ESXi hosts experience intermittent syslog message loss due to double logging configuration

Article ID: 429023

Products

VCF Operations/Automation (formerly VMware Aria Suite) VMware vSphere ESX 8.x

Issue/Introduction

ESXi hosts may experience intermittent message loss when configured to send logs to an external load balancer. This issue is typically identified by critical alerts in the vmkernel logs and vmkwarning.log files.

Symptoms:

  • The following alert appears frequently: 2026-01-13T08:23:25.268Z Al(177) vmkalert: cpu0:2097837)ALERT: vmsyslog logger <target>:514 lost [X] log messages

  • Total log volume appears doubled compared to expected traffic.

  • Email warnings about excessive ingestion into the Aria Operations for Logs system may be reported.

Environment

Aria Operations for Logs 8.x

VMware ESXi 8.x

Cause

The cause is the Aria Operations for Logs Auto-Configuration feature.

When using an external load balancer rather than the integrated load balancer, the Aria Operations for Logs integration logic does not recognize the external VIP as its own. Consequently, the Auto-Config task periodically appends the FQDN of the TARGET from Aria Operations integration to the ESX Syslog.global.logHost property. This results in "Double Syslog Logging," where the ESXi host sends every log message twice—once to the VIP and once to a TARGET node—exhausting the vmsyslogd process resources.

Resolution

To resolve this issue, you must disable the automated configuration and manually clean up the host syslog targets.

### Step 1: Disable Auto-Configuration in Aria Operations for Logs

  1. Log in to the Aria Operations for Logs web UI.
  2. Navigate to Integration > vSphere.
  3. Locate the relevant vCenter server and click the ellipsis > Edit.
  4. In the ESXi host configuration section, click View Details.
  5. Uncheck the box: Automatically Configure ESXi hosts to send logs to Aria Operations for Logs.
  6. Save the changes.

### Step 2: Correct Host Syslog Targets

On each affected ESXi host (via the vSphere Client, PowerCLI, or Host Profiles):

  1. Navigate to Configure > System > Advanced System Settings.
  2. Locate the Syslog.global.logHost property.
  3. Remove the individual node FQDN.
  4. Ensure only the intended Load Balancer VIP is present (e.g., udp://<f5-vip-fqdn>:514).
  5. Ensure there are no trailing commas or duplicate entries.

### Step 3: Restart the Syslog Service

Restart the syslog daemon on the ESXi hosts to apply the changes via CLI:

```
/etc/init.d/vmsyslogd restart
```
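A check for the Step 2 cleanup, as an added example that is not part of the original article or vendor tooling: the function audits a Syslog.global.logHost value for appended node entries, duplicates and stray commas. The function name `audit_loghost` and all hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): audit a Syslog.global.logHost value for the
# drift described above. Hostnames below are constructed placeholders.
# On a host, the current value can be read with:
#   esxcli system settings advanced list -o /Syslog/global/logHost

# audit_loghost VALUE EXPECTED_VIP_TARGET
# Prints one finding per line; exit status 0 only if VALUE is exactly the VIP.
audit_loghost() (
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    rest="$1,"            # sentinel comma so the last field is terminated
    seen=","; drift=0; have_vip=0
    while [ -n "$rest" ]; do
        entry=${rest%%,*}; rest=${rest#*,}
        # Normalize: lowercase and trim surrounding whitespace.
        entry=$(printf '%s' "$entry" | tr 'A-Z' 'a-z' |
                sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ -z "$entry" ]; then
            echo "EMPTY entry (stray or trailing comma)"; drift=1
            continue
        fi
        case $seen in
            *",$entry,"*) echo "DUPLICATE $entry"; drift=1; continue ;;
        esac
        seen="$seen$entry,"
        if [ "$entry" = "$expected" ]; then
            have_vip=1
        else
            echo "UNEXPECTED $entry"; drift=1   # e.g. an appended node FQDN
        fi
    done
    if [ "$have_vip" -eq 0 ]; then echo "MISSING $expected"; drift=1; fi
    [ "$drift" -eq 0 ]
)

# Constructed sample values: a clean host and one after Auto-Config appended a node.
VIP="udp://logs-vip.example.com:514"
for value in "$VIP" "$VIP,udp://logs-node1.example.com:514,"; do
    echo "== $value"
    audit_loghost "$value" "$VIP" && echo "OK: only the VIP is configured" || :
done
```

A non-zero exit status means the host still has double logging or a malformed target list and needs the Step 2 correction before the Step 3 restart.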

Additional Information

For a comprehensive list of syslog drop scenarios on ESXi 8.x, see Troubleshooting "vmsyslog logger lost #### log messages" on ESXi hosts.

This issue specifically occurs because the Auto-Config logic is "additive." If the service does not see a match for its own managed target for the integration, it will append a node address. If you require the use of an external load balancer, Auto-Configuration must remain disabled to prevent configuration drift. 

Note: As Aria Operations for Logs does not provide an option to specify an external load balancer, you will need to configure your vCenter integrations with the 'target' address of your primary node while leaving your ESX hosts configured for VIP distribution to nodes.