{
	"id": "675e56ef-cffd-4ee0-97ad-1f326cb6a164",
	"created_at": "2026-04-06T00:22:12.846403Z",
	"updated_at": "2026-04-10T13:13:06.119223Z",
	"deleted_at": null,
	"sha1_hash": "1ae708a64370c5e8d9415e8b9647535f993e1c2c",
	"title": "Configuring syslog on ESXi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 165126,
	"plain_text": "Configuring syslog on ESXi\r\nArchived: 2026-04-05 20:42:13 UTC\r\nConfiguring syslog on ESXi\r\nbook\r\nArticle ID: 318939\r\ncalendar_today\r\nUpdated On: 02-16-2026\r\nProducts\r\nVMware vSphere ESXi\r\nIssue/Introduction\r\nVMware ESXi hosts run a Syslog service (vmsyslogd) that provides a standard mechanism for logging messages\r\nfrom the VMkernel and other system components. By default in ESXi, these logs are placed on a local scratch\r\nvolume or a ramdisk. To preserve the logs further, ESXi can be configured to place these logs to an alternate\r\nstorage location on disk and to send the logs across the network to a Syslog server.\r\nRetention, rotation, and splitting of logs received and managed by a Syslog server are fully controlled by that\r\nSyslog server. ESXi cannot configure or control log management on a remote Syslog server. Additionally,\r\nforwarding specific log files (e.g. hostd.log or vmkernal.log) to the Syslog server is unsupported. For more\r\ninformation, see the documentation for that specific Syslog server.\r\nEnvironment\r\nVMware vSphere ESXi 7.x \r\nVMware vSphere ESXi 8.x\r\nVMware vSphere ESX 9.x\r\nResolution\r\nTable of Contents\r\nConfiguring Local and Remote Logging using the esxcli command\r\nConfiguring Local and Remote logging using Host Profiles\r\nConfiguring Local and Remote logging using Host Profiles using vSphere Web Client\r\nhttps://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nPage 1 of 5\n\nConfiguring Local and Remote Logging using Advanced Configuration options\r\nThere are five configurable ESXi Advanced Options:\r\nSyslog.global.logDir\r\nThis setting sets the location on a local or remote datastore (VMFS, NFS, FAT) and path where logs\r\nshould be saved to.\r\nHas the format [DatastoreName] DirectoryName which maps to\r\n/vmfs/volumes/ \u003cDatastoreName\u003e/\u003cDirectoryName\u003e/ .\r\nFor ESXi 6.7 and later versions, the log directory must exist before configuring the global logging\r\ndir parameter. If the folder specified as \u003cDirectoryName\u003e does not exist, configuring\r\nSyslog.global.logDir parameter will fail with \" Internal error \" in the UI and \" Logdir must\r\nexist and be a directory \" error message in log file ESXi - /var/run/log/hostd.log.\r\nIf /scratch is defined, the default is []/scratch/log. For more information on scratch, see Creating a\r\npersistent scratch location for ESXi 8.x/7.x/6.x\r\nSyslog.global.logHost -\r\nThis setting is a comma-delimited list of remote servers where logs are sent using the syslog\r\nprotocol.\r\nIf the logHost field is blank, no logs are forwarded.\r\nInclude the protocol and port, similar to:\r\ntcp://hostname:514\r\nudp://hostname:514\r\nssl://hostname:1514 .\r\nSyslog.global.logDirUnique -\r\nThis boolean option setting controls whether a host-specific directory is created within the\r\nconfigured logDir .\r\nThe default value is false .\r\nThe directory name is the hostname of the ESXi host. A unique directory is useful if the same\r\nshared directory is used by multiple ESXi hosts.\r\nSyslog.global.defaultRotate -\r\nThis setting controls the maximum number of log files to keep locally on the ESXi host in the\r\nconfigured logDir.\r\nThe default value is 8.\r\nThis setting does not affect the remote syslog server retention.\r\nSyslog.global.defaultSize\r\nThis setting sets the maximum size, in kilobytes, of each local log file before it is rotated.\r\nThe default value is 1024 KB.\r\nThis setting does not affect the remote syslog server retention.\r\nFor more information on sizing, see ESXi Syslog Options.\r\nNote: To individually set the options for system components such as auth, hostd etc., select the loggers under\r\nsyslog from the vSphere client GUI in Advanced System Settings, and set to desired value (e.g. for hostd,\r\nSyslog.loggers.hostd.rotate and Syslog.loggers.hostd.size ).\r\nhttps://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nPage 2 of 5\n\nConfiguring Local and Remote Logging using the esxcli command\r\nLocal and remote syslog functionality can be configured for a host using the esxcli command line utility, which\r\ncan be used at the console of an ESXi host, in the vCLI, or in the vMA.\r\n1. Open a ESXi shell console session where the esxcli command is available, such as the vCLI or on the\r\nESXi host directly.\r\n2. Display the existing five configuration options on the host:\r\nesxcli system syslog config get\r\n3. Set new host configuration, specifying options to change:\r\nesxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-uniq\r\nExample\r\nTo configure the remote syslog using TCP on port 514:\r\nesxcli system syslog config set --loghost='tcp://\u003csyslog_server_IPv4\u003e:514'\r\nTo remove the remote syslog:\r\nesxcli system syslog config set --reset=loghost\r\n4. After making configuration changes, load the new configuration:\r\nesxcli system syslog reload\r\n5. Test if the port is reachable from the ESXi host:\r\nnc -z \u003cRemoteHostname\u003e 514\r\nExample\r\nnc -z 10.11.12.13 514\r\nConfiguring Local and Remote logging using Host Profiles\r\nLocal and remote syslog functionality can be configured for a cluster of similar hosts using Host Profiles. For\r\nmore information, see Set Up Syslog from the Host Profiles Interface. \r\nhttps://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nPage 3 of 5\n\n1. Connect to vCenter Server using the vSphere Client.\r\n2. Click Home.\r\n3. Under the Management section, click Host Profiles.\r\n4. Create a new profile or edit an existing profile.\r\n5. In the Edit Profile dialog, set one or more of the five configuration options.\r\nIf syslog has been configured using esxcli or advanced configuration options and captured this as\r\na reference host, the 5 configuration options are already visible under the Advanced Configuration\r\noption section.\r\nIf syslog has not been previously configured, right-click the Advanced Configuration options\r\nsection and add a profile for each of the five configuration options.\r\n6. Save the profile and assign it to hosts.\r\nConfiguring Local and Remote logging using Host Profiles using vSphere Web\r\nClient\r\n1. Connect to vCenter Server using vSphere Web Client.\r\n2. Click Home.\r\n3. Under Operations and Policies section, click Host Profiles.\r\n4. Create a new profile or edit an existing profile.\r\n5. In the Edit Profile dialog, set one or more of the five configuration options.\r\n6. Save the profile and assign it hosts.\r\nConfiguring Local and Remote Logging using ESXi Advanced Configuration\r\noptions\r\nLocal and remote syslog functionality can be configured for a host using advanced configuration options, which\r\ncan be set using the vSphere Client, vSphere Web Client, PowerCLI, or vCLI.\r\nThis configuration cannot be performed using the local console's esxcfg-advcfg command. For more\r\ninformation on setting advanced configuration options using each method, see Configuring advanced options for\r\nESXi/ESX.\r\nNote:\r\nEditing the advanced config via the UI will auto restart (“reload”) the “syslogd” service.\r\nIf the ESXi host loses communication with the remote syslog server, logging is no longer pushed to the\r\nsyslog server. This can be confirmed by reviewing the ESXi - /var/log/.vmsyslogd.err file and confirming\r\nthe log message \" failed to write log \" error. Nothing is sent to the remote syslog server until the\r\nsyslogd service is restarted. Restart the service using command \" esxcli system syslog reload \".\r\nAdditional Information\r\nConfiguring ESXi Firewall Exception using the esxcli command/syslog port:\r\nhttps://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nPage 4 of 5\n\nNote: It may be required to manually open the firewall rule set for syslog when redirecting logs. \r\nTo open outbound traffic through the ESXi Firewall on UDP port 514 and TCP ports 514 and 1514:\r\nesxcli network firewall ruleset set --ruleset-id=syslog --enabled=true\r\nesxcli network firewall refresh\r\nTo test if the syslog server is receiving messages from ESXi host:\r\nesxcli system syslog mark --message \"Syslog Test Message\"\r\nWith ESXi 8.0 Update 2b, when configuring syslog remote hosts, or loghosts, with non-standard ports, the\r\nvmsyslogd service automatically creates persistent dynamic firewall rules. It is no longer needed to manually open\r\nthe firewall at ports that are different from the default 514 for TCP/UDP and 1514 for SSL protocols respectively.\r\nWhen configuring remote hosts with the standard ports, it is still required to enable the syslog firewall ruleset.\r\nRefer to VMware ESXi 8.0 Update 2b Release Notes.\r\nExample\r\nesxcli system syslog config set --loghost=tcp://#.#.#.#:12345\r\nesxcli network firewall ruleset rule list | grep dynamic\r\nNote: For versions prior to ESXi 8.0 U2b, if a custom syslog port is needed, the method for opening the port is to\r\nuse a partner-created VIB. See Creating custom firewall rules in VMware ESXi is not supported for more\r\ninformation.\r\nFeedback\r\nWas this article helpful?\r\nthumb_up Yes\r\nthumb_down No\r\nSource: https://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nhttps://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://knowledge.broadcom.com/external/article/318939/configuring-syslog-on-esxi.html"
	],
	"report_names": [
		"configuring-syslog-on-esxi.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434932,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1ae708a64370c5e8d9415e8b9647535f993e1c2c.pdf",
		"text": "https://archive.orkl.eu/1ae708a64370c5e8d9415e8b9647535f993e1c2c.txt",
		"img": "https://archive.orkl.eu/1ae708a64370c5e8d9415e8b9647535f993e1c2c.jpg"
	}
}