James Thew - Fotolia
To retain and centralize vCenter logging files, take advantage of vRealize Log Insight and configure vSphere to capture tasks and events before sending them to a central appliance.
VCenter will delete events and tasks after thirty days or a similar interval depending on your vCenter Server retention settings. In your central logging server, events and tasks can persist for longer depending on the storage and retention settings of that system.
VRealize Log Insight is the simplest strategy to address this, and you can log up to 25 hosts for free with your vCenter license. Enabling logging for vCenter Server counts as one host, and then you can add some ESXi hosts, too.
This is the best choice for vCenter logging because you can directly enable event and task logging. In Figure A, you can see where to enable this feature in the administrative interface when connecting vCenter Server to vRealize Log Insight.
Events will appear in the system after you set up this integration. In Figures B and C, you can see the same event from vSphere Client and the Interactive Analysis in vRealize Log Insight.
Figure C shows additional information about tasks and events, such as the vCenter user who performed the task. At this point, you won't receive log files from vCenter Server Appliance.
Once you have a central logging server that supports syslog, you can use that to receive tasks and events from vCenter instead of vRealize Log Insight. VMware provides documentation for this vCenter logging configuration.
You must also configure the syslog host destination in the vCenter Server Appliance Management interface. You can access that web-based interface on port 5480 of your vCenter Server Appliance. In Figure D, you can see the configuration in an example test setup. It points to a host on UDP port 514, which is most often used for syslog, but you can also use TCP, TLS or other ports.
This configuration for the syslog server is necessary for vCenter Server Appliance to send its log files to your central logging server. Setting up the host configuration will only send Linux log files, such as /var/log/messages, to the system. To send events from the vCenter application that runs inside the appliance, as well, you need to enable it in the Advanced Settings of your vCenter logging configuration.
In vSphere Web Client, navigate to your vCenter object in the inventory. From the Configure tab, select Advanced Settings and filter the settings using keyword outputtosyslog. This will reveal the two settings you can use to send vCenter application logs to the central logging server.
Dig Deeper on VMware ESXi, vSphere and vCenter
Related Q&A from Rob Bastiaansen
Use ESXi firewall configuration settings and VMkernel ports to control the levels of access that different services, such as Secure Shell, have to ... Continue Reading
The host in a VMware high availability cluster uses a heartbeat network that can incorrectly report host isolation. Reconfigure your settings to ... Continue Reading
Conservative vSphere cluster settings tell DRS to only apply the recommendations that are required for host maintenance, so you might not get any ... Continue Reading