Wednesday, November 30, 2011

vSphere 5 - VCSA and syslog with graylog2

As you may know, the vCenter Server Appliance can act as a syslog server for the ESX host systems. The appliance logs all messages into a log partition (/storage/log), which is not much of a feature if you or your customer already uses a syslog server. My customer actually uses Graylog2, which is a really cool tool.

In the base configuration you aren't able to enter a remote syslog server, so you have to access the vCenter Server Appliance with ssh. There, go to the /etc/syslog-ng directory.

In this directory there is a config file called syslog-ng.conf, which you have to open with an editor (vim/less, for example).

Now search for these lines:
# Enable this and adopt IP to send log messages to a log server.
#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };

and enter your syslog host and port. Please don't forget to remove the # at the start of the destination and log lines :) After these settings you can extend the global options to send the fully qualified domain name:

options { long_hostnames(off); sync(0); perm(0640); stats(3600); use_fqdn(yes); };

After the changes, restart the syslog daemon with /etc/init.d/syslog restart and check with tcpdump port 514 whether the packets are sent.
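The edit described above, scripted as an added example (not part of the original post or of VMware's tooling): it uncomments the two forwarding lines, fills in the log server, adds use_fqdn(yes) and keeps a backup. The helper names enable_remote_syslog and sample_conf, the 192.0.2.10 address used when trying it out, and the sample options line without use_fqdn are assumptions.

```shell
#!/bin/sh
# Added example: enable remote syslog forwarding in a syslog-ng.conf copy.
# enable_remote_syslog and sample_conf are hypothetical helper names.

# Constructed sample modelled on the lines quoted in the post.
sample_conf() {
cat <<'EOF'
options { long_hostnames(off); sync(0); perm(0640); stats(3600); };
# Enable this and adopt IP to send log messages to a log server.
#destination logserver { udp("" port(514)); };
#log { source(src); destination(logserver); };
EOF
}

# usage: enable_remote_syslog <conf-file> <host> <port>
# returns 0 on success, 2 on bad input, 3 if the template lines are missing
enable_remote_syslog() {
    conf=$1 host=$2 port=$3
    # Allow only hostname/IPv4 characters so nothing can break out of the
    # quoted udp("...") argument or the sed expression.
    case "$host" in ''|*[!A-Za-z0-9.-]*) return 2 ;; esac
    case "$port" in ''|*[!0-9]*) return 2 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 2

    tmp=$(mktemp) || return 1
    sed -e "s|^#destination logserver { udp(\"[^\"]*\" port([0-9]*)); };|destination logserver { udp(\"$host\" port($port)); };|" \
        -e 's|^#log { source(src); destination(logserver); };|log { source(src); destination(logserver); };|' \
        -e '/^options {/{/use_fqdn(/!s| };$| use_fqdn(yes); };|;}' \
        "$conf" > "$tmp"

    # Refuse to install a file in which forwarding did not get enabled.
    if ! grep -q '^destination logserver ' "$tmp" ||
       ! grep -q '^log { source(src); destination(logserver); };' "$tmp"; then
        rm -f "$tmp"; return 3
    fi
    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }  # keep the original
    cat "$tmp" > "$conf"      # overwrite in place, preserving owner and mode
    rm -f "$tmp"
}
```

Run it against a copy of the file first and diff the result before touching /etc/syslog-ng/syslog-ng.conf. The udp() destination sends messages unauthenticated and in clear text, so keep the path between the appliance and the log server on a trusted management network.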

Happy logging!

1 comment:

  1. Can you also get the VCSA to send the VC-events to the syslog server?