2.7 ESXi Syslog Service
As previously discussed, each ESXi host generates a large number of component logs. In an average day, with default logging settings, each ESXi host generates approximately 250 MB of data. Even with a relatively small number of hosts, querying and correlating this log data when troubleshooting a problem can quickly become very difficult. If you are tasked with maintaining hundreds or even thousands of ESXi hosts and other data center devices, managing logs locally and making use of the information in them can become nearly impossible. However, VMware provides a relatively straightforward solution to this problem: a centralized syslog service.
With a centralized syslog service, each ESXi host runs a local syslog daemon called vmsyslogd, which provides a standard mechanism for logging messages from the VMkernel and other system components and for directing them to a centralized syslog target. By default, ESXi logs are stored on a local scratch volume or on a RAM disk, depending on the host's installation device and configuration. To preserve the logs in a centralized location, the ESXi hosts and other devices must be configured to send their logs across the network, directly to a central syslog server. Alternatively, the logs can be directed to a syslog aggregation server, which in turn forwards the syslog messages to the central syslog location.
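The following added example (not part of the original VMware document) audits a fleet for the condition described above: hosts that keep logs only locally, possibly on a RAM disk, instead of forwarding them to a central target. It assumes the text of `esxcli system syslog config get` has already been collected per host; the host names, addresses and captured output are constructed sample data, and field names can differ between ESXi versions.

```python
# Added example: audit captured `esxcli system syslog config get` output.
# Host names, addresses and the captured text are constructed sample data.
SAMPLE = {
    "esx01.example.test": """
   Local Log Output: /scratch/log
   Local Log Output Is Persistent: true
   Remote Host: ssl://loginsight.example.test:1514
""",
    "esx02.example.test": """
   Local Log Output: /scratch/log
   Local Log Output Is Persistent: false
   Remote Host: <none>
""",
    "esx03.example.test": """
   Local Log Output: /vmfs/volumes/ds1/logs
   Local Log Output Is Persistent: true
   Remote Host: udp://10.0.0.5:514,ssl://loginsight.example.test:1514
""",
}

def parse_config(text):
    """Turn 'Key: value' lines into a dict, splitting on the first colon only."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg

def audit_host(text):
    """Return a list of findings for one host's syslog configuration."""
    cfg, findings = parse_config(text), []
    remote = cfg.get("Remote Host", "<none>")
    targets = [t.strip() for t in remote.split(",") if t.strip() not in ("", "<none>")]
    if not targets:
        findings.append("no remote syslog target")
    for t in targets:
        if not t.startswith("ssl://"):  # udp:// and tcp:// carry logs in cleartext
            findings.append(f"target not TLS-protected: {t}")
    if cfg.get("Local Log Output Is Persistent", "").lower() != "true":
        findings.append("local logs not persistent (lost on reboot)")
    return findings

def audit_fleet(outputs):
    """Map host name -> findings, keeping only hosts with at least one finding."""
    results = {host: audit_host(text) for host, text in outputs.items()}
    return {host: f for host, f in results.items() if f}
```

Calling `audit_fleet(SAMPLE)` returns only the hosts that need attention, which makes the result easy to feed into a ticket or a compliance report.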