Tuesday, February 9, 2016

ESX Syslog - Loud and Proud

We recently started pumping our ESX syslog data to our centralized syslog server and quickly found out that ESX likes to talk. We noticed our ESX servers were clocking hundreds of millions of logs, a lot of info which we probably don't need. What we found was that, by default, ESX is set to send verbose logs... which is essentially Debug and above.

See the below table for all severity levels and a short description.
This table is borrowed from the Syslog Wikipedia page...

Severity level

| Value | Severity | Keyword | Description | Examples |
|-------|----------|---------|-------------|----------|
| 0 | Emergency | emerg | System is unusable | This level should not be used by applications. |
| 1 | Alert | alert | Should be corrected immediately | Loss of the primary ISP connection. |
| 2 | Critical | crit | Critical conditions | A failure in the system's primary application. |
| 3 | Error | err | Error conditions | An application has exceeded its file storage limit and attempts to write are failing. |
| 4 | Warning | warning | May indicate that an error will occur if action is not taken. | A non-root file system has only 2GB remaining. |
| 5 | Notice | notice | Events that are unusual, but not error conditions. | |
| 6 | Informational | info | Normal operational messages that require no action. | An application has started, paused or ended successfully. |
| 7 | Debug | debug | Information useful to developers for debugging the application. | |
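To see how much of the incoming volume each severity accounts for before picking a level, the following added example (not part of the original post) decodes the `<PRI>` header of raw syslog lines and tallies them against the table above. It assumes the lines still carry the `<PRI>` prefix as received on the wire; the sample lines, hostname and message text are constructed.

```python
import re
from collections import Counter

# Keywords from the severity table above, indexed by numeric value.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from a line starting with <PRI>, else None.

    PRI = facility * 8 + severity, so 191 (23 * 8 + 7) is the highest valid value.
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return divmod(pri, 8)

def severity_counts(lines):
    """Count messages per severity keyword; lines without a PRI go under 'unparsed'."""
    counts = Counter()
    for line in lines:
        decoded = decode_pri(line)
        counts[SEVERITIES[decoded[1]] if decoded else "unparsed"] += 1
    return counts

def kept_at(counts, threshold):
    """Number of parsed messages at `threshold` severity or more severe (lower value)."""
    limit = SEVERITIES.index(threshold)
    return sum(counts[name] for name in SEVERITIES[: limit + 1])

# Constructed sample lines (hostname and message text are made up for illustration).
SAMPLE = [
    "<167>2016-02-09T10:00:01Z esx01 Hostd: verbose task state change",
    "<167>2016-02-09T10:00:01Z esx01 Hostd: verbose property update",
    "<167>2016-02-09T10:00:02Z esx01 Vpxa: verbose heartbeat",
    "<166>2016-02-09T10:00:03Z esx01 Hostd: info session opened",
    "<164>2016-02-09T10:00:04Z esx01 Hostd: warning datastore low on space",
    "<163>2016-02-09T10:00:05Z esx01 Hostd: error failed to open file",
    "2016-02-09T10:00:06Z esx01 line stored without its PRI header",
]

if __name__ == "__main__":
    counts = severity_counts(SAMPLE)
    for name in SEVERITIES:
        print(f"{name:8} {counts[name]:4}  kept at this threshold: {kept_at(counts, name)}")
    print(f"unparsed {counts['unparsed']:4}")
```

Many syslog servers drop the `<PRI>` header when writing to disk; in that case the lines land in the `unparsed` bucket and the tally has to be taken from a capture or from a template that records the severity.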

To tone this down a bit you can change the level at which ESX sends logs.
For ESX 3.5/4.1 see the following link...

For ESX 5.1+

Using vSphere, click on the host you want to manage, then choose the Configuration tab of the host.

Under Software | Advanced Settings | Config | HostAgent | log

Decrease the config.HostAgent.log.level to 'panic', 'error', 'warning' or 'info' rather than 'verbose'.


