I have a customer who doesn’t have a syslog server configured in his vSphere environment. I first recommended we install vRealize Log Insight; it’s a great product and has a ton of insightful information when used with vCenter, vSphere and NSX. But the customer didn’t want to worry about licensing, so we decided to stand up a CentOS rsyslog server to show the power of having a centralized syslog. Centralized syslog is especially valuable for NSX installations; using syslog in the DFW alone will save a ton of troubleshooting time.
This article assumes you know how to use vi or something similar in the Linux shell. Here we go.
Once you have a new CentOS 7 virtual machine deployed, install open-vm-tools and rsyslog.
|[root@stlsyslog ~]# yum install open-vm-tools rsyslog|
Edit the rsyslog.conf file
|[root@stlsyslog ~]# vi /etc/rsyslog.conf|
Uncomment (remove the #) the syslog input module and port lines for both UDP and TCP. Save and close vi.
|# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514|
We now need to start rsyslog.
|[root@stlsyslog ~]# systemctl start rsyslog.service
[root@stlsyslog ~]# service rsyslog start|
Now check that it is running and listening on the correct ports.
|[root@stlsyslog ~]# service rsyslog status|
And that it’s listening!
|[root@stlsyslog ~]# netstat -antup | grep 514|
Syslog is now enabled and running; however, CentOS has the firewall enabled by default, so tcp/514 and udp/514 must be allowed in. But first check whether the firewall is running.
|[root@stlsyslog ~]# firewall-cmd --state|
If it is running, check for the active zones in firewalld.
|[root@stlsyslog ~]# firewall-cmd --get-active-zones|
OK, in my case, the firewall is running and the only active zone is the default public zone. So let’s allow tcp/514 and udp/514 incoming.
|[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/tcp
[root@stlsyslog ~]# firewall-cmd --permanent --zone=public --add-port=514/udp|
Now reload the firewall so these settings take effect.
|[root@stlsyslog ~]# firewall-cmd --reload|
Now configure vCenter, vSphere, NSX Manager and everything else to log to your new remote syslog server. Then verify you have incoming messages.
|[root@stlsyslog ~]# tail -f /var/log/messages|
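If nothing arrives, a common cause is a listener that was only half uncommented in rsyslog.conf. As an added example (not from the original post), this shell function reports whether the legacy `$ModLoad` and port directives from the rsyslog.conf step are both active for each transport. The function names and the sample config are constructed for illustration, and it only understands the legacy directive syntax shown in this post.

```shell
#!/bin/sh
# Added example: report which legacy rsyslog listeners are really active.

# active_value FILE DIRECTIVE: print the argument of the last uncommented
# occurrence of DIRECTIVE, or nothing if every occurrence is commented out.
active_value() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }            # ignore commented-out lines
        $1 == d    { v = $2 }          # last active setting wins
        END        { if (v != "") print v }
    ' "$1"
}

# module_loaded FILE MODULE: succeed if "$ModLoad MODULE" is uncommented.
module_loaded() {
    awk -v m="$2" '
        /^[ \t]*#/ { next }
        $1 == "$ModLoad" && $2 == m { found = 1 }
        END { exit !found }
    ' "$1"
}

# listener_status FILE: print "udp=<port|off> tcp=<port|off>". A transport
# is only "on" when its module is loaded AND its port directive is active.
listener_status() {
    udp=off; tcp=off
    if module_loaded "$1" imudp; then
        p=$(active_value "$1" '$UDPServerRun'); udp=${p:-off}
    fi
    if module_loaded "$1" imtcp; then
        p=$(active_value "$1" '$InputTCPServerRun'); tcp=${p:-off}
    fi
    echo "udp=$udp tcp=$tcp"
}

# Constructed sample (not a real host's file): UDP is fully enabled, but
# the TCP port line was left commented, so nothing will listen on tcp/514.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
#$InputTCPServerRun 514
EOF
listener_status "$sample"    # prints: udp=514 tcp=off
```

On the syslog server itself, run `listener_status /etc/rsyslog.conf` and compare the result with what `netstat -antup | grep 514` shows.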
Hope this got you going on the rsyslog train.