Troubleshooting Syslog Traffic from HCX Manager to vRealize Log Insight (vRLI)

Article ID: 393480

Updated On:

Products

VMware HCX

VMware vRealize Log Insight 8.x

Issue/Introduction

When configuring syslog traffic from HCX Manager to vRealize Log Insight (vRLI), it may be necessary to confirm that traffic is successfully sent and received. This article provides a step-by-step guide for troubleshooting and verifying syslog communication between HCX Manager and vRLI.

Environment

VMware HCX

VMware vRealize Log Insight

Cause

When vRLI is not collecting syslog data from HCX as expected, the issue can result from:

  • Incorrect syslog configuration on HCX Manager
  • Network connectivity issues or firewall blocks
  • Misconfiguration on the vRLI server
  • Port 514 (default syslog port) not being properly open

Resolution

Follow these steps to verify syslog traffic between HCX Manager and vRLI:

Step 1: Verify Syslog Configuration in HCX Manager

  1. Log in to the HCX Manager user interface
  2. Navigate to Administration > System > Syslog
  3. Confirm the vRLI server IP address is correctly configured
  4. Verify that the correct port (typically 514) is specified
  5. Ensure the syslog service is enabled

For detailed instructions on configuring a remote syslog server in HCX Manager, refer to: Adding a Remote Syslog Server

Step 2: Verify Syslog Traffic from HCX Manager

If no logs are visible in the vRLI UI, perform a packet capture from inside the HCX Manager:

  1. Access the HCX Manager command line with root privileges
  2. Execute the following command to capture syslog packets:
     
    tcpdump -i eth0 port 514
  3. Monitor the output to confirm traffic is being sent to the vRLI server IP address

For instructions on accessing the HCX Manager shell, refer to: Logging in to the HCX Manager Shell
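
The Step 2 capture can also be interpreted by a script. The following is an added example, not part of the original article or of any VMware tooling: it classifies saved text output of the Step 2 command, assuming `-nn` was added so that addresses and ports print numerically. The function names, verdict strings and sample addresses are illustrative assumptions.

```shell
#!/bin/sh
# Added example: classify saved text output of `tcpdump -nn -i eth0 port 514`.
# Usage: classify_capture HCX_IP VRLI_IP [PORT] < capture.txt
classify_capture() {
  awk -v hcx="$1" -v vrli="$2" -v port="${3:-514}" '
    $2 != "IP" { next }                        # skip banners and non-IPv4 lines
    {
      src = $3; dst = $5; sub(/:$/, "", dst)   # both look like a.b.c.d.port
      out  = (index(src, hcx ".") == 1 && dst == (vrli "." port))
      back = (src == (vrli "." port) && index(dst, hcx ".") == 1)
      tcp  = ($0 ~ /Flags \[/)                 # tcpdump prints flags for TCP only
      if (out && !tcp) udp++                   # UDP syslog datagram left HCX
      if (out && tcp)  tcp_out++               # TCP segment left HCX
      if (back && tcp && $0 ~ /Flags \[R/)  rst++       # reset came back
      if (back && tcp && $0 !~ /Flags \[R/) tcp_back++  # SYN-ACK or ACK came back
    }
    END {
      if (tcp_back)     print "tcp-two-way"          # vRLI answers on the port
      else if (rst)     print "tcp-reset"            # port closed or actively rejected
      else if (tcp_out) print "tcp-no-reply"         # likely dropped on the path
      else if (udp)     print "udp-sent-unconfirmed" # UDP has no acknowledgement
      else              print "no-traffic-from-hcx"  # recheck the Step 1 settings
    }'
}

# Constructed sample capture (not real data): two SYN attempts answered by resets.
sample_capture() {
  printf '%s\n' \
    'listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes' \
    '12:00:01.000001 IP 10.0.0.10.45122 > 10.0.0.20.514: Flags [S], seq 100, win 64240, length 0' \
    '12:00:01.000402 IP 10.0.0.20.514 > 10.0.0.10.45122: Flags [R.], seq 0, ack 101, win 0, length 0' \
    '12:00:02.000001 IP 10.0.0.10.45124 > 10.0.0.20.514: Flags [S], seq 200, win 64240, length 0' \
    '12:00:02.000398 IP 10.0.0.20.514 > 10.0.0.10.45124: Flags [R.], seq 0, ack 201, win 0, length 0'
}

sample_capture | classify_capture 10.0.0.10 10.0.0.20   # prints: tcp-reset
```

A `tcp-no-reply` or `tcp-reset` verdict points to the checks in Step 4. `udp-sent-unconfirmed` means the sender side looks correct, and receipt still has to be confirmed with the Step 3 capture.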

Step 3: Verify Syslog Traffic is Received by vRLI Host

Perform a packet capture on the destination ESXi host where the vRLI appliance is running:

  1. Access the ESXi host command line
  2. Find the switchport for the vRLI VM:
     
    net-stats -l
  3. Using the switchport value from the previous command, run:
     
    pktcap-uw --switchport <switchport> --capture VnicTx,VnicRx --ip <HCX Manager IP> -o - | tcpdump-uw -enr -
  4. Monitor for traffic coming from the HCX Manager IP address to port 514

For additional details on packet capture in ESXi, refer to: Packet capture on ESXi using the pktcap-uw tool

Step 4: Troubleshoot Network Path

If the packet capture confirms that syslog traffic is not being received:

  1. Verify there are no firewalls blocking port 514 between HCX Manager and vRLI
  2. Check for any routing issues between the two systems
  3. Confirm both systems can communicate using a basic ping test
  4. Verify vRLI is correctly configured to receive syslog data

If the error persists after following these steps, contact Broadcom Support for further assistance.

For additional support, please open a case with Broadcom Support and reference this KB article. For more details, refer to Creating and managing Broadcom support cases.