How to validate vRealize Log Insight 4.x is receiving syslog events from clients



Article ID: 324360


Updated On:


VMware Aria Suite


  • vRealize Log Insight is not receiving syslog events as expected from syslog clients.
  • Validation that vRealize Log Insight is receiving the syslog events is needed.


VMware vRealize Log Insight 4.x


To validate at the network level whether vRealize Log Insight is receiving events, use tcpdump on the Log Insight nodes by following the steps below:
  1. SSH to each node in the vRealize Log Insight cluster.
  2. Run the below command on each node.

tcpdump -nAs0 -i eth0 host <syslog_client_IP> and port syslog | grep -i -B1 <searching_event_pattern>

Note: replace <syslog_client_IP> and <searching_event_pattern> with the correct values as needed. You can additionally remove the | grep -i -B1 <searching_event_pattern> portion from the command to confirm that any traffic at all is arriving from the source client.

Example: tcpdump -nAs0 -i eth0 host and port syslog | grep -i -B1 vpxa

  3. Watch each node to see if the events come through as expected. You can grep for specific logging level types such as DEBUG, INFO, WARN, or ERROR, or you can grep for text expected in the fields.
  4. If the expected logs do not show in tcpdump, further review of the network path from the syslog client to vRealize Log Insight is needed, or further review of the syslog client side configuration (such as logging levels or syslog config) is needed.
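As an added example (not part of this KB or of the product), a small client-side helper that sends one syslog test event carrying a unique marker, so that the tcpdump grep on the Log Insight node has a known pattern to match instead of waiting for a real event. The hostname "testclient", the app name "li-syslog-check", the marker format and port 514 are assumptions.

```python
import socket
import time
import uuid

# RFC 3164 PRI = facility * 8 + severity; local0/informational marks synthetic test events.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6


def new_marker():
    """Unique token to grep for on the Log Insight node (constructed format)."""
    return "LI-CHECK-" + uuid.uuid4().hex[:12]


def build_message(marker, hostname="testclient", app="li-syslog-check",
                  facility=FACILITY_LOCAL0, severity=SEVERITY_INFO, when=None):
    """Return an RFC 3164 line: <PRI>Mmm dd hh:mm:ss host app: marker.
    `when` is an optional "YYYY-mm-dd HH:MM:SS" string (defaults to now)."""
    t = time.strptime(when, "%Y-%m-%d %H:%M:%S") if when else time.localtime()
    # RFC 3164 pads the day with a space, not a zero ("Jan  5").
    ts = "%s %2d %02d:%02d:%02d" % (time.strftime("%b", t), t.tm_mday,
                                    t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, ts, hostname, app, marker)


def parse_pri(line):
    """Return (facility, severity) from a syslog line, or None if the PRI is malformed."""
    if not line.startswith("<"):
        return None
    end = line.find(">")
    if end < 2 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:  # max facility 23, max severity 7
        return None
    return pri // 8, pri % 8


def node_capture_command(client_ip, marker):
    """The KB's tcpdump command with the client IP and the marker filled in."""
    return ("tcpdump -nAs0 -i eth0 host %s and port syslog | grep -i -B1 %s"
            % (client_ip, marker))


def send_test_event(target_ip, marker, port=514, proto="udp"):
    """Send one test event; then grep for the marker in tcpdump on the node."""
    payload = build_message(marker).encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (target_ip, port))
    else:  # plain TCP syslog, newline-delimited
        with socket.create_connection((target_ip, port), timeout=5) as s:
            s.sendall(payload + b"\n")
    return payload
```

Start the tcpdump command from node_capture_command() on the node first, then call send_test_event() from the client; if the marker never appears in the capture, the problem is on the network path or the client, not in Log Insight ingestion.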


Additional Information

Note: tcpdump is not included in 4.6.x and later releases. To install tcpdump for these versions, please reach out to VMware Support.

Client Side Validation: 


To validate from ESXi that the syslog messages are being sent, execute the following command via SSH: tcpdump-uw -nAs0 -i <host_VMK_ID> host <Log_Insight_IP> | grep -i <searching_event_pattern>
Note: Replace <host_VMK_ID>, <Log_Insight_IP>, and <searching_event_pattern> with their corresponding values. An example of this command would be: tcpdump-uw -nAs0 -i vmk1 host  | grep -i sshd