Syslog forwarding using Aria Operations Cloud Proxy for Log Forwarding is not working


Article ID: 404702


Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • You have Aria Operations for Logs 8.18.x deployed and integrated with Aria Operations 8.18.x
  • vSphere integration in Aria Operations for Logs for other host(s) and VC(s) is working as expected
  • You need to use the Log Forwarding capabilities of the Cloud Proxy due to network restrictions between Aria Operations for Logs and the ESXi Host
  • Searching within Aria Operations for Logs, you are not seeing any logs from the host or cloud proxy by their hostname or IP address 
  • There are no external firewalls and all devices are on a single /24 network
  • The cloud proxy has been deployed successfully from the Cloud Proxies page in Aria Operations and it is showing as 'Activated' for Log Forwarding
  • On the cloud proxy, you have confirmed that vcf-log-forwarder is up and the required ports are listening, but it is not receiving anything
  • Running the command below on the cloud proxy, all the checks come back fine with no errors.

    cprc-cli -v -d all

  • The ESXi Host is configured for tcp://<cloudProxyIP>:514 and the syslog config is reloaded
  • Testing the syslog ports from a remote system fails
  • Testing the API endpoint from the container works and the message appears in Aria Operations for Logs.

    docker exec -it vcf-log-forwarder sh -c "curl -k -X POST -H 'Content-Type: application/json' -d '[{\"text\": 123456789}]' https://host.docker.internal:443/vrli/api/v2/events"
    {"status":"ok","message":"events ingested","ingested":1}

  • Sending a syslog message from the cloud proxy to the local syslog port results in successful ingestion to Aria Operations for Logs.

    logger --server <cloudProxyIP> --port 514 --tcp "test message"

 

Environment

Aria Operations 8.18.x

Aria Operations for Logs 8.18.x

Cause

  • The ESXi syslog firewall rule for ports 514 and 1514 is not configured from the host client

    • The bottom of KB Configuring syslog on ESXi states:

      "When configuring remote hosts with the standard ports, you still need to enable the syslog firewall ruleset."

    • When checking /var/log/.vmsyslogd.err on the ESXi host, you may see errors similar to:

      2025-07-09T00:16:05.331Z vmsyslog.main            : CRITICAL] reloading (2098508)
      2025-07-09T00:16:10.371Z vmsyslog.loggers.network : ERROR   ] <cloudProxyIP>:514 - socket init calls failed: <class 'OSError'>
      2025-07-09T00:16:10.372Z vmsyslog.loggers.network : ERROR   ] failed to establish connection to remote syslog server <cloudProxyIP>:514

  • The Cloud Proxy is missing iptables rules that are configured automatically during installation

    • Login as root to the Cloud Proxy and run the command:

      iptables -nL

    • If there are no Chain DOCKER rules or other rules, there may have been an issue with the Cloud Proxy installation or upgrade.

      NOTE: The auto upgrade process from Aria Operations issues a reboot of the Cloud Proxy. If there was anything preventing this reboot from completing successfully, the iptables entries may have been removed.

      Example of iptables -nL command showing some of the proper entries:

Resolution

  • Configure the host syslog firewall rule as mentioned in KB - Cloud Proxy not reporting to Aria for Logs
  • If iptables on the Cloud Proxy is missing Chain DOCKER rules or other firewall rules, try a simple reboot of the Cloud Proxy and check functionality
  • If a reboot of the Cloud Proxy does not resolve the syslog forwarding issue, redeploy a new Cloud Proxy, ensuring all prerequisites are met
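
The two checks from the Cause section can be scripted against saved command output. The following is an added example, not part of the original article or vendor tooling; the function names are hypothetical and the sample input is constructed, with 192.0.2.10 standing in for <cloudProxyIP>.

```shell
#!/bin/sh
# Added example (not vendor code). Both helpers read saved command output on stdin.

# Classify the DOCKER chain in `iptables -nL` output: missing | empty | present
docker_chain_status() {
    awk '
        /^Chain / { in_docker = ($2 == "DOCKER"); if (in_docker) found = 1; next }
        in_docker && NF > 0 && $1 != "target" { rules++ }
        END {
            if (!found)          print "missing"
            else if (rules == 0) print "empty"
            else                 print "present"
        }'
}

# List unique host:port targets that vmsyslogd reported it could not connect to
failed_syslog_targets() {
    sed -n 's/.*failed to establish connection to remote syslog server \([^ ]*\).*/\1/p' | sort -u
}

# --- Constructed sample input; 192.0.2.10 stands in for <cloudProxyIP> ---
sample_iptables_ok() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.2           tcp dpt:514
EOF
}
sample_iptables_broken() {
cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}
sample_vmsyslogd_err() {
cat <<'EOF'
2025-07-09T00:16:10.371Z vmsyslog.loggers.network : ERROR   ] 192.0.2.10:514 - socket init calls failed: <class 'OSError'>
2025-07-09T00:16:10.372Z vmsyslog.loggers.network : ERROR   ] failed to establish connection to remote syslog server 192.0.2.10:514
EOF
}

echo "DOCKER chain (healthy sample): $(sample_iptables_ok | docker_chain_status)"
echo "DOCKER chain (broken sample):  $(sample_iptables_broken | docker_chain_status)"
echo "Unreachable syslog targets:    $(sample_vmsyslogd_err | failed_syslog_targets)"
```

On live systems, pipe `iptables -nL` from the Cloud Proxy into `docker_chain_status` and feed `/var/log/.vmsyslogd.err` from the ESXi host into `failed_syslog_targets`.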

Additional Information