vSphere Configuration Profiles (VCP) reports configuration drift for syslog settings after enabling DFW in vSphere 9.1.x
Article ID: 433397


Products

VMware vDefend Firewall

Issue/Introduction

In vSphere 9.1.x environments managed by vSphere Configuration Profiles (VCP), administrators may observe an unexpected configuration drift after enabling Distributed Firewall (DFW) on ESXi hosts (specifically when DfwOnDvpg is enabled).

The VCP compliance engine flags a discrepancy in the following path: /profile/esx/syslog/global_settings/remote_host_max_msg_len

While the host remains functional, the cluster status will remain "Non-Compliant" until the drift is acknowledged and absorbed into the desired state.

Environment

This issue is observed in environments meeting the following criteria:

  • vCenter Server: Version 9.1.x

  • ESXi Hosts: Version 9.1.x

  • Management Framework: Clusters managed via vSphere Configuration Profiles (VCP).

  • Feature Enablement: Distributed Firewall (DFW) is enabled at the Distributed Virtual Port Group (DVPG) level (DfwOnDvpg).

Cause

Following the enablement of Distributed Firewall (DFW) in vSphere 9.1.x and the subsequent remediation of hosts to the desired image, a compliance check (Configure → Configuration → Compliance → Check Compliance) may report a drift for the following parameter: /profile/esx/syslog/global_settings/remote_host_max_msg_len

Reason for Drift Detection

When the DFW feature is enabled, the host-side configuration adjusts the maximum remote syslog message length (typically to 4096). During the first compliance check after enablement, the VCP engine finds that the value now present on the ESXi hosts no longer matches the cluster's 9.1.x global Desired State, which still carries the earlier value, and reports the difference as drift.

[Screenshot: cluster view after enabling Distributed Firewall (DFW) through vSphere Configuration Profiles (VCP)]

[Screenshot: result of the compliance check (Configure → Configuration → Compliance → Check Compliance)]

Resolution

To resolve the reported configuration drift, the administrator must synchronize the cluster's desired configuration with the current settings of the remediated hosts. This process "absorbs" the host-level settings into the cluster-wide profile, so that the desired state again describes what the hosts are actually running.

Note: For clusters where DFW is enabled, the recommended and expected value for remote_host_max_msg_len is 4096. Ensure this value is present on the reference host before proceeding with the import. Because Import from Host copies the reference host's configuration into the draft, not only the syslog parameter, also confirm that the reference host carries no other unexplained deviations; anything it deviates in would otherwise be promoted to the desired state along with the intended syslog change.

Steps to Remediate Configuration Drift

Follow these steps to synchronize the host's actual settings with the cluster's desired state:

1. Locate the VCP Cluster

Select the affected vSphere Configuration Profiles (VCP) cluster from the vCenter inventory.

2. Initiate the Configuration Draft

Navigate to the Configure tab → Desired State → Configuration. Click the Edit button to open a new configuration draft.

3. Import Settings from the Reference Host

Under the Draft tab, select the Import from Host option.

  • Action: Select a host that currently has the correct settings as your reference.

  • Result: This action pulls the configuration from the reference host and populates it into the current draft, including the required syslog parameters.

4. Verify and Commit the Draft

Before finalizing, ensure the values are correct:

  • Verify: Within the draft, locate the parameter path: /profile/esx/syslog/global_settings/remote_host_max_msg_len.

  • Confirm: Ensure the value is set to 4096.

  • Commit: Click Save and then select Commit (or Apply Changes) to promote this draft to the active "Desired State."

5. Final Compliance Validation

Return to the Compliance tab and click Check Compliance.

  • The VCP engine will re-scan the hosts against the updated profile.

  • The drift alerts should disappear, and the cluster status should update to Compliant.

The following walkthrough covers the same procedure using the import option that carries deviating host settings as overrides; use whichever sequence matches your vCenter UI.

1. Identify the Target Cluster

Select the affected VCP-enabled cluster from the vCenter inventory.

 

2. Select a Reference Host and Create a Draft

Within the Configure tab, navigate to Desired State → Configuration and start a draft from a reference host. In the import dialog, select the reference host and choose the second option, "Only deviating settings from other hosts": the reference host's settings become the common settings for the cluster, and settings on other hosts that deviate from the reference host are added as host-specific overrides.

Note: A new draft will be generated using settings from the cluster hosts. You may manually modify the draft at this stage to ensure remote_host_max_msg_len is set to 4096. Check the generated overrides as well: with this option, a host whose value differs from the reference host is not reported as drift but absorbed as a host-specific override, so a host that was left at a different length would silently keep it.

3. Review Proposed Changes

Navigate to Configure → Desired State → Configuration → Draft → Show Changes. Use this view to compare the newly imported draft against the cluster's current Desired Configuration. This ensures only the intended syslog changes are being absorbed.

4. Apply and Commit the New Configuration

Select Apply Changes (or Commit) to save the draft as the new cluster-wide Desired Configuration.

Note: This action will trigger an automatic Remediation operation across the cluster to align all hosts with the new profile.

5. Verify Cluster Compliance

Once the "Apply" task completes, a Check Compliance operation is triggered automatically. The hosts should now report a status of Compliant, and the syslog drift alerts should be cleared.
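The drift check described under Cause and the "absorb the reference host's value into the desired state" step of both procedures above, as an added example written for this article (not Broadcom/VMware code and not the VCP engine). It assumes the desired-state export is a JSON document whose objects are nested by each segment of the parameter path (so /profile/esx/syslog/global_settings/remote_host_max_msg_len resolves through keys profile, esx, syslog, global_settings); the document and the per-host values below are constructed sample data, not a real export. The import is guarded so that only the expected value (4096) can be absorbed, which is the manual check step 4 asks for:

```python
"""Simulate the VCP compliance check for one parameter path and the guarded
'Import from Host' step that absorbs a reference host's value.

Added example for this article; not VMware/Broadcom code. The JSON shape
(nested objects keyed by each path segment) and the sample documents are
assumptions/constructed data, not a real VCP export.
"""
import copy
import json

SYSLOG_MAXLEN = "/profile/esx/syslog/global_settings/remote_host_max_msg_len"
DFW_EXPECTED = 4096  # value the article expects on DFW-enabled clusters


def get_path(doc, path):
    """Walk a slash-separated parameter path through nested dicts.
    Returns None when any segment is missing."""
    node = doc
    for part in path.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def set_path(doc, path, value):
    """Return a deep copy of doc with value written at path (parents created)."""
    new = copy.deepcopy(doc)
    node = new
    parts = path.strip("/").split("/")
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value
    return new


def find_drift(desired, hosts, path):
    """Mimic Check Compliance for one path: every host whose current value
    differs from the desired state is reported as drift."""
    want = get_path(desired, path)
    return [
        {"host": h, "path": path, "desired": want, "current": get_path(cur, path)}
        for h, cur in hosts.items()
        if get_path(cur, path) != want
    ]


def absorb_from_host(desired, hosts, reference_host, path, expected):
    """Import one value from reference_host into the desired state, as the
    Import from Host step does, but refuse unless it is the expected value.
    Absorbing arbitrary drift would bless an unintended or unauthorized
    change on that host as the cluster-wide desired state."""
    value = get_path(hosts[reference_host], path)
    if value != expected:
        raise ValueError(
            f"{reference_host} has {path}={value!r}, expected {expected!r}; "
            "fix the host or choose another reference host before committing"
        )
    return set_path(desired, path, value)


# Constructed sample: the desired state still carries the pre-DFW length,
# two hosts were remediated to 4096 after DfwOnDvpg was enabled, and one
# host was hand-edited to an unexpected value.
DESIRED = json.loads("""{
  "profile": {"esx": {"syslog": {"global_settings": {
      "remote_host_max_msg_len": 1024,
      "log_dir": "/scratch/log"}}}}
}""")
HOSTS = {
    "esx01": {"profile": {"esx": {"syslog": {"global_settings": {"remote_host_max_msg_len": 4096}}}}},
    "esx02": {"profile": {"esx": {"syslog": {"global_settings": {"remote_host_max_msg_len": 4096}}}}},
    "esx03": {"profile": {"esx": {"syslog": {"global_settings": {"remote_host_max_msg_len": 8192}}}}},
}


def demo():
    """Run the check, absorb from a good reference host, re-check, and show
    that a bad reference host is rejected. Returns the results for inspection."""
    before = [d["host"] for d in find_drift(DESIRED, HOSTS, SYSLOG_MAXLEN)]
    new_desired = absorb_from_host(DESIRED, HOSTS, "esx01", SYSLOG_MAXLEN, DFW_EXPECTED)
    after = [d["host"] for d in find_drift(new_desired, HOSTS, SYSLOG_MAXLEN)]
    try:
        absorb_from_host(DESIRED, HOSTS, "esx03", SYSLOG_MAXLEN, DFW_EXPECTED)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "drift_before": before,
        "desired_after": get_path(new_desired, SYSLOG_MAXLEN),
        "drift_after": after,
        "bad_reference_rejected": rejected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

After absorbing esx01's value, only esx03 is still reported, which is the point of re-running Check Compliance after the commit: a host that was changed for some other reason stays visible as drift instead of being quietly folded into the profile, and trying to use that host as the reference is refused.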