How To Configure syslog over SSL on ESXi.
vSphere 8.0
Two methods can be used to perform this task.
Method 1: Through the ESXi host
1. Prepare the SSL certificate chain of the syslog server in PEM Base64 format, in a file named syslog_chain.cer. An explanation and model of full chain creation can be found in the Broadcom KB article Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate (step 8).
Using a browser, export the syslog server certificate chain in Base64-encoded format. You can also run the following command to get the syslog server certificate chain:
Note:
The syslog_chain.cer file must contain the complete chain, in the order shown below:
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Intermediate Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<alphanumeric certificate characters> <----- Root Certificate
-----END CERTIFICATE-----
2. Place the ESXi system in maintenance mode
3. Display current syslog configuration
# esxcli system syslog config get
4. Verify that the certificate store is in a valid format
# openssl verify -CAfile /etc/vmware/ssl/castore.pem -verbose /etc/vmware/ssl/castore.pem
5. Backup the certificate store
# cp -p /etc/vmware/ssl/castore.pem /etc/vmware/ssl/castore.pem.bak
6. Use SCP or an SFTP application to copy the syslog certificate chain to the /tmp folder on the ESXi system. For example, from the system that holds syslog_chain.cer:
# scp syslog_chain.cer root@esxi_fqdn:/tmp/syslog_chain.cer
7. Repeat the copy so that syslog_chain.cer, which contains the syslog server certificate chain, is in the /tmp/ directory on each ESXi host.
8. Append syslog certificate to the certificate store
# cat /tmp/syslog_chain.cer >> /etc/vmware/ssl/castore.pem
9. Re-verify that the certificate store is still in a valid format
# openssl verify -CAfile /etc/vmware/ssl/castore.pem -verbose /etc/vmware/ssl/castore.pem
10. Set the syslog daemon to check SSL certificates
# esxcli system syslog config set --check-ssl-certs=true
11. Set the syslog connection via SSL (1514 is used here; use the port your syslog server listens on):
# esxcli system syslog config set --loghost="ssl://IP_or_FQDN_of_syslog_server:1514"
12. Reload the syslog configuration options
# esxcli system syslog reload
13. Display the current syslog configuration
# esxcli system syslog config get
14. Restart services
# /sbin/services.sh start
15. Test log shipping
# esxcli system syslog mark --message="Syslog Test Message"
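An added helper (example code, not from this KB article) for the chain-file note and the append step above: it checks that syslog_chain.cer is a well-formed sequence of PEM certificate blocks and merges it into a copy of castore.pem without duplicating certificates the store already holds, so a re-run of the procedure does not grow the store. It validates structure only, not X.509 contents or signatures; the sample certificates are constructed stand-ins.

```python
import base64
import hashlib
import re

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
# One PEM block; the base64 body is captured so it can be decoded and fingerprinted.
PEM_BLOCK = re.compile(re.escape(BEGIN) + r"\s*(.*?)\s*" + re.escape(END), re.S)

def parse_pem_chain(text):
    """Return [(sha256_hex, der_bytes), ...] for every block; raise ValueError if malformed."""
    certs = []
    for match in PEM_BLOCK.finditer(text):
        try:
            der = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
        except ValueError as exc:
            raise ValueError(f"certificate block is not valid base64: {exc}") from exc
        if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
            raise ValueError("decoded block does not look like a DER certificate")
        certs.append((hashlib.sha256(der).hexdigest(), der))
    if len(certs) != text.count(BEGIN) or len(certs) != text.count(END):
        raise ValueError("unbalanced or malformed BEGIN/END CERTIFICATE markers")
    return certs

def chain_is_valid(text):
    """True when the text parses and holds at least one certificate block."""
    try:
        return len(parse_pem_chain(text)) > 0
    except ValueError:
        return False

def to_pem(der):
    """Re-encode DER as a canonical PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END]) + "\n"

def merge_chain(castore_text, chain_text):
    """Append chain certificates not already in the store; return (new_store_text, added)."""
    present = {fp for fp, _ in parse_pem_chain(castore_text)}
    out = castore_text if not castore_text or castore_text.endswith("\n") else castore_text + "\n"
    added = 0
    for fp, der in parse_pem_chain(chain_text):
        if fp not in present:  # skip certificates the store already holds (idempotent re-runs)
            out, present, added = out + to_pem(der), present | {fp}, added + 1
    return out, added

# Constructed sample data, not real certificates: minimal DER SEQUENCEs stand in for certs.
FAKE_DER_A, FAKE_DER_B = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
SAMPLE_CASTORE = to_pem(FAKE_DER_A)                     # store already trusts cert A
SAMPLE_CHAIN = to_pem(FAKE_DER_A) + to_pem(FAKE_DER_B)  # chain repeats A and adds B
```

Run merge_chain on the contents of a copy of castore.pem and the chain file, write the result back, and keep the openssl verify check on the result before replacing the original.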
Method 2: Perform the Task via the vCenter Command-Line Interface
1. SSH into the vCenter Server Appliance and enable the shell if necessary.
2. Copy the syslog server issuer certificate files to the appliance (for example, to /tmp/issuer.cer). If intermediate and root certificates exist, create a chain as described in the relevant article.
3. Publish the CA to the TRUSTED_ROOTS store (vmdir/VECS) using dir-cli:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/issuer.cer
4. When prompted, enter the SSO administrator credentials (for example, administrator@vsphere.local, the default SSO administrator account). The certificates are added to vmdir and to the VECS TRUSTED_ROOTS store across the entire SSO domain.
5. In the vCenter UI, select the ESXi host, right-click, select Certificates, and then select Refresh CA Certificates.