All ESXi hosts run a syslog service (vmsyslogd), that logs messages from the VMkernel and other system components to log files. The log destination can be configured from the vSphere Client; select the host and click Configure | Settings | Advanced System Settings. By default, the Syslog.global.logDir parameter is set to [] /scratch/log.

ESXi can be configured to store log files on an in-memory filesystem.  This occurs when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day's worth of logs is stored at a time. For more information on ESXi partitions, see Chapter 5, Configuring and Managing vSphere 6.5.

You can also set a syslog server, both with the GUI (under the advanced settings) or with the CLI, for example, from ESXi Shell:

esxcli system syslog config set –loghost tcp://SYSLOG_SERVER:514
esxcli system syslog reload

You can use more syslog servers, using a comma, or also use SSL connections instead of clear TCP (or UDP); in this case, you must use the syntax ssl://SYSLOG_SERVER:1514.

For more information, see KB 2003322—Configuring syslog on ESXi at https://kb.vmware.com/kb/2003322.

You can use an external third-party syslog server or the following VMware solutions:

• VMware Syslog Collector, included in vCenter Server. It supports TLS protocol versions 1.0, 1.1, and 1.2. But it does not have a simple way to analyze the log.
• VMware vRealize Log Insight server, a dedicated product also used to correlate different logs and get to the root cause of issues more quickly and efficiently.

vRealize Log Insight 3.3.2 and above, will accept the vCenter Server Standard 6.x or 5.x license key and provide 25 OSI pack (syslog sources).

For more information on Log Insight, see the VMware KB 2144909—FAQ: Log Insight for vCenter Server at http://kb.vmware.com/kb/2144909.