Configuring ESXi syslog over SSL fails with error: "certificate verify failed: IP address mismatch"
Article ID: 432290


Products

VMware vSphere ESXi

Issue/Introduction

  • VMware ESXi hosts fail to transmit syslog messages to a remote syslog server (Splunk) over SSL.
  • The log file /var/log/.vmsyslogd.err contains the following errors:
    vmsyslog.loggers.network : ERROR   ] SSL certificate verification failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '<Splunk_IP>'. (_ssl.c:1006)
    vmsyslog.loggers.network : ERROR   ] failed to establish connection to remote syslog server <Splunk_IP>:6514
    vmsyslog.msgQueue        : ERROR   ] <Splunk_IP>:6514 - lost 2 log messages
    vmsyslog.main            : CRITICAL] reloading (209###21)
  • The remote syslog server's certificate binds its identity exclusively to the FQDN, both in the Subject Alternative Name (SAN) extension and in the Subject Common Name (CN); no IP address SAN entry is present. This can be confirmed with the following command:
    openssl s_client -connect <Syslog_Server_FQDN>:6514 -showcerts
    
    Sample output:
    CONNECTED(00000003)
    depth=1 DC = com, DC = <Splunk_name>, CN = <Splunk_FQDN>
    verify error:num=2:unable to get issuer certificate
    issuer= CN =<Splunk_FQDN>
    verify return:1
    depth=0
    issuer= DC = com, DC = <Splunk_name>, CN =<Splunk_FQDN>
    verify return:1
    ---
    Certificate chain
     0 s:
       i:DC = com, DC = <Splunk_name>, CN =<Splunk_FQDN>
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: MM DDHH:MM:SS GMT; NotAfter: MM DDHH:MM:SS GMT
  • Running the following command confirms that the Remote Host is configured with an IP address (e.g., ssl://<IP_Address>:6514) instead of a Fully Qualified Domain Name (FQDN):
    esxcli system syslog config get

Environment

VMware vSphere ESXi 8.x

Cause

This issue occurs due to an identity mismatch between the ESXi host syslog configuration and the remote syslog server's SSL certificate. The ESXi host is configured to connect using an IP address, but the presented certificate only contains and validates the server's FQDN.

Resolution

Reconfigure the ESXi syslog service to connect using the remote syslog server's FQDN so that the configured host name matches the certificate's SAN. Follow these steps:

  1. Open an SSH session to the affected ESXi host as root.
  2. Verify the current configuration and confirm the IP address is actively used for the remote host:
    esxcli system syslog config get
  3. Update the remote log host configuration to use the FQDN instead of the IP address:
    esxcli system syslog config set --loghost="ssl://<Syslog_Server_FQDN>:6514"
  4. Reload the syslog service to apply the configuration change:
    esxcli system syslog reload
  5. Verify that logs are being transmitted successfully by checking the remote syslog server, or by reviewing the ESXi vmsyslog.log for a successful connection state.
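The following script is an added example and is not part of this KB article or of VMware's tooling. It implements the identity check described in the Issue and Cause sections (does the host in the configured loghost URL appear in the certificate's SAN?) so the mismatch can be caught before the syslog service is reloaded. The two inputs are constructed stand-ins: in practice the first would be the output of `esxcli system syslog config get` and the second the SAN extension printed by `openssl x509 -noout -ext subjectAltName` for the certificate obtained with the `openssl s_client -showcerts` command above. The host name and IP address used (splunk.example.com, 192.0.2.10) are documentation placeholders.

```shell
#!/bin/sh
# Added example (not from the VMware KB article): check whether the ESXi
# remote loghost is covered by the syslog server's certificate SAN.

# Constructed sample of `esxcli system syslog config get` output in the
# failing state from the article: the loghost is an IP literal.
SAMPLE_CONFIG='   Check Certificate SSL X509 Strictly: true
   Remote Host: ssl://192.0.2.10:6514'

# Constructed sample of the same output after step 3 of the resolution.
FIXED_CONFIG='   Remote Host: ssl://splunk.example.com:6514'

# Constructed sample SAN extension as printed by
# `openssl x509 -noout -ext subjectAltName`: only the FQDN is listed.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:splunk.example.com'

# Extract the host part of a loghost URL such as ssl://host:6514
# (strip the scheme and the :port suffix).
loghost_host() {
    h=${1#*://}
    h=${h%:*}
    printf '%s\n' "$h"
}

# Exit 0 when the host is an IPv4 dotted quad or a bracketed IPv6 literal.
is_ip_literal() {
    case $1 in
        \[*\]) return 0 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Pull the first loghost URL out of `esxcli system syslog config get` output.
# Only the first entry of a comma-separated Remote Host list is checked.
config_remote_host() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p' \
        | sed 's/[[:space:]]*,.*//' \
        | head -n 1
}

# Exit 0 when the SAN text lists the host as an exact DNS or IP entry.
# Wildcard DNS entries are deliberately not handled here.
san_covers_host() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq -e "DNS:$2" -e "IP Address:$2"
}

# Verdict for one config/SAN pair: exit 0 on match, 1 on identity mismatch.
check_syslog_identity() {
    url=$(config_remote_host "$1")
    host=$(loghost_host "$url")
    if san_covers_host "$2" "$host"; then
        echo "OK: '$url' matches the certificate SAN"
        return 0
    fi
    if is_ip_literal "$host"; then
        echo "MISMATCH: '$url' uses the IP literal $host but the certificate SAN has no IP entry; reconfigure the loghost with the FQDN"
    else
        echo "MISMATCH: host '$host' is not listed in the certificate SAN"
    fi
    return 1
}

# Stand-alone run: the failing state, then the state after the fix.
check_syslog_identity "$SAMPLE_CONFIG" "$SAMPLE_SAN" || :   # MISMATCH: ... reconfigure the loghost with the FQDN
check_syslog_identity "$FIXED_CONFIG" "$SAMPLE_SAN"         # OK: 'ssl://splunk.example.com:6514' matches the certificate SAN
```

The check mirrors what the ESXi SSL client does: the name in the loghost URL is compared against the SAN entries of the presented certificate, and an IP literal only matches an `IP Address:` SAN entry, never a `DNS:` one. A certificate that carries an `IP Address:<Splunk_IP>` entry would therefore also resolve the error, but the article's resolution of switching the loghost to the FQDN is the change that needs no re-issued certificate.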