VMware Syslogs

charles_stemaly · July 23, 2021, 6:12pm

VMware ESXi hosts only can forward logs via TCP:514, UDP:514, and SSL:1514.

I have 2 IDR servers, but 6 (and growing) VMware hosts. There’s no integration (sad face), so how are you guys ingesting syslogs from VMware ESXi hosts?

I can only put an event source on one port, so right now I could have 4… I think I need something in the middle to listen on UDP port 514, say “This is from host 1, so send it to IDRServer1 Port 9001” or “This is from host 2, so send it to IDRServer1 Port 9002”.

Any help appreciated!

david_smith · July 23, 2021, 6:42pm

Hi Charles,

you are right you can only use a port/protocol once per collector. However you can send multiple sources to that one port, the caveat here is that all of those sources will be under the same log in log search.

If this is not desirable you could leverage something like this

Which is feed splitting using syslog-ng

David

charles_stemaly · July 23, 2021, 9:17pm

Frickin sweet! Fist Bump! Thank you so much you made my day!

sdomscheit · August 20, 2021, 10:40pm

We use VMware Log Insight so that you can forward the syslog traffic to IDR through a specified port.