ESXi runs a syslog service (vmsyslogd) that logs messages from the VMkernel and other system components to log files. The log destination can be configured from the vSphere Client: select the host and click Configure | Settings | Advanced System Settings. By default, the Syslog.global.logDir parameter is set to /scratch/log.
ESXi can be configured to store log files on an in-memory filesystem. This happens when the host's /scratch directory is linked to /tmp/scratch. When this is done, only a single day of logs is stored at a time. For more information on ESXi partitions.
You can also set a syslog server, either with the GUI (under the advanced settings) or with the CLI, for example, from ESXi Shell:
esxcli system syslog config set --loghost tcp://SYSLOG_IP:514
esxcli system syslog reload
You can specify more than one syslog server by separating the entries with commas. You can also use SSL connections instead of plain TCP (or UDP); in this case, you must use the syntax ssl://SYSLOG_SERVER:1514.
For more information, see KB 2003322: Configuring syslog on ESXi at https://kb.vmware.com/kb/2003322.
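A loghost value can mix several comma-separated targets and transports, so it helps to check it before applying it. The following is an added example, not code from the original page or from VMware: the function names check_loghost and apply_loghost, the hostnames, and the policy of refusing plaintext targets are assumptions of this example.

```sh
#!/bin/sh
# Added example, not VMware code. Hostnames below are constructed placeholders.
# Assumptions: every target has an explicit port (as in the page's
# tcp://SYSLOG_IP:514 form) and hosts are DNS names or IPv4 addresses.

# check_loghost VALUE
#   Prints "<class> <target>" per comma-separated target; class is ssl,
#   plaintext (tcp:// or udp://) or invalid.
#   Status: 0 = all ssl, 1 = some plaintext, 2 = some invalid.
check_loghost() (
    rc=0
    IFS=,      # split on commas only; the subshell body keeps this local
    set -f     # no filename expansion on the unquoted $1
    for target in $1; do
        case $target in
            ssl://*)         class=ssl ;;
            tcp://*|udp://*) class=plaintext ;;
            *)               class=invalid ;;
        esac
        hostport=${target#*://}
        host=${hostport%:*}
        port=${hostport##*:}
        case $hostport in *:*) ;; *) class=invalid ;; esac
        case $host in ''|*[!A-Za-z0-9._-]*) class=invalid ;; esac
        case $port in ''|*[!0-9]*|??????*) class=invalid ;; esac
        if [ "$class" != invalid ] &&
           { [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; }; then
            class=invalid
        fi
        case $class in
            plaintext) if [ "$rc" -eq 0 ]; then rc=1; fi ;;
            invalid)   rc=2 ;;
        esac
        echo "$class $target"
    done
    exit "$rc"
)

# apply_loghost VALUE (ESXi Shell only): this example's own policy is to
# refuse any value that is not all-ssl before running the page's commands.
apply_loghost() {
    check_loghost "$1" >&2 || { echo "refusing: $1" >&2; return 1; }
    esxcli system syslog config set --loghost="$1" &&
        esxcli system syslog reload
}

check_loghost 'ssl://logs1.example.test:1514,tcp://192.0.2.10:514' || true
```

Run as written, the last line only classifies the constructed sample value; nothing is changed on a host unless apply_loghost is called explicitly from ESXi Shell.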
You can use an external third-party Syslog Server or the following VMware solutions:
- VMware Syslog Collector: Included in vCenter Server. It supports TLS protocol versions 1.0, 1.1, and 1.2. However, it does not have a simple way to analyze logs.
- VMware vRealize Log Insight server: A dedicated product also used to correlate different logs and get to the root cause of issues more quickly and efficiently.