When attempting to patch vCenter Server, the process fails with the error "Exception occurred in postInstallHook for rsyslog:Patch". This issue may occur in environments where custom syslog forwarding is configured, such as forwarding logs to external systems like Splunk.

- vCenter Server version attempting upgrade
- Custom syslog forwarding configured (e.g., to Splunk)

The patching process encounters difficulties restarting the rsyslog service after applying patches due to custom syslog configurations. This prevents the successful completion of the upgrade.

To resolve this issue, follow these steps:

1. Connect to the vCenter Server using SSH.

2. Create or modify the following file:
   /etc/vmware-syslog/vmware-services-sso-new.conf

3. Add the following content to the file:
   ```
   #sso auth log
   input(type="imfile"
   File="/var/log/audit/sso-events/audit_events.log"
   Tag="sso-audit-events"
   PersistStateInterval="200"
   Severity="info"
   Facility="auth")
   ```

4. Save and close the file.

5. Restart the rsyslog service:
   a. Run the command:
       systemctl restart rsyslog
   b. Verify the service status:
       systemctl status rsyslog

6. If the rsyslog service starts successfully, attempt the vCenter Server patching process again.

- This solution maintains the functionality of rsyslog and log forwarding after the patching process.

For more information on configuring syslog in vCenter Server, refer to:

• Configure Syslog on ESXi Hosts (VMware vSphere 7.0)
• Configuring System Logging
• Configuring ESXi Syslog Services​