Users with a Read-Only role in vCenter are unable to generate ESXi logs from vCenter and encounter an "Access Denied" error.
While vCenter logs can be generated successfully, attempts to collect ESXi host support bundles fail due to insufficient privileges.
VMware vCenter Server
ESXi
The default Read-Only role in vCenter lacks the necessary privileges to collect ESXi host support bundles.
This limitation prevents users from generating ESXi logs through vCenter.
To enable a read-only account to generate ESXi logs via vCenter, assign the following minimum privileges:
Global → Diagnostics
Host → Configuration → System Management
You can either create a custom role with the above privileges and assign it to the read-only account, or use an account with Administrator privileges to perform the log collection.
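One way to build the custom role with VMware PowerCLI, shown as an added example that is not part of the original article. The privilege IDs `Global.Diagnostics` and `Host.Config.SystemManagement` are assumed to be the API identifiers behind the two UI entries listed above; the server name, role name and account are placeholders.

```powershell
# Added example, not from the original article. Requires VMware PowerCLI.
$Server    = 'vcenter.example.test'      # placeholder vCenter address
$RoleName  = 'ReadOnly-LogCollection'    # hypothetical role name
$Principal = 'EXAMPLE\log-collector'     # placeholder read-only account

# Assumed API IDs for Global > Diagnostics and
# Host > Configuration > System Management.
$WantedIds = 'Global.Diagnostics', 'Host.Config.SystemManagement'

Connect-VIServer -Server $Server | Out-Null

# Resolve the IDs against this vCenter and stop if any is unknown,
# rather than creating a role that silently lacks a privilege.
$privs   = Get-VIPrivilege -Id $WantedIds -ErrorAction Stop
$missing = $WantedIds | Where-Object { $_ -notin $privs.Id }
if ($missing) { throw "Privilege ID(s) not found: $($missing -join ', ')" }

# Create the role once; reuse it on later runs.
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) { $role = New-VIRole -Name $RoleName -Privilege $privs }

# Audit: every role carries the System.* (read-only) privileges.
# Anything else beyond the two requested IDs is privilege drift.
$extra = $role.PrivilegeList |
    Where-Object { $_ -notlike 'System.*' -and $_ -notin $WantedIds }
if ($extra) { Write-Warning "Unexpected privileges in ${RoleName}: $($extra -join ', ')" }

# Assign at the root folder so the role reaches every host.
# An account that already holds a permission there (for example Read-Only)
# has that permission switched to the new role instead of duplicated.
$root     = Get-Folder -NoRecursion
$existing = Get-VIPermission -Entity $root -Principal $Principal -ErrorAction SilentlyContinue
if ($existing) {
    Set-VIPermission -Permission $existing -Role $role | Out-Null
} else {
    New-VIPermission -Entity $root -Principal $Principal -Role $role -Propagate $true | Out-Null
}

Disconnect-VIServer -Server $Server -Confirm:$false
```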
As an alternative, ESXi logs can be generated directly from the ESXi host using either the Direct Console User Interface (DCUI) or Secure Shell (SSH).
These methods bypass vCenter and allow direct access to host-level diagnostics.