Vmware Vsphere

LogZilla App Store application: Vmware Vsphere

Overview

VMware vSphere is a virtualization and cloud computing platform that enables organizations to create, run, and manage virtual machines (VMs) and cloud-based services. It provides a complete virtualization infrastructure, including virtualized computing, networking, storage, and security resources.

vSphere enables multiple operating systems and applications to run on a single physical server or cluster of servers, allowing organizations to consolidate IT infrastructure and reduce hardware costs. Key features include High Availability (HA), Distributed Resource Scheduler (DRS), and Fault Tolerance (FT) for increased reliability and availability of virtualized applications.

App Function

  • Parse VMware vSphere syslog messages from ESXi, vCenter, and vSAN
  • Extract user from RFC 5424 structured data for audit trails
  • Classify events by type (auth, ha, storage, system)
  • Identify ESXi problems from vobd daemon
  • Track HA cluster state changes
  • Provide dashboards for infrastructure monitoring

Vendor Documentation

Device Configuration

VMware events require a dedicated syslog port in LogZilla to enable RFC 5424 structured data parsing. The dedicated port tags incoming events with a source_type that routes them to the VMware parsing rule. Configure LogZilla first, then configure the VMware devices.

LogZilla Configuration

  1. Navigate to Settings > System > Application Ports
  2. Set VMware syslog port to a dedicated port (e.g., 5522)
  3. Click Save

The syslog and parser services reload automatically. Both TCP and UDP listeners are enabled on the configured port.

ESXi Host Configuration

Configure each ESXi host to send syslog via TCP using RFC 5424 format:

  1. Log into the ESXi host via SSH or console
  2. Configure syslog destination with TCP and RFC 5424 formatter:

```bash
esxcli system syslog config set \
  --loghost="tcp://LOGZILLA_IP:1514?formatter=RFC_5424"
esxcli system syslog reload
```

  3. Verify configuration:

```bash
esxcli system syslog config get
```

The firewall automatically opens for non-default ports. For port 514, enable the syslog ruleset:

```bash
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
```

vCenter Appliance Configuration

Configure vCenter to forward syslog to LogZilla:

  1. Log into the vCenter Appliance Management Interface (VAMI) at https://vcenter:5480
  2. Navigate to Syslog > Configuration
  3. Click Configure and add a new remote syslog destination:
    • Server: LogZilla IP address
    • Port: 1514 (or configured port)
    • Protocol: TCP
  4. Select log levels to forward (recommend: info and above)
  5. Click Save

Verification

Generate test events by logging into vCenter or performing a VM operation, then verify events appear in LogZilla with programs like Hostd, vpxd, or vmkernel.

Parsed Metadata Fields

| Tag Name | Example | Description |
|---|---|---|
| Vendor | VMware | Vendor identifier |
| Product | vSphere | Product identifier |
| Event Class | storage | Cross-vendor event classification |
| VMware Service | ESXi | Service type: ESXi, vCenter, vSAN |
| VMware Problem | clock.correction.adjtime.sync | ESXi problem type from vobd |
| VMware HA State | Master | HA cluster state |
| User | vpxuser | Username from RFC 5424 structured data |
| SrcIP | 192.168.1.100 | Source IP from auth events |

Incoming Log Format

VMware vSphere uses RFC 5424 syslog format with structured data:

```text
process[pid]: severity process[pid] [Originator@6876 sub=SUBSYSTEM opID=OPID user=USER] message
```

  • process - VMware daemon name (Hostd, vpxd, vmkernel, Fdm, vobd, etc.)
  • pid - Process ID
  • Originator@6876 - VMware structured data block (SD-ID 6876 is VMware's IANA PEN)
  • sub - Internal subsystem
  • opID - Operation ID for request tracing
  • user - Username performing the operation
  • message - Event description

Supported Programs

| Program | Service | Description |
|---|---|---|
| Hostd | ESXi | Host daemon |
| vmkernel | ESXi | Kernel messages |
| vmkwarning | ESXi | Kernel warnings |
| Vpxa | ESXi | vCenter agent |
| vobd | ESXi | Observer daemon (problems) |
| Fdm | ESXi | Fault Domain Manager (HA) |
| vpxd | vCenter | vCenter daemon |
| vcenter-server | vCenter | vCenter appliance |
| vsan | vSAN | vSAN services |

Event Class Values

The Event Class tag enables cross-vendor dashboards and filtering:

| Value | Description |
|---|---|
| auth | Authentication events (login, logout, password) |
| ha | High availability and failover events |
| storage | Storage events (VMFS, NFS, iSCSI, SCSI) |
| network | Network events (vMotion, portgroup, vSwitch) |
| security | Security events (alarms, audits) |
| system | General system events |

Dashboards

Two Event Class-aligned dashboards provide focused views for different analyst roles:

| Dashboard | Event Class | Purpose |
|---|---|---|
| VMware vSphere: Security | auth | User activity, login tracking, source IPs |
| VMware vSphere: System | system, ha, storage | HA state, problems, errors |

Triggers

| Trigger | Description |
|---|---|
| VMware: HA State Change | HA cluster Master/Slave transitions |
| VMware: Storage Error | Storage events with severity error or worse |
| VMware: ESXi Problem Detected | vobd hardware/driver issues |
| VMware: Kernel Warning | vmkwarning kernel-level issues |
| VMware: Critical System Error | Severity 0-2 on any VMware event |
| VMware: User Login Tracked | Auth events with user (audit trail, no notification) |
| VMware: Privileged User Login | root or [email protected] access |

Log Examples

Hostd Event

```text
info hostd[2101836] [Originator@6876 sub=Libs opID=62a3c433 user=vpxuser]
SlowRefresh: path /vmfs/volumes/65aec72d-3e2d2f46-79e2-0025b5320a0f
```

vmkernel Event

```text
cpu39:2097544)StorageDevice: 7059: End path evaluation for device
naa.600a098038314372395d564664487a57
```

FDM HA Event

```text
info fdm[2100462] [Originator@6876 sub=Cluster opID=SWI-10d63af1]
hostId=host-6031 state=Slave master=host-6047 isolated=false
```

vobd Problem Event

```text
[ClockCorrelator] 697517624666us: [esx.problem.clock.correction.adjtime.sync]
system clock synchronized to upstream time servers
```
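The following is an added example, not LogZilla's own parsing rule or trigger code. It shows how the message format from the Incoming Log Format section can be parsed into the tags listed under Parsed Metadata Fields (user from the Originator@6876 structured data, problem type from vobd, HA state from Fdm, source IP from auth events), how an Event Class value can be assigned from the keywords in the Event Class Values table, and how the Triggers table translates into checks over a parsed event. Input is the four log examples above plus one constructed hostd login line; the keyword lists, the severity-name mapping and the `PRIVILEGED_USERS` set are assumptions.

```python
"""Parse VMware vSphere syslog MSG bodies and evaluate trigger conditions.

Added example; field names follow the page's Parsed Metadata Fields table.
The regexes operate on the part after the syslog header, i.e.
"severity process[pid] [Originator@6876 ...] message".
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Severity keywords as they appear in VMware messages -> RFC 5424 numeric levels (assumed mapping).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "error": 3, "warning": 4,
            "notice": 5, "info": 6, "debug": 7}

HEADER = re.compile(
    r"^(?:(?P<severity>\w+)\s+)?(?P<process>[\w.-]+)\[(?P<pid>\d+)\]\s+"
    r"\[Originator@6876(?P<sd>[^\]]*)\]\s*(?P<message>.*)$")
SD_PARAM = re.compile(r"(\w+)=(\S+)")               # sub=, opID=, user= inside the SD block
PROBLEM = re.compile(r"\[esx\.problem\.([\w.]+)\]")  # vobd problem identifier
HA_STATE = re.compile(r"\bstate=(\w+)")              # Fdm cluster state
SRC_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Keyword lists are an assumption that mirrors the examples in the Event Class Values table.
CLASS_KEYWORDS = [
    ("auth", ("logged in", "logged out", "login", "logout", "password")),
    ("storage", ("vmfs", "nfs", "iscsi", "scsi", "storagedevice", "naa.")),
    ("network", ("vmotion", "portgroup", "vswitch")),
    ("security", ("alarm", "audit")),
]
PRIVILEGED_USERS = {"root"}  # the page also lists a vSphere admin account; add it here


@dataclass
class VMwareEvent:
    raw: str
    process: str = ""
    pid: Optional[int] = None
    severity: Optional[int] = None
    sd: dict = field(default_factory=dict)
    message: str = ""
    event_class: str = "system"
    user: Optional[str] = None
    src_ip: Optional[str] = None
    problem: Optional[str] = None
    ha_state: Optional[str] = None


def parse(line: str, program: str = "") -> VMwareEvent:
    """Extract the page's metadata fields; `program` is the syslog APP-NAME for lines
    such as vmkernel output that carry no 'process[pid]' prefix in the body."""
    ev = VMwareEvent(raw=line, process=program, message=line)
    m = HEADER.match(line)
    if m:
        ev.process, ev.pid, ev.message = m["process"], int(m["pid"]), m["message"]
        ev.severity = SEVERITY.get((m["severity"] or "").lower())
        ev.sd = dict(SD_PARAM.findall(m["sd"]))
        ev.user = ev.sd.get("user")
    low = ev.message.lower()
    if ev.process.lower() == "fdm":          # Fault Domain Manager: always an HA event
        ev.event_class = "ha"
        ha = HA_STATE.search(ev.message)
        ev.ha_state = ha.group(1) if ha else None
    else:
        for cls, words in CLASS_KEYWORDS:
            if any(w in low for w in words):
                ev.event_class = cls
                break
    if ev.event_class == "auth":
        ip = SRC_IP.search(ev.message)
        ev.src_ip = ip.group(1) if ip else None
    prob = PROBLEM.search(ev.message)
    if prob:
        ev.problem = prob.group(1)
    return ev


def triggers(ev: VMwareEvent) -> list:
    """Names of the page's triggers whose condition this event satisfies."""
    fired = []
    if ev.event_class == "ha" and ev.ha_state:
        fired.append("VMware: HA State Change")
    if ev.event_class == "storage" and ev.severity is not None and ev.severity <= 3:
        fired.append("VMware: Storage Error")
    if ev.problem:
        fired.append("VMware: ESXi Problem Detected")
    if ev.process.lower() == "vmkwarning":
        fired.append("VMware: Kernel Warning")
    if ev.severity is not None and ev.severity <= 2:
        fired.append("VMware: Critical System Error")
    if ev.event_class == "auth" and ev.user:
        fired.append("VMware: User Login Tracked")
        if ev.user in PRIVILEGED_USERS:
            fired.append("VMware: Privileged User Login")
    return fired


# Sample input: the page's four log examples plus one constructed hostd login line.
SAMPLES = [
    ("hostd", "info hostd[2101836] [Originator@6876 sub=Libs opID=62a3c433 user=vpxuser] "
              "SlowRefresh: path /vmfs/volumes/65aec72d-3e2d2f46-79e2-0025b5320a0f"),
    ("vmkernel", "cpu39:2097544)StorageDevice: 7059: End path evaluation for device "
                 "naa.600a098038314372395d564664487a57"),
    ("fdm", "info fdm[2100462] [Originator@6876 sub=Cluster opID=SWI-10d63af1] "
            "hostId=host-6031 state=Slave master=host-6047 isolated=false"),
    ("vobd", "[ClockCorrelator] 697517624666us: [esx.problem.clock.correction.adjtime.sync] "
             "system clock synchronized to upstream time servers"),
    ("hostd", "info hostd[2101836] [Originator@6876 sub=Vimsvc.ha-eventmgr opID=1a2b3c4d user=root] "
              "Event 512 : User root@192.168.1.100 logged in as VMware-client/8.0.0"),  # constructed
]

if __name__ == "__main__":
    for program, line in SAMPLES:
        ev = parse(line, program)
        print(f"{ev.process:<9} class={ev.event_class:<8} user={ev.user} ip={ev.src_ip} "
              f"problem={ev.problem} ha={ev.ha_state} triggers={triggers(ev)}")
```

The vmkernel line has no `process[pid] [Originator@6876 ...]` prefix, so its program name has to come from the syslog header rather than the body; that is why `parse` takes the program as a second argument.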