VMware recommends that you configure logging to an external syslog service from all hardware, including ESXi hosts, physical servers, and network components, because the centralization of logs increases administration and security investigation capabilities. By configuring hosts to use a central logging server, aggregate analysis and searches become possible, providing visibility into events that affect multiple hosts.

VMware vRealize Log Insight™ provides a much more comprehensive solution for syslog than the VMware vSphere Syslog Collector or VMware vSphere Management Assistant. vRealize Log Insight gives administrators the ability to consolidate logs, monitor, and troubleshoot vSphere, and perform security auditing and compliance testing. This scalable virtual appliance includes a syslog server, log consolidation tool, and a log analysis tool that works for any type of device that can send syslog data. vRealize Log Insight administrators can also create custom dashboards based on saved queries, which can then be exported, shared, and integrated into VMware vRealize Operations Manager™.

In a multisite architecture, every device for which you would like to collect events is typically configured to send events to a syslog aggregator, and the syslog aggregator is configured to forward events to one or more vRealize Log Insight instances. For more information on designing a single or multisite syslog architecture, refer to the VMware vCloud Architecture Toolkit™ for Service Providers VMware vRealize Log Insight Architecture for Service Providers document.