VMware vSphere

  • 1.  Log files and log file analysis

    Posted Mar 15, 2012 06:54 PM

    Assuming that you'd want to review logs on a daily (or shift) basis, as I understand things (and I'm new to VMware), there are event/service logs and vpxd logs.

    Is there any advantage to viewing the vpxd logs or would the event/service logs be the logs of interest?

    Also, does vSphere Suite 5 (or 4) have audit log analysis tools? I haven't found any so far, and someone mentioned a separate "tools" software download. Could someone please provide some comment/info that would be helpful/useful in terms of which logs are best for what, audit analysis tools, and where/how to acquire them?

    Thanks.



  • 2.  RE: Log files and log file analysis

    Posted Mar 16, 2012 07:05 AM

    The most important log files to be checked, and the ones I monitor closely, are under /var/log.

    For ESX:

    /var/log/vmkernel: messages related to vmkernel, network, storage & virtual machines

    /var/log/messages: service console messages

    /var/log/vmware/hostd.log: messages related to host agent and also virtual machine messages for the tasks performed via vCenter.

    For ESXi:

    /var/log/messages: messages related to vmkernel, network, storage & virtual machines. Also, hostd and vpxd merged

    /var/log/hostd: messages related to host agent and also virtual machine messages for the tasks performed via vCenter.

    The above list is for vSphere 4, which may change a bit for vSphere 5. Plus, this is not an exhaustive list and there are other logs too, for example for HA (aam), etc. The KB article below provides a comprehensive list of the logs in ESXi 4 and a pointer link to ESXi 5.

    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1021801

    Also, with vSphere 4 & 5, the list of alarms in vCenter has been made quite comprehensive. You can monitor most of the components using vSphere alarms and have them configured to take certain actions, send SNMP traps and even send an email to your mailbox (which can be quite useful if you have 24x7 teams and no commercial monitoring tool).

    I wouldn't worry about the vpxd logs unless I have an issue with the vCenter service or tasks failing in the vCenter.

    Now, there are multiple options for you to consolidate the above logs. One of them is to configure the vMA appliance as a syslog server and then use any free/open-source syslog server to view/analyze the logs. Below is a comprehensive article on configuring vMA as a syslog server:

    http://www.simonlong.co.uk/blog/2010/05/28/using-vma-as-your-esxi-syslog-server/

    In vSphere 5, you can even configure your vCenter as a syslog server.

    In essence, there are multiple options, and they may vary depending on the version you're using and the things you expect to monitor. But I hope the above helps you get an understanding of the options and get started :)
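
A daily review pass over logs consolidated on a syslog server, as described in the reply above, could look like the following. This is an added example, not part of either post and not a VMware tool. It assumes each forwarded line has the layout `<timestamp> <host> <source>: <message>`, that hostd messages carry their level inside the leading bracket, and that vmkernel warnings are marked `WARNING:`; the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample of consolidated syslog lines (not real host output).
SAMPLE = """\
Mar 15 18:01:02 esx01 vmkernel: 0:01:12:44.101 cpu2:4110)WARNING: example storage path is down
Mar 15 18:01:05 esx01 Hostd: [2012-03-15 18:01:05.311 2B4E info 'TaskManager'] example task created
Mar 15 18:02:17 esx02 Hostd: [2012-03-15 18:02:17.020 1A3C warning 'vm:/vmfs/volumes/ds1/app01/app01.vmx'] example VM warning
Mar 15 18:03:40 esx02 vmkernel: 0:02:10:03.555 cpu0:4098)ScsiDeviceIO: example routine message
Mar 15 18:04:09 esx02 Hostd: [2012-03-15 18:04:09.742 1A3C error 'Statssvc'] example stats error
this line is not syslog and is counted as unparsed
"""

# Assumed layout: "<Mon DD HH:MM:SS> <host> <source>[pid]: <message>"
LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
# Assumed hostd layout: "[<date> <time> <thread> <level> '<component>'] ..."
HOSTD_LEVEL = re.compile(r"^\[\S+ \S+ \S+ (\w+) '")
# Assumed vmkernel marker placed right after "cpuN:world)"
VMK_LEVEL = re.compile(r"\)(WARNING|ALERT): ")
REVIEW = {"warning", "error", "alert"}  # levels worth a human look each shift


def severity(message):
    """Return the level found in the message, or 'info' when none is marked."""
    m = HOSTD_LEVEL.match(message) or VMK_LEVEL.search(message)
    return m.group(1).lower() if m else "info"


def summarize(lines):
    """Count lines per (host, source, level) and collect the ones to review."""
    counts, flagged, unparsed = Counter(), [], 0
    for raw in lines:
        if not raw.strip():
            continue
        m = LINE.match(raw)
        if not m:
            unparsed += 1  # keep a tally so malformed input is never silently lost
            continue
        stamp, host, source, message = m.groups()
        level = severity(message)
        counts[(host, source.lower(), level)] += 1
        if level in REVIEW:
            flagged.append((stamp, host, source.lower(), level, message))
    return counts, flagged, unparsed


if __name__ == "__main__":
    counts, flagged, unparsed = summarize(SAMPLE.splitlines())
    for key in sorted(counts):
        print(*key, counts[key])
    print("to review:", len(flagged), "unparsed:", unparsed)
```
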