VCAP6: 5.3 – Manage and Analyze vSphere Log Files

Posted by on in | 4,049 Views | Leave a response

Objective 5.3 Topics:

  • Generate vSphere Log Bundles
  • Configure and Test Centralized Logging
  • Analyze Log Entries to Obtain Configuration Information
  • Analyze Log Entries to Identify and Resolve Issues
  • Configure Logging Levels for vSphere

Generate vSphere Log Bundles

vCenter Server Appliance 6.0 logs are located in the /var/log/vmware folder.

We can review these logs several different ways.

  1. From the DCUI of the ESXi Host

logs1

2. Web Browser

https://esxi_fqdn_or_ip/host

web-browser

 

3. C# Client (Fat Client)

fat-client

4. vCenter Web Client

vcenter-log

 

Auditing ESXi Shell Logins and Commands

We can go to the logs to see which user and client issued requests.

We can do this a bunch of different ways but I’ll do it from the command line directly into the host.

Open SSH, connect to the host and navigate to the directory where the logs reside /var/log/

esxi-logs

We can read the logs of interest. In this case we’ll read the auth.log and shell.log to see what’s going on.

Auth.log – Looks like someone connected recently.

auth-log

Shell.log – Here we can see what commands were issued and when.

shell-log

Generate vSphere Log Bundles

From the C# Client:

export-logs

esxi-logs1

From the Web Client:

esxi-logs2

esxi-logs3

And download.

From the Web Client instead vCenter.

export-logs4

Collect Logs Using the VM-Support Command in ESXi 

cli-logs1

This will take a minute. Once it’s completed we’ll then transfer them to a datastore so we can download them. Alternatively we could always use WinSCP to grab them. I guess it’s a matter of preference or availability.

Done and lists the location of the logs.

cli-logs2

Move the logs to a datastore for download and send to VMware or to analyze offline.

cli-logs3

There are tons of ways to download support bundles. These are just a few ways. I don’t want to go into them all.

Configure and Test Centralized Logging

ESXi 6.0 hosts run a syslog service (vmsyslogd) that provides a standard mechanism for logging messages from the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch volume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate storage location on disk and to send the logs across the network to a syslog server.

There are 5 configurable options we can set:

Syslog.Global.logDir – A location on a local or remote datastore and path where logs are saved to.

Example: [Datastore Name]/Directory/Filename

Syslog.global.logHost – A comma-delimited list of remote servers where logs are sent using the syslog protocol. If the logHost field is blank, no logs are forwarded. Include the protocol and port, similar to tcp://hostname:514 or udp://hostname:514

Syslog.global.logDirUnique – True/False. Set to true will create individual directories per host (w/ host name) in the specified folder.

Syslog.global.defaultRotate – Max number of logs to keep locally. Does not effect the remote log server retention.

Syslog.global.defaultSize – Max size (in KB) of each log file before it is rotated or rolled over.

In the Web Client: 

syslog2

 

In the ESXi CLI

syslog1

Example to configure the settings:

esxcli system syslog config set –logdir= /path/to/vmfs/directory/ –loghost= RemoteHostname –logdir-unique=true|false –default-rotate= NNN –default-size= NNN

Configuring Local/remote Logging with Host Profiles

syslog3

Redirect vCenter Appliance Sys Logs to another location

vcsa-logs1

vcsa-logs2

Change Global Log Level (Host Agent)

log-level1

log-level2

VPXA Logging Level 

log-level3

vCenter Logging Level

log-level4

Questions / Comments?

This site uses Akismet to reduce spam. Learn how your comment data is processed.