So the first thing to do is enable SSH on the VMware host (and set up NTP if you haven't already).
Then get the current syslog config of your ESXi server. Run the command below and your output should be similar:
esxcli system syslog config get
Then set up the remote host with the following command and your output should be similar:
esxcli system syslog config set --loghost='tcp://$HOSTNAME:$PORTNUMBER'
Now check whether your firewall is blocking the connection:
~ # nc -v $HOSTNAME $PORT
Connection to $HOSTNAME $PORT port [tcp/*] succeeded
If you get that, great! If you don't, then do the following:
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
By default VMware likes to use UDP port 514, TCP port 514, and 1514. I would recommend using those for your Logstash port.
Once you adjust the firewall, run nc -v $HOSTNAME $PORT again and it should work!
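A successful nc connection only shows that the port is reachable, not that log lines are arriving. As an added example (not from the original post), this Python listener can stand in for Logstash on the chosen port and decode what the host sends; port 1514, the host name esx01.example.local and the line layout of the constructed sample are assumptions.

```python
import re
import socketserver

# Syslog facility and severity names, indexed by number (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed layout: <PRI>TIMESTAMP HOST TAG: MESSAGE
LINE_RE = re.compile(r"^<(\d{1,3})>(\S+) (\S+) ([^:\s]+): ?(.*)$")

def parse_line(line):
    """Return a dict for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m or int(m.group(1)) > 191:  # highest valid PRI is 23*8+7
        return None
    pri = int(m.group(1))
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": m.group(2), "host": m.group(3),
            "tag": m.group(4), "message": m.group(5)}

def parse_stream(data):
    """Split a newline-framed TCP payload; return (parsed, unparsed_count)."""
    parsed, bad = [], 0
    for raw in data.decode("utf-8", errors="replace").splitlines():
        rec = parse_line(raw)
        if rec:
            parsed.append(rec)
        elif raw.strip():
            bad += 1
    return parsed, bad

class Handler(socketserver.StreamRequestHandler):
    # The host field is sender-supplied, so print the peer IP next to it.
    def handle(self):
        for raw in self.rfile:  # one message per line over TCP
            rec = parse_line(raw.decode("utf-8", errors="replace"))
            print(self.client_address[0], rec or "UNPARSED %r" % raw)

# Constructed sample, not captured from a real host.
SAMPLE = (b"<166>2014-05-01T12:00:00.123Z esx01.example.local Hostd: [constructed] Task completed\n"
          b"<13>2014-05-01T12:00:01.000Z esx01.example.local shell[1234]: constructed command\n"
          b"not a syslog line\n")

if __name__ == "__main__":
    PORT = 1514  # assumed: the same port given to --loghost
    with socketserver.TCPServer(("0.0.0.0", PORT), Handler) as srv:
        srv.serve_forever()
```

Run it on the receiving host while Logstash is not bound to the port, then stop it once parsed lines from the ESXi host appear.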
To remove old logs, install curator and set crontab to:
30 0 * * * /usr/bin/curator --host 127.0.0.1 delete --older-than 180
40 0 * * * /usr/bin/curator --host 127.0.0.1 close --older-than 180
And you should be good!