ELK with Vmware

So the first thing to do is enable SSH on the vmware host (and do NTP if you haven’t already)

then get the configs of your esxi server run the below command and your output should be similar

esxcli system syslog config get


Then Set up the remote host with the following command and your output should be similar:

esxcli system syslog config set –loghost=’tcp://$HOSTNAME:$PORTNUMBER’


NoW check to see if your firewall is disabled

~ # nc -v $HOSTNAME $PORT
Connection to $HOSTNAME $PORT port [tcp/*] succeeded

if you get that great! if you don’t then do the following:

esxcli network firewall ruleset set –ruleset-id=syslog –enabled=true
esxcli network firewall refresh

By Default vmware like using the ports UDP port 514, TCP port 514, and 1514. I would recommend using those for you log stash port.

Once you adjust the firewall run the nc -v $HOSTNAME $PORT and it should work!

To remove old logs install curator and set crontab to :

30 0 * * * /usr/bin/curator –host delete –older-than 180
40 0 * * * /usr/bin/curator –host close –older-than 180

and you should be good!

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *