James Thew - Fotolia

How do you enable centralized vCenter logging?

Centralize vCenter log files with vRealize Log Insight. Configuration with vSphere is simple and enables the centralization and transmission of event and task logs.

To retain and centralize vCenter logging files, take advantage of vRealize Log Insight and configure vSphere to capture tasks and events before sending them to a central appliance.

VCenter will delete events and tasks after thirty days or a similar interval depending on your vCenter Server retention settings. In your central logging server, events and tasks can persist for longer depending on the storage and retention settings of that system.

VRealize Log Insight is the simplest strategy to address this, and you can log up to 25 hosts for free with your vCenter license. Enabling logging for vCenter Server counts as one host, and then you can add some ESXi hosts, too.

This is the best choice for vCenter logging because you can directly enable event and task logging. In Figure A, you can see where to enable this feature in the administrative interface when connecting vCenter Server to vRealize Log Insight.

VRealize Log Insight settings
Figure A. Enable event and task logging in vRealize Log Insight.

Events will appear in the system after you set up this integration. In Figures B and C, you can see the same event from vSphere Client and the Interactive Analysis in vRealize Log Insight.

Logs in vSphere Client
Figure B. Events appear in the vSphere monitoring system.
Tasks and events in vRealize Log Insight
Figure C. Details of events appear in vRealize Log Insight.

Figure C shows additional information about tasks and events, such as the vCenter user who performed the task. At this point, you won't receive log files from vCenter Server Appliance.

Once you have a central logging server that supports syslog, you can use that to receive tasks and events from vCenter instead of vRealize Log Insight. VMware provides documentation for this vCenter logging configuration.

You must also configure the syslog host destination in the vCenter Server Appliance Management interface. You can access that web-based interface on port 5480 of your vCenter Server Appliance. In Figure D, you can see the configuration in an example test setup. It points to a host on UDP port 514, which is most often used for syslog, but you can also use TCP, TLS or other ports.

Syslog configuration
Figure D. Configuration of a test setup pointing to a host on UDP port 514

This configuration for the syslog server is necessary for vCenter Server Appliance to send its log files to your central logging server. Setting up the host configuration will only send Linux log files, such as /var/log/messages, to the system. To send events from the vCenter application that runs inside the appliance, as well, you need to enable it in the Advanced Settings of your vCenter logging configuration.

Advanced settings in vSphere
Figure E. Use Advanced Settings to send logs.

In vSphere Web Client, navigate to your vCenter object in the inventory. From the Configure tab, select Advanced Settings and filter the settings using keyword outputtosyslog. This will reveal the two settings you can use to send vCenter application logs to the central logging server.

Dig Deeper on VMware ESXi, vSphere and vCenter

Virtual Desktop
Data Center
Cloud Computing