vSphere 6.x includes fine-grained control over system logs, the location where logs are sent, and for each log, their default size, rotation policy, and logging levels. In a typical vRealize Log Insight deployment, the amount of local syslog data center traffic will not normally cause any issues and need not be throttled (although throttling might be desirable for other reasons such as consistency and efficiency). If you have remote sites with slower links, possibly in geographically dispersed locations, you might need to throttle log data at the source to reduce the amount of syslog traffic traversing the WAN connections.

The amount of information captured in the log files varies, depending on the level setting. When a log level is configured, only messages with that assigned log level and above are captured in the log files. For example, if the log level is set to Info, log messages will include Info, Warning, and Error level messages only. The following table shows log levels that are available in vSphere.

 

By default, host logging levels vary from service to service. For example, vpxa and the Host Agent are configured to log data at the Verbose level by default, while the hostd service has a default log-level setting of Info.

 

hostd logs are controlled by a setting in the config.xml file, located in the /etc/vmware/hostd subdirectory of an ESXi system.

 

The logging level to choose for a design depends on the specific service provider requirements and whether vRealize Log Insight is intended to be used proactively or reactively.

If the syslog data is to be employed only reactively when a problem is detected, configuring the logging level to Warning might be sufficient. However, if you configure only the Error or Warning level, it might be too late to prevent a problem from occurring, and you might not be able to find the root cause of a problem without Info level log information.

If the provider’s intention is to use the syslog data proactively, Info level logging is more appropriate as a way to gather lower level information, before a problem arises. It is also possible for messages to be logged at the wrong level, for example, error messages being logged as Info and informational logs being marked as Error. It is also possible that Error and Warning messages might be generated so infrequently that you do not know if logging is working properly.

Another aspect to consider for a remote syslog design is the bandwidth available between source and syslog target. When services are logged at the verbose level, a significant amount of data is typically directed to the syslog server. There could be as many as 5000 to 10,000 logs in each 5-minute period, depending on the size of the environment.

By switching the hostagent and vpx levels from verbose to warning, you might see a reduction of
approximately 10 to 15 log messages for the same 5-minute time period. When a design is constrained by limited bandwidth between sites, this drop in log volume could provide a significant savings and have an even larger impact for traffic on the wide area network.

The following services can be easily modified to throttle remote logging on an ESXi 6.x host.

 

You can use the Advanced Settings panel in the vSphere Web Client, as shown in the following figure, to modify individual log-level settings.

 

You can also use vSphere PowerCLI with the Set-AdvancedSetting cmdlet or host profiles to model log-level settings.

While it is possible to modify the logging levels of other components and services to further throttle syslog messages in remote architectures, changing the default configuration of the following files is not supported. Modify the following component levels only if directed by VMware to do so.

 

For more information relating to modifying ESXi component logging levels, see Increasing VMware vCenter Server and VMware ESX/ESXi logging levels (1004795) at http://kb.vmware.com/kb/1004795.

For more information on Enabling trivia logging in VMware vCenter Server (1001584) at http://kb.vmware.com/kb/1001584.