After you enable remote streaming, vCenter Server starts streaming and only the newly generated events are streamed to the remote syslog server.

All syslog messages begin with a specific prefix. You can distinguish the vCenter Server events from other syslog messages by their Event prefix.

The syslog protocol limits the length of syslog messages to 1024 characters. Messages that are longer than 1024 characters split into multiple syslog messages.

In the syslog server, events have the following format: 
<syslog-prefix> : Event [eventId] [partInfo] [createdTime] [eventType] [severity] [user] [target] [chainId] [desc]
Item Description
syslog-prefix Displays the syslog prefix. The <syslog-prefix> is determined by the remote syslog server configuration.
eventId Displays the unique ID of the event message. The default value is Event.
partInfo Displays whether the message is split into parts.
createdTime Displays the time when the event was generated.
eventType Displays the event type.
severity Displays whether the event is a piece information, a warning, or an error.
user Displays the name of the user who generated the event.
target Displays the object the event refers to.
chainId Displays information about the parent or the group ID.
desc Displays the description of the event.

Split of Long Event Message into Multiple Syslog Messages

Events that are longer than 1024 characters split into multiple syslog messages in the following manner: 
<syslog-prefix> : Event [eventId] [1-X] [payload-part-1]
<syslog-prefix> : Event [eventId] [2-X] [payload-part-2] 
...
<syslog-prefix> : Event [eventId] [X-X] [payload-part-X]

The X stands for the number of the event message parts.

Forward vCenter Server Log Files to Remote Syslog Server

You can forward the vCenter Server log files to a remote syslog server to conduct an analysis of your logs.

Note: ESXi can be configured to send log files to a vCenter Server rather than storing them to a local disk. The recommended maximum numbers of supported hosts to collect logs from is 30. See http://kb.vmware.com/s/article/2003322 for information on how to configure ESXi log forwarding. This feature is intended for smaller environments with stateless ESXi hosts. For all other cases, use a dedicated log server. Using vCenter Server to receive ESXi log files might impact vCenter Server performance.

Prerequisites

Log in to the vCenter Server Management Interface as root.

Procedure

  1. In the vCenter Server Management Interface, select Syslog.
  2. In the Forwarding Configuration section, click Configure if you have not configured any remote syslog hosts. Click Edit if you already have configured hosts.
  3. In the Create Forwarding Configuration pane, enter the server address of the destination host. The maximum number of supported destination hosts is three.
  4. From the Protocol drop-down menu, select the protocol to use.
    Menu Item Description
    TLS Transport Layer Security
    TCP Transmission Control Protocol
    RELP Reliable Event Logging Protocol
    UDP User Datagram Protocol
  5. In the Port text box, enter the port number to use for communication with the destination host.
  6. In the Create Forwarding Configuration pane, click Add to enter another remote syslog server.
  7. Click Save.
  8. Verify that the remote syslog server is receiving messages.
  9. In the Forwarding Configuration section, click Send Test Message.
  10. Verify on the remote syslog server that the test message was received.
    The new configuration settings are shown in the Forwarding Configuration section.

Configure Streaming of Events to a Remote Syslog Server

You can also configure writing of events to the vCenter Server streaming facility. Streaming events is supported only for the vCenter Server. The streaming of events to a remote syslog server is disabled by default. You can enable and configure the streaming of vCenter Server events to a remote syslog server from the vCenter Server Management Interface.

Procedure

  1. In the vSphere Client, navigate to the vCenter Server instance.
  2. Select the Configure tab.
  3. Expand Settings option, and select Advanced Settings.
  4. Click EDIT SETTINGS.
  5. Click on the filter text box present in the Name column of the table header. Type vpxd.event, and press Enter.
  6. Enable or disable the vpxd.event.syslog.enabled option.
    By default, this option is enabled.
  7. Click SAVE.