, use the command:

    esxcli system syslog config logfilter remove --filter="10|Hostd|mark"
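Because a filter suppresses events on their way to both the local log directory and any remote syslog server, it helps to preview what a filter string would drop before adding it. The following Python sketch is an added example, not VMware code; it models the numLogs | ident | logRegexp behavior described above against constructed sample lines. Assumptions: the ident must match exactly, the regular expression is searched anywhere in the message, the match count never resets, and only the first two | characters separate fields.

```python
import re
from collections import namedtuple

LogFilter = namedtuple("LogFilter", "num_logs ident regexp")

# Constructed sample lines (not captured from a real host); third field is ident[pid].
SAMPLE = [f"2021-03-01T12:00:0{i}.000Z info Hostd[1000001] -- mark --" for i in range(4)] + [
    "2021-03-01T12:00:05.000Z warning Hostd[1000001] Rejected password for user root",
    "2021-03-01T12:00:06.000Z info Vpxa[1000002] -- mark --",
]

def parse_filter(spec):
    """Parse 'numLogs|ident|logRegexp'. Assumption: only the first two '|' separate fields."""
    parts = spec.split("|", 2)
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1] or not parts[2]:
        raise ValueError(f"expected numLogs|ident|logRegexp, got {spec!r}")
    return LogFilter(int(parts[0]), parts[1], re.compile(parts[2]))

def split_line(line):
    """Return (ident, message); ident is the third field up to '[', or None if absent."""
    fields = line.split(None, 3)
    if len(fields) < 3 or "[" not in fields[2]:
        return None, line
    return fields[2].split("[", 1)[0], fields[3] if len(fields) > 3 else ""

def preview(spec, lines):
    """Return (kept, dropped) for one filter under the assumed semantics."""
    flt = parse_filter(spec)
    matches, kept, dropped = 0, [], []
    for line in lines:
        ident, message = split_line(line)
        # Assumptions: exact ident match, regexp searched anywhere in the message,
        # and a running match count that never resets.
        if ident == flt.ident and flt.regexp.search(message):
            matches += 1
            if matches > flt.num_logs:
                dropped.append(line)
                continue
        kept.append(line)
    return kept, dropped

if __name__ == "__main__":
    for spec in ("2|Hostd|mark", "0|Hostd|.*"):
        kept, dropped = preview(spec, SAMPLE)
        print(f"{spec!r}: kept {len(kept)}, dropped {len(dropped)}")
        for line in dropped:
            print("  dropped:", line)
```

The second filter string in the demo shows why the regular expression should be as narrow as possible: a catch-all pattern for an ident also drops that application's unrelated messages, here a constructed failed-login line.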

For more information, see ESXi Syslog Options.

You can create log filters to reduce the number of repetitive entries in the ESXi logs and to denylist specific log events entirely.

Prerequisites

Install ESXCLI. See Getting Started with ESXCLI. For troubleshooting, run esxcli commands in the ESXi Shell.