
 ESXi syslog configuration

Sanjeev Kumar posted May 07, 2024 06:01 AM

Hello,

I am trying to forward the ESXi logs to the remote server. The log level is set to "debug". The syslog service is running and the ESXi firewall ports are also enabled.

The logs are not getting forwarded to the remote host; I am getting a socket error. There is no external firewall configured between the ESXi host and the remote server.

The configuration looks as below

   Allow Vsan Backing: false
   Check Certificate Revocation List: false
   Dropped Log File Rotation Size: 100
   Dropped Log File Rotations: 10
   Enforce SSLCertificates: false
   Local Log Output: /vmfs/volumes/61a77e17-a2b64698-b1ce-9cb6548b0008/scratch/log
   Local Log Output Is Configured: true
   Local Log Output Is Persistent: true
   Local Logging Default Rotation Size: 1024
   Local Logging Default Rotations: 8
   Log Level: debug
   Log To Unique Subdirectory: true
   Message Queue Drop Mark: 90
   Remote Host: udp://remote server:514
   Remote Host Connect Retry Delay: 180
   Remote Host Maximum Message Length: 1024
   Strict X509Compliance: false

The vmsyslog.debug has the below output

2024-05-07T09:58:25.198Z vmsyslog.loggers.network : DEBUG   ] remote server IP:514 - UDP socket error : [Errno 111] Connection refused
2024-05-07T09:58:25.418Z vmsyslog.loggers.network : DEBUG   ] remote server IP:514 - UDP socket error : [Errno 111] Connection refused
2024-05-07T09:58:26.489Z vmsyslog.loggers.network : DEBUG   ] remote server IP:514 - UDP socket error : [Errno 111] Connection refused
[root@alva-esxtest02:/etc/vmsyslog.conf.d]

Florence Gayhart

Hello, @Sanjeev Kumar [edited: do not post links. @Jason McClellan, Platform Admin]

It looks like you’re encountering a common issue with forwarding ESXi logs to a remote server. The error message UDP socket error : [Errno 111] Connection refused indicates that the connection to the remote server on port 514 is being refused. Here are some steps to troubleshoot and resolve this issue:

1. Verify Remote Server Configuration:
   - Ensure that the remote server is configured to accept syslog messages on port 514.
   - Check if the syslog service on the remote server is running and listening on the correct port.

2. Network Connectivity:
   - Test the network connectivity between the ESXi host and the remote server using tools like nc (netcat) or telnet:

     nc -zv remote_server_ip 514

     This command checks if the remote server is accepting connections on port 514.

3. Firewall Rules:
   - Double-check the firewall rules on both the ESXi host and the remote server to ensure that port 514 is open and not being blocked.

4. Syslog Configuration:
   - Ensure that the syslog configuration on the ESXi host is correct. You can use the following command to set the remote syslog server:

     esxcli system syslog config set --loghost='udp://remote_server_ip:514'
     esxcli system syslog reload

   - Verify the configuration:

     esxcli system syslog config get

5. Check for Errors in Logs:
   - Look for any additional error messages in the ESXi logs that might provide more insight into the issue.

6. Update ESXi and Syslog Services:
   - Ensure that your ESXi host and syslog services are up to date with the latest patches and updates.

By following these steps, you should be able to identify and resolve the issue preventing the logs from being forwarded to the remote server.

Best regards,
Florence Gayhart
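
What `[Errno 111] Connection refused` means on a UDP socket, as an added example that is not part of the original thread: UDP has no handshake, so the sender sees this error only when an ICMP port-unreachable comes back, which happens when nothing is listening on that UDP port at the destination or a firewall actively rejects the datagram. The function names `probe_udp` and `demo`, the probe message, and the loopback listener are constructed for illustration; IPv4 and Linux socket behaviour are assumed.

```python
import socket


def probe_udp(host, port, timeout=0.5):
    """Send one syslog-style datagram and classify what comes back.

    'refused'  -> ICMP port unreachable was returned (Errno 111): no UDP
                  listener on that port, or a firewall rejected the packet.
    'no_error' -> nothing came back: a listener accepted the datagram, or
                  the packet was silently dropped somewhere on the path.
    'reply'    -> the peer answered (unusual for a syslog receiver).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it binds the socket to one peer so
        # the kernel reports ICMP errors for that peer on later send/recv.
        s.connect((host, port))
        try:
            s.send(b"<14>probe: syslog reachability test")
            s.recv(1024)
            return "reply"
        except ConnectionRefusedError:
            return "refused"
        except socket.timeout:
            return "no_error"


def demo():
    """Reproduce both outcomes on loopback with a constructed listener."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))      # ephemeral port stands in for 514
    port = listener.getsockname()[1]
    with_listener = probe_udp("127.0.0.1", port)
    listener.close()                     # receiver "service" stopped
    without_listener = probe_udp("127.0.0.1", port)
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo())
```

A `no_error` result does not prove delivery, so confirm on the receiver that the syslog daemon is bound to UDP 514 and that the test message arrives in its logs.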