Central Syslog Host for ESX - Syslog-ng

Someone may have already written all this, but oh well.

  1. Install something free like Ubuntu Server.

  2. I use Ubuntu because I like Debian and apt-get. So run:

#apt-get install syslog-ng

Running Syslog-ng gives you more than the standard syslog daemon.

  3. Configure syslog-ng to receive UDP logs.

root@hoth:/# cd /etc/syslog-ng/
root@hoth:/etc/syslog-ng# vi syslog-ng.conf

side note: learn VI

Add this after the main source section:

source s_remote { udp(); };

After the destinations:

destination df_remote { file("/var/log/remote.$HOST"); };

The $HOST macro in the file name sorts the logs by the IP of the server, so each sending host gets its own file.

And finally add this to the end of the syslog-ng.conf file:

log { source(s_remote); destination(df_remote); };
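
The three additions above as one fragment, with the settings that decide what $HOST expands to written out. This is an added example, not the author's configuration; the global options, the explicit ip()/port() values and the owner/group/perm settings are assumptions for illustration.

```conf
# Added example: consolidated syslog-ng.conf additions for a remote UDP collector.
# Merge the three option settings into the options { } block your file already has.
options {
    use_dns(no);          # no reverse lookups, so $HOST is the sender's IP address
    keep_hostname(no);    # ignore the hostname field inside the message, which the
                          # sender controls and which would otherwise pick the file name
    chain_hostnames(no);  # keep $HOST a single value, not a relay chain
};

# After the main source section.
# ip(0.0.0.0) and port(514) are the udp() defaults written out explicitly.
# Set ip() to one interface address to listen only on the management network.
source s_remote {
    udp(ip(0.0.0.0) port(514));
};

# After the existing destinations.
# One file per sending host, e.g. /var/log/remote.10.10.10.2
# owner/group/perm are assumed values: readable by root and the adm group only.
destination df_remote {
    file("/var/log/remote.$HOST"
         owner("root") group("adm") perm(0640));
};

# At the end of the file.
log {
    source(s_remote);
    destination(df_remote);
};
```

UDP syslog carries no authentication, so the source address that names each file can be forged; limiting UDP 514 on the collector to the ESX hosts' addresses keeps other machines from creating files under /var/log.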

Now restart the syslog-ng service:

root@hoth:/etc/syslog-ng# service syslog-ng restart
  4. Make changes to the ESX syslog config. Thanks to Tooms.dk: I have been using syslog-ng so much that I needed to find the commands for standard syslog.

> 1. In the /etc/syslog.conf file add this line "*.* @172.16.0.202" without the " and change the IP number to your syslog server's IP
> 2. Restart the syslog service with the command "service syslog restart"
> 3. Open the ESX server firewall with this command "esxcfg-firewall -o 514,udp,out,syslog" to allow syslog outgoing traffic
> 4. Tell the ESX firewall to reload the config with this command "esxcfg-firewall -l"

Now you can tail -f /var/log/remote.10.10.10.2 (or whatever your IP is).

Written on December 18, 2008