10.11 ESXi Logging Service
By default, ESXi stores its logs on a local scratch volume or in a RAM disk, depending on the host’s installation device and configuration. To preserve the logs in a centralized location, the ESXi hosts and other devices must be configured to send their logs across the network, either directly to a central syslog server or to a syslog aggregation server, which in turn forwards the syslog messages to the centralized location.
Each ESXi host generates a large number of component logs: on an average day with default logging settings, ~250 MB of data per host. Even with a relatively small number of hosts, querying this log data when troubleshooting a problem quickly becomes very difficult, and correlating the information even more so. When, as a service provider, you are maintaining hundreds or even thousands of hosts across multiple geographically dispersed data centers in different regions, effective log management becomes paramount.
VMware recommends logging messages from the VMkernel, and other system components, to a centralized syslog target such as vRealize Log Insight. For more information on designing a multisite vRealize Log Insight infrastructure, refer to the Designing an Enterprise Syslog Infrastructure with VMware vRealize Log Insight white paper at http://www.vmware.com/files/pdf/Designing-an-Enterprise-Syslog-Infrastructure-with-VMware-vRealize-Log-Insight.pdf. This white paper outlines design options for every aspect of a local or distributed syslog design and provides several sample design scenarios.
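One way to check, and optionally correct, the remote syslog target on every host, as an added PowerCLI example that is not part of the original guide. It assumes an existing `Connect-VIServer` session to vCenter Server; the collector URL and the script's parameter names are placeholders.

```powershell
# Added example (not from the original guide). Assumes VMware PowerCLI is loaded
# and Connect-VIServer has already been run against vCenter Server.
# $ExpectedLogHost is a placeholder; substitute your collector or aggregator.
param(
    [string]$ExpectedLogHost = 'tcp://syslog.example.internal:514',
    [switch]$Remediate
)

$report = foreach ($vmhost in Get-VMHost) {
    # Disconnected or unresponsive hosts cannot be queried; report them instead of failing.
    if ($vmhost.ConnectionState -notin 'Connected', 'Maintenance') {
        [pscustomobject]@{ Host = $vmhost.Name; LogHost = $null; Status = 'Unreachable' }
        continue
    }

    $setting = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost'
    # The setting may hold several comma-separated targets.
    $targets = @("$($setting.Value)" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    if ($targets -contains $ExpectedLogHost) {
        $status = 'Compliant'
    }
    elseif ($Remediate) {
        # Append rather than overwrite, so existing targets keep receiving logs.
        $newValue = (@($targets) + $ExpectedLogHost) -join ','
        Set-AdvancedSetting -AdvancedSetting $setting -Value $newValue -Confirm:$false | Out-Null
        # Open the outbound syslog rule in the ESXi firewall.
        Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog' |
            Set-VMHostFirewallException -Enabled:$true | Out-Null
        # Make the syslog service pick up the new configuration.
        (Get-EsxCli -VMHost $vmhost -V2).system.syslog.reload.Invoke() | Out-Null
        $status = 'Remediated'
    }
    elseif ($targets.Count -eq 0) { $status = 'NoRemoteTarget' }
    else { $status = 'UnexpectedTarget' }

    [pscustomobject]@{
        Host    = $vmhost.Name
        # Re-read so the report shows the value actually in effect.
        LogHost = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
        Status  = $status
    }
}

$report | Sort-Object Status, Host | Format-Table -AutoSize
```

Run without `-Remediate` first to get a read-only compliance report; hosts reported as `NoRemoteTarget` are keeping logs only on local scratch or RAM disk.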
Previously, when an administrator executed an action from vCenter Server against an ESXi server, the administrator’s user name was not recorded in the ESXi logs; the action was logged as vpxuser. In vSphere 6.0, however, the user name with which the administrator is logged in to vCenter Server is included in the log entries for the action that executes against ESXi.
Figure 38. vSphere Audit Trail Logging
This new functionality provides better forensics and auditing. In vSphere 6.0, all actions, including parent actions taken on vCenter Server and child actions run on ESXi hosts for user CORP\smithj (for instance), can be tracked in vRealize Log Insight and other logging solutions. Matching user names to actions provides accountability, auditing, and forensics and is a key requirement of compliance objectives.