The configured syslog server is not receiving logs from a vCenter Server Appliance (VCSA), and the syslog server status on the vCenter VAMI page (e.g., https://<Vcenter IP>:5480) shows as 'unknown'.
VMware vCenter Server 7.x
VMware vCenter Server 8.x
The inability of the syslog server to receive logs from vCenter Server, coupled with an 'unknown' status in VAMI, indicates a network or firewall-related connectivity issue between the vCenter Server and the syslog server.
Potential causes include:
Network Reachability: The vCenter Server cannot establish basic network communication (e.g., ping) with the syslog server due to routing, switching, or network segmentation.
Port Connectivity: Required syslog ports (commonly UDP 514 for standard syslog, or TCP 6514 for syslog over TLS/SSL) are blocked by a firewall or are not listening on the syslog server.
Resolve the syslog connectivity issue by performing the following steps:
Step 1: Verify Basic Network Connectivity (Ping)
From the vCenter Server Appliance (VCSA) SSH session, ping the syslog server to confirm basic network reachability.
ping <syslog_server_IP_or_hostname>
If ping fails: A fundamental network reachability problem exists. Perform a traceroute to identify the packet drop location.
traceroute <syslog_server_IP_or_hostname>
Analyze the traceroute output. If incomplete hops or packet loss occur before reaching the syslog server, engage the network team to investigate potential routing, switching, or network firewall issues.
If ping succeeds: Basic network reachability is confirmed. Proceed to Step 2 to verify port-level connectivity.
Step 2: Verify Port Connectivity (netcat)
If basic ping connectivity is successful, check if the vCenter Server can establish a connection to the required syslog port on the syslog server. The specific port depends on your syslog configuration (e.g., UDP 514, TCP 6514). From the vCenter Server Appliance (VCSA) SSH session, use the nc (netcat) utility:
For TCP Port (e.g., 6514 for Syslog over TLS):
nc -zv <syslog_server_IP_or_hostname> <TCP_Port>
For UDP Port (e.g., 514 for standard Syslog):
nc -zuv <syslog_server_IP_or_hostname> <UDP_Port>
If the nc command fails (e.g., "Connection refused" or "timeout"): The specified port is either blocked by a firewall or not listening on the syslog server.
Step 3: Review vCenter Syslog Configuration
After resolving any identified network or firewall connectivity issues, verify the syslog configuration within the vCenter VAMI (https://<vcenter_ip>:5480) under the Syslog section. Ensure the syslog server IP address or hostname, protocol (UDP/TCP), and port are configured correctly.
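The Step 2 port checks can be wrapped so that each nc result is turned into a verdict that says where to look next. This is an added example, not part of the original article; the function names, verdict words and 5-second timeout are assumptions. It treats a "successful" UDP check as inconclusive, because UDP has no handshake and nc reports success whenever no ICMP error comes back.

```shell
#!/bin/sh
# Added example, not part of the KB article. Function names, verdict words
# and the timeout value are assumptions chosen for illustration.

# classify_nc PROTO EXIT_CODE NC_OUTPUT -> prints one verdict word
classify_nc() {
    proto=$1; rc=$2; out=$3
    case "$out" in
        *[Rr]efused*)
            # A TCP RST or ICMP port-unreachable came back: the host is
            # reachable, but nothing listens there or a firewall rejects it.
            echo "closed"; return 0 ;;
        *"timed out"*|*[Tt]imeout*|*TIMEOUT*)
            # No answer at all: typical of a firewall silently dropping packets.
            echo "filtered"; return 0 ;;
        *"No route"*|*unreachable*)
            # Routing problem: go back to Step 1 (ping / traceroute).
            echo "unreachable"; return 0 ;;
    esac
    if [ "$rc" -ne 0 ]; then
        echo "failed"
    elif [ "$proto" = "udp" ]; then
        # UDP has no handshake, so nc reports success whenever no ICMP error
        # arrives. That does not prove the syslog server is listening.
        echo "inconclusive"
    else
        echo "open"
    fi
}

# check_syslog_port HOST PORT tcp|udp : runs the Step 2 nc command with a
# 5-second timeout (-w) and prints the classified result.
check_syslog_port() {
    host=$1; port=$2; proto=$3
    if [ "$proto" = "udp" ]; then flags="-zuv"; else flags="-zv"; fi
    out=$(nc $flags -w 5 "$host" "$port" 2>&1) && rc=0 || rc=$?
    echo "$proto/$port on $host: $(classify_nc "$proto" "$rc" "$out")"
}

# Usage: sh check_syslog.sh <syslog_server_IP_or_hostname> <port> tcp|udp
if [ "$#" -eq 3 ]; then
    check_syslog_port "$1" "$2" "$3"
fi
```

When the UDP verdict is "inconclusive", confirm delivery on the syslog server itself by checking that messages from the vCenter Server actually arrive.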