Sending vCenter Logs to Centralized Syslog Server using NXlog

Intro

In my previous article, “Centralized syslog server for vSphere environment with CentOS 7 and rsyslog”, I showed one way to configure a centralized Syslog server for a vSphere environment. That article covered only the ESXi part. In this article I will describe how to send logs from a vCenter Server installed on Windows to the same Syslog server.

Now, monitoring log files and sending their contents to a centralized location is not complicated, and there are lots of ways to do it. For example, you can find an article on William Lam’s blog where he describes how to do it using Cygwin + Syslog-ng. You can even use the Windows implementations of Rsyslog and Syslog-NG (unfortunately those two are paid).

In my solution I decided to use NXlog Community Edition for Windows. It is free and very easy to configure.

After you install NXlog, it creates a Windows service, and all configuration is done in one config file.

In my lab I have a Windows 2008 R2 system with VMware vCenter Server 5.1. It actually doesn’t matter what version of vCenter you have; the solution is applicable to any version. You can even forward Windows system events with NXlog if you want to.

First of all you need to download the Windows installer of NXlog from this link. Next you install it on the vCenter server, and then the fun part starts.

Default NXlog config

By default the config file for NXlog is located in the C:\Program Files (x86)\nxlog\conf folder and is named nxlog.conf.

Here is the default content of that file.

There are several configuration changes we need to make. First we will enable the Syslog module for NXlog, then add new Inputs, next configure the Output with the details of our centralized syslog collector, and finally configure the Routes for the outputs.

Let's do that.

Enabling Syslog Module for NXlog

To enable the Syslog module for NXlog, add the following block to your config

Configuring Inputs

Next, you need to configure Inputs for logs. This basically means that you need to configure which log files should be monitored by NXlog. To find the location of the vCenter Server log files, check VMware KB 1021804. In my case the logs are located in “C:\ProgramData\VMware\VMware VirtualCenter\Logs\”.

Let's use vpxd.log as an example for the config. Here is how it should look

Let's review each line one by one.

1. <Input VPXD>

With this line you are naming your Input stream. As we are monitoring the vpxd.log file, we named the Input VPXD. It is up to you what you name it. The name is important, because you will be using it to configure Outputs.

2. File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"

This line gives the full path of the log file that needs to be monitored. Wildcards are supported for the case when several files need to be monitored.

3. SavePos TRUE

This directive specifies whether the file position should be saved when NXlog exits. The file position will be read from the cache file upon startup.

4. Exec $Message = 'vpxd ' + $raw_event;

This directive defines how your log entry will look on Output. In our example, we add the name of the log file to the beginning of the line. This should simplify log parsing in the future.

5. </Input>

This line just closes the Input block.

You can add as many input directives as you want, by creating Input blocks.

Configuring Outputs

Once you are done with inputs, you should configure your Output directive. Here is how it should look.

It is quite straightforward, so I will not describe it line by line. The important lines here are

Module      om_tcp

and

Exec to_syslog_bsd();

The first one says that we will use TCP to connect to our centralized Syslog server, and the second one specifies that we will use the standard syslog format for output messages.

Configuring Output Routes

The last thing to configure is the Output routes. To do that, create the following block.

Here is an example

This directive says that everything coming from the Input named VPXD should be sent to the Output named out. Basically, all lines from vpxd.log will be forwarded to our centralized Syslog server.
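
The four pieces described above (Syslog extension, Input, Output, Route) assembled into one nxlog.conf. This is an added example, not the author's lab file; the `Module im_file` line, the global path directives, the collector address `192.0.2.10` and port `514` are assumptions.

```conf
# Added example, not the author's lab file.
# Assumption: global paths match the default NXlog CE install location.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# Syslog extension: provides to_syslog_bsd(), which the Output block calls.
<Extension syslog>
    Module      xm_syslog
</Extension>

# One Input block per log file family; the block name is reused in the Route.
<Input VPXD>
    # Assumption: im_file is the file-reading module (not listed in the walk-through).
    Module      im_file
    # Backslashes are doubled inside the double-quoted string.
    # The wildcard picks up each numbered vpxd log as it rotates.
    File        "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
    # Resume from the saved file position after the service restarts.
    SavePos     TRUE
    # Prefix every line with the source log name to simplify parsing on the collector.
    Exec        $Message = 'vpxd ' + $raw_event;
</Input>

<Output out>
    # om_tcp sends events in cleartext; om_ssl is NXlog's TLS output module
    # for collectors that accept TLS.
    Module      om_tcp
    # Assumption: placeholder collector address and port; use your Syslog server's values.
    Host        192.0.2.10
    Port        514
    # Format each event as a BSD syslog message before it is sent.
    Exec        to_syslog_bsd();
</Output>

# Send everything read by the VPXD input to the "out" output.
<Route 1>
    Path        VPXD => out
</Route>
```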

Config File Example

Here is an example of the NXlog config file from my lab. Note that it does not cover all the log files generated by vCenter Server and its services. In a production environment you will definitely need to review it.

 

That’s it. Restart your NXlog service, and you should see the messages arriving at your centralized Syslog server.

Aram Avetisyan is an IT specialist with more than 15 years experience. He has rich background in various IT related fields like Cloud, Virtualization, SDN, Disaster Recovery, and so on. He holds several industry level certifications including but not limited to VCIX6-DCV, VCIX6-NV, VCAP-CIA. As VCI Aram is delivering VMware authorised courses. For his contribution to the community, he was recognised as vEXPERT in years 2014, 2015 and 2016.


3 Comments

  1. Pingback: TheVirtualist.org runs for Top vBlog 2015 - The Virtualist

  2. Is the syntax really File “C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-profiler-[0-9]*.log” (double-\\) and not File “C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-profiler-[0-9]*.log” (single-\)?

    • Hi Erik,
      Back when I was testing it in 2014 the \\ is what worked for me. They may have changed this in two years, so I would suggest checking the latest NXlog documentation.

      Please, let us know on this page if // or only / worked for you.

      Thanks in advance!
