Intro
In my previous article, “Centralized syslog server for vSphere environment with CentOS 7 and rsyslog”, I showed one way to configure a centralized Syslog server for a vSphere environment. But in that article I covered only the ESXi part. In this article I will describe how to send logs from your vCenter Server installed on Windows to the same Syslog server.
Now, monitoring log files and sending their contents to a centralized location is not complicated, and there are lots of ways to do it. For example, you can find an article on William Lam’s blog, where he describes how to do it using Cygwin + Syslog-ng. You can even use the Windows implementations of Rsyslog and Syslog-NG (unfortunately those two are paid).
In my solution I decided to use NXlog Community Edition for Windows. It is free and very easy to configure.
After you install NXlog, it creates a Windows service, and all configuration is done in one config file.
In my lab I have a Windows 2008 R2 system with VMware vCenter Server 5.1. It actually doesn’t matter what version of vCenter you have; the solution is applicable to any version. You can even forward Windows system events with NXlog, if you want to.
First of all you need to download the Windows installer of NXlog from this link. Next you install it on vCenter server, and then the fun part starts.
Default NXlog config
By default the config file for NXlog is located in the C:\Program Files (x86)\nxlog\conf folder, and the config file name is nxlog.conf.
Here is the default content of that file.

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Input in>
        Module im_msvistalog
        # For windows 2003 and earlier use the following:
        # Module im_mseventlog
    </Input>

    <Output out>
        Module om_tcp
        Host 192.168.1.1
        Port 514
    </Output>

    <Route 1>
        Path in => out
    </Route>

There are several configuration changes we need to make. First we will enable the syslog Module for NXlog, then add new Inputs, next configure the Output with the details of our centralized syslog collector, and finally configure the Routes that connect Inputs to the Output.
Let's do that.
Enabling Syslog Module for NXlog
To enable the Syslog module for NXlog, add the following block to your config:

    <Extension syslog>
        Module xm_syslog
    </Extension>

Configuring Inputs
Next, you need to configure Inputs for logs. This basically means that you need to configure which log files should be monitored by NXlog. To find the location of the vCenter Server log files, check VMware KB 1021804. In my case logs are located in “C:\ProgramData\VMware\VMware VirtualCenter\Logs\”.
Let's use vpxd.log as an example for the config. Here is how it should look:

    <Input VPXD>
        Module im_file
        File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
        SavePos TRUE
        # The message will contain the name of the source log file and the RAW message.
        # This is useful for future parsing. Space is important after mentioning it.
        Exec $Message = 'vpxd ' + $raw_event;
    </Input>

Let's review the lines one by one.
1. <Input VPXD>
With this line you are naming your Input stream. As we are monitoring the vpxd.log file, we named the Input VPXD. It is up to you how you name it. The name is important, because you will refer to it when routing Inputs to Outputs.
2. File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
This line gives the full path of the log file that needs to be monitored. Wildcards are supported for the case when several files need to be monitored.
3. SavePos TRUE
This directive specifies whether the file position should be saved when NXlog exits. The file position will be read from the cache file upon startup.
4. Exec $Message = 'vpxd ' + $raw_event;
This directive defines how your log entry will look on Output. In our example, we add the name of the log file to the beginning of each line. This should simplify log parsing in the future.
5. </Input>
This line just closes the Input block.
You can add as many input directives as you want, by creating Input blocks.
Configuring Outputs
Once you are done with inputs, you should configure your Output directive. Here is how it should look.

    <Output out>
        Module om_tcp
        Host IP_OF_YOUR_SYSLOG_SERVER
        Port 514
        Exec to_syslog_bsd();
    </Output>

It is quite straightforward, so I will not describe it line by line. The important lines here are
Module om_tcp
and
Exec to_syslog_bsd();
The first one says that we will use TCP to connect to our centralized Syslog server, and the second one specifies that we will use the standard (BSD) syslog format for output messages.
Configuring Output Routes
The last thing to configure is the Output routes. To do that, create a Route block.
Here is an example:

    <Route 1>
        Path VPXD => out
    </Route>

This directive says that everything coming from the Input named VPXD should be sent to the Output named out. Basically, all lines from vpxd.log will be forwarded to our centralized Syslog server.
Config File Example
Here is an example of an NXlog config file from my lab. Note that it does not cover all the log files generated by vCenter Server and its services. In a production environment you will definitely need to review it.

    ## This is a sample configuration file. See the nxlog reference manual about the
    ## configuration options. It should be installed locally and is also available
    ## online at http://nxlog.org/nxlog-docs/en/nxlog-reference-manual.html

    ## Please set the ROOT to the folder your nxlog was installed into,
    ## otherwise it will not start.

    #define ROOT C:\Program Files\nxlog
    define ROOT C:\Program Files (x86)\nxlog

    Moduledir %ROOT%\modules
    CacheDir %ROOT%\data
    Pidfile %ROOT%\data\nxlog.pid
    SpoolDir %ROOT%\data
    LogFile %ROOT%\data\nxlog.log

    <Extension syslog>
        Module xm_syslog
    </Extension>

    <Input VPXD>
        Module im_file
        File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
        SavePos TRUE
        Exec $Message = 'vpxd ' + $raw_event;
    </Input>

    <Input VPXDALERT>
        Module im_file
        File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-alert-[0-9]*.log"
        SavePos TRUE
        Exec $Message = 'vpxd-alert ' + $raw_event;
    </Input>

    <Input VPXDPROFILER>
        Module im_file
        File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-profiler-[0-9]*.log"
        SavePos TRUE
        Exec $Message = 'vpxd-profiler ' + $raw_event;
    </Input>

    <Output out>
        Module om_tcp
        Host 10.12.14.22
        Port 514
        Exec to_syslog_bsd();
    </Output>

    <Route 1>
        Path VPXD,VPXDALERT,VPXDPROFILER => out
    </Route>

That’s it. Restart your NXlog service, and you should see the messages arriving at your centralized Syslog server.
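An added example, not part of the original article or of NXlog itself: a short Python lint for nxlog.conf that reports Inputs no Route forwards (their logs never reach the collector), Route names with no matching block, and to_syslog_bsd() used without the xm_syslog Extension that provides it. The function name, the sample config and the address 192.0.2.10 are constructed for illustration.

```python
import re

# Constructed sample config containing three mistakes the lint should report.
SAMPLE_CONF = r'''
<Input VPXD>
    Module im_file
    File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
    Exec $Message = 'vpxd ' + $raw_event;
</Input>
<Input VPXDALERT>
    Module im_file
    File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-alert-[0-9]*.log"
</Input>
<Output out>
    Module om_tcp
    Host 192.0.2.10
    Port 514
    Exec to_syslog_bsd();
</Output>
<Route 1>
    Path VPXD, VPXDPROFILER => out
</Route>
'''

BLOCK = re.compile(r'^[ \t]*<(Extension|Input|Output|Route)\s+(\S+)>(.*?)^[ \t]*</\1>', re.S | re.M)

def lint_nxlog_conf(text):
    """Return findings (strings) for an nxlog.conf passed in as text."""
    # Ignore comment lines so commented-out blocks are not counted.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    blocks = {"Extension": {}, "Input": {}, "Output": {}, "Route": {}}
    for kind, name, body in BLOCK.findall(text):
        blocks[kind][name] = body
    findings, routed = [], set()
    for name, body in blocks["Route"].items():
        m = re.search(r'^\s*Path\s+(.+)$', body, re.M)
        if not m:
            findings.append(f"Route {name}: no Path directive")
            continue
        # "a, b => out": the first hop lists Inputs, the last hop lists Outputs.
        hops = [[n.strip() for n in hop.split(",")] for hop in m.group(1).split("=>")]
        routed.update(hops[0])
        findings += [f"Route {name}: unknown Input {n}" for n in hops[0] if n not in blocks["Input"]]
        findings += [f"Route {name}: unknown Output {n}" for n in hops[-1] if n not in blocks["Output"]]
    findings += [f"Input {n}: not in any Route" for n in blocks["Input"] if n not in routed]
    # to_syslog_bsd() comes from xm_syslog, so that Extension must be loaded.
    loaded = any(re.search(r'^\s*Module\s+xm_syslog\b', b, re.M) for b in blocks["Extension"].values())
    findings += [f"Output {n}: to_syslog_bsd() without xm_syslog Extension"
                 for n, b in blocks["Output"].items() if "to_syslog_bsd" in b and not loaded]
    return findings
```

To check a real file, pass its contents to `lint_nxlog_conf()`; an empty list means every Input is routed and every name in a Route resolves.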
Is the syntax really File “C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-profiler-[0-9]*.log” (double-\\) and not File “C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-profiler-[0-9]*.log” (single-\)?
Hi Erik,
Back when I was testing it in 2014 the \\ is what worked for me. They may have changed this in two years, so I would suggest checking the latest NXlog documentation.
Please, let us know on this page if // or only / worked for you.
Thanks in advance!