3.1 ESXi Host Firewall Configuration
The host firewall must pass traffic to the centralized syslog system. By default, ESXi 6.x does not allow this traffic.
 
To configure an ESXi host to forward its logs to a centralized syslog server, the Syslog.global.LogHost value must be configured in the Advanced Settings panel. The value of this setting represents the remote host to which syslog messages will be forwarded and the port on which the remote host will receive syslog messages. This can be configured with the hostname or IP address, followed by the port number, for example: udp://sysloghost.domain.local:514.
 
The transport protocol you choose, UDP by default, depends on a site’s specific design requirements. TCP and SSL are also supported. The syslog server value can be configured with the hostname or IP address. The remote target system must have a syslog collector installed and be correctly configured to receive the forwarded syslog messages before the hosts sending syslog messages are configured. Otherwise, configured settings will not take effect.
Note: Considerations for the design of centralized syslog collection systems are detailed in Section 3.4, Remote Syslog Design Considerations.
Hosts can be configured in a number of ways to forward syslog messages to a centralized logging system such as vRealize Log Insight. vRealize Log Insight includes the Configure ESXi tool, which can be used to configure the entire ESXi environment for syslog message handling. Other alternatives include esxcli, VMware vSphere PowerCLI™, vCLI through the vSphere Management Assistant, vSphere Host Profiles, or the manual approach described previously.
Note: For more information about configuring hosts for syslog, see Configuring syslog on ESXi 5.x and 6.0 (2003322), at http://kb.vmware.com/kb/2003322.
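The esxcli alternative, run in the ESXi shell of a single host, is sketched below as an added example that is not part of the original document. It rejects a malformed Syslog.global.LogHost value before applying it and then enables the host firewall's syslog ruleset. The function names and the ESXCLI dry-run variable are assumptions of this example, and the validator does not accept IPv6 literals or multiple targets.

```shell
#!/bin/sh
# Added example: apply a validated Syslog.global.LogHost value with esxcli
# and open the ESXi firewall for outbound syslog on one host.
# ESXCLI is a hypothetical override: ESXCLI="echo esxcli" gives a dry run.
ESXCLI="${ESXCLI:-esxcli}"

# Succeed only for proto://host:port, proto in udp|tcp|ssl, port 1-65535.
valid_loghost() {
    target="$1"
    case "$target" in
        udp://*|tcp://*|ssl://*) ;;
        *) return 1 ;;
    esac
    hostport="${target#*://}"
    host="${hostport%:*}"
    port="${hostport##*:}"
    # No ':' at all means the port is missing.
    [ "$host" != "$hostport" ] || return 1
    [ -n "$host" ] || return 1
    # Hostname or IPv4 characters only.
    case "$host" in *[!A-Za-z0-9.-]*) return 1 ;; esac
    # Digits only, at most five of them.
    case "$port" in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Set the log host, reload syslog, then enable and refresh the firewall
# ruleset named "syslog". Stops at the first command that fails.
configure_syslog() {
    valid_loghost "$1" || {
        echo "rejected LogHost value: $1" >&2
        return 2
    }
    $ESXCLI system syslog config set --loghost="$1" &&
        $ESXCLI system syslog reload &&
        $ESXCLI network firewall ruleset set --ruleset-id=syslog --enabled=true &&
        $ESXCLI network firewall refresh
}

# Usage (constructed value): configure_syslog "tcp://sysloghost.example.local:514"
```

Running this per host is the scripted approach; it does not report later drift the way host profiles do.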
If the target environment is licensed for vSphere Host Profiles (currently available only as an Enterprise Plus feature), using host profiles to align all ESXi hosts to an external syslog server is likely the preferred method. Host profiles allow you to standardize the host configuration throughout the vSphere clusters, and they can also be used for other aspects of host configuration and compliance monitoring for a site. vCenter Server reports on any element of configuration that drifts from its configured value.
Other techniques for applying the Syslog.global.LogHost value or modifying the ESXi firewall, such as using scripts or performing a manual alignment, can create a risk of configuration drift or incorrect implementation. In addition, hosts provisioned using Auto Deploy typically do not have sufficient storage to save system logs locally, and they receive their entire configuration through the host profile and answer file. In those environments, hosts must be configured to use centralized syslog forwarding, and that configuration must be applied using host profiles as just described.