


The logs generated by VMware virtualization infrastructure are labeled with the box.vmware.type tag.

You can configure a VMware server to report the logs to a remote syslog. Since these logs cannot be tagged at the source, it is necessary to report them to an In-house Relay that will tag them as box.vmware.type and send them to Devo.

Tag structure

  • The element type is fixed and identifies the type and format of the event. It takes the following structure: box.vmware.esx

For more information on how tags work, see the Introduction to tags article.

In-house Relay configuration

The first step is to install an In-house Relay so that the logs are tagged correctly. You can then define the new rule for the ESXi logs.

ESX/ESXi rule

With this rule, all the events arriving at the port you configure in the In-house Relay (e.g. 13005) are tagged as box.vmware.esx. Additionally, this tag is added as a prefix to the source tag of each message, so the final format of the tag is box.vmware.esx.sourceTag.

Configure the rule parameters in the Administration → Relays area as follows:

  • Source Port → 13005
  • Target Tag → box.vmware.esx
  • Check the following box:
    • isPrefix (to add the Target Tag to the event's original source tag)

VMware ESXi 5 configuration

You can indicate the remote syslog server by editing the parameter from the vSphere client advanced configuration (Configuration → Software → Advanced Settings area):

Another option is to use the ESXi server shell, connecting over SSH with administrator privileges:

VMware ESXi remote syslog configuration

~ # esxcli system syslog config set --loghost='tcp://'
~ # esxcli system syslog config get
   Default Rotation Size: 1024
   Default Rotations: 8
   Log Output: /scratch/log
   Log To Unique Subdirectory: false
   Remote Host: tcp://

In both cases, we will use the protocol://hostname:port syntax to specify the loghost (e.g. tcp://myrelay.local.lan:1234).

If the VMware server is not able to resolve the indicated hostname from the shell, you will be notified by an error message:

If you have specified a port other than 514, register it in the ESXi firewall services list by following the steps below:

  • Create the file "/etc/vmware/firewall/devo.xml" with the following content:

    VMware ESXi firewall port definition

      <!-- devo relay -->
      <service id="0033">
        <rule id='0000'>
  • Refresh the firewall policy and check if the new port has been enabled.

    VMware ESXi firewall policy refresh

    ~ # esxcli network firewall refresh
    ~ # esxcli network firewall ruleset list
    Name                Enabled
    ------------------  -------
    sshServer              true
    sshClient             false
    devo                   true
  • Check if the configuration has been successful by generating some test events:

    VMware ESXi firewall test events

    ~ # for i in `seq 1 10`; do logger "vmware esxi logging test $i"; done
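
The firewall file above is shown only up to `<rule id='0000'>`. As an added example (not from the original page), this script writes a complete outbound-only ruleset for the relay port and builds the matching loghost string. The elements inside the rule and the function names are assumptions, while the id 0033, the name devo and port 13005 come from the page.

```shell
# Added example, not from the original page. Assumed: the function names and
# the elements inside <rule>; id 0033, name "devo", port 13005 are the page's.

# write_devo_ruleset FILE PORT [PROTO]: one outbound rule, one destination port.
write_devo_ruleset() {
    file=$1 port=$2 proto=${3:-tcp}
    # Accept only a plain decimal port in 1..65535 (no signs, spaces, markup).
    case $port in
        ''|*[!0-9]*|??????*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    case $proto in
        tcp|udp) ;;
        *) echo "invalid protocol: $proto" >&2; return 1 ;;
    esac
    cat > "$file" <<EOF
<ConfigRoot>
  <!-- devo relay -->
  <service id="0033">
    <id>devo</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>$proto</protocol>
      <porttype>dst</porttype>
      <port>$port</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# loghost_for HOST PORT [PROTO]: prints the protocol://hostname:port value.
loghost_for() {
    printf '%s://%s:%s\n' "${3:-tcp}" "$1" "$2"
}

# Demo on a scratch path; on the host the target is /etc/vmware/firewall/devo.xml.
tmp=${TMPDIR:-/tmp}/devo.xml.$$
write_devo_ruleset "$tmp" 13005 tcp && cat "$tmp"
loghost_for myrelay.local.lan 13005
rm -f "$tmp"
```

Keeping the rule to a single outbound destination port means the host firewall opens nothing beyond the syslog flow to the relay.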

VMware ESX configuration

  • In order to indicate the remote syslog server, you should access the server via shell and add the following to the /etc/syslog.conf file:

    /etc/syslog.conf VMware ESX file

    *.*     @
  • Now open the port in the ESX firewall:

    VMware ESX firewall port definition

    ~ # esxcfg-firewall -o 13005,tcp,out,devo && esxcfg-firewall -l
  • Restart the syslog server:

    VMware ESX syslog restart

    ~ # service syslog restart
