The logs generated by the VMware vSphere virtualization platform are assigned tags that begin with box.vmware. You can configure a VMware server to report the logs to a remote syslog and since these logs cannot be tagged at the source, it is necessary to forward them to a Devo Relay that will tag the events and send them to the Devo Cloud.
The full tag structure follows the format box.vmware.type. The first two elements, box.vmware, are fixed. The third element identifies the vSphere component and must be either esx or vcenter.
For more information on how tags work, see the article about Devo tags.
Configure the Devo Relay rules
You need to create rules on the Devo Relay that will apply the correct tag to the events.
Rule for ESX/ESXi events
This rule applies the box.vmware.esx tag to all events received on port 13005 of the Devo Relay. The tag will be applied as a prefix meaning that the final tag will be box.vmware.esx.sourceTag.
Rule for vCenter events
This rule applies the box.vmware.vcenter tag to all events received on port 13006 of the Devo Relay. The tag will be applied as a prefix meaning that the final tag will be box.vmware.vcenter.sourceTag.
Configuring VMware ESXi (version 5)
To send log events from ESXi to the Devo Relay, you need to set the Syslog.global.logHost parameter found in Configuration → Software → Advanced Settings, Syslog global settings as indicated below. Use the IP address of the relay and the port you will send to.
Configuring VMware ESX
Edit the/etc/syslog.conf file on the VMware ESX server to specify the Devo Relay as the remote syslog server:
Then, open the port in the ESX firewall:
~ # esxcfg-firewall -o 13005,tcp,out,logtrust && esxcfg-firewall -l
Finally, restart the syslog server:
~ # service syslog restart
Configuring VMware vCenter
Follow the vendor instructions for setting up a remote syslog server for the vCenter Server Appliance.