Professional Documents
Culture Documents
ESXi Host Logs
ESXi Host Logs
ESXi records host activity in log files, using a syslog facility. Typically one of the easiest and
fastest ways to check these log files out is using tools like cat on the command line. You can also
view various logs through the DCUI as well. All VMware hosts run a service for logging system
information. This service, vmsyslogd, logs messages from the VMkernel and other system
components for auditing and diagnostic purposes. By default, the logs are directed to a local
scratch location or ramdisk. The scratch space is created automatically during ESXi installation
in the form of a 4 GB Fat16 local scratch partition. If storage space is unavailable, the host will
store data on a ramdisk, which is not persistent across reboots. That being the case, many
admins choose to send these logs to a persistent datastore or remote logging server for retention.
One of the most important things to know is that it’s important to realize where you’re installing
ESXi. If you opt to install it to a USB stick or sdcard, if the host crashes, that can make for a bad
day! This means that you’ll want to pay extra attention and have the logs written to a central
logging location. I’ll highlight some of the most popular logs below and indicate what they do. I
highly recommend having a syslog server of some sort in your environment.
Records activities
VMkernel
2. /var/log/vmkwarning.log related to virtual
warnings
machines
Used to
determine uptime
VMkernel and availability
3. /var/log/vmksummary.log
summary statistics for ESXi
(comma
separated)
Contains
information about
the agent that
ESXi host manages and
4. /var/log/hostd.log
agent log configures
the ESXi host and
its virtual
machines
Contains
information about
the agent that
vCenter agent communicates
5. /var/log/vpxa.log
log with vCenter
Server (if the host
is managed by
vCenter Server)
ESXi Shell as
well as shell
events (for
6. Shell log /var/log/shell.log
example, when
the shell was
enabled)
Contains all
events related to
7. Authentication /var/log/auth.log
authentication for
the local system
Contains all
general log
messages and can
be used for
System
8. /var/log/syslog.log troubleshooting.
messages
This information
was formerly
located in the
messages log file
Contains virtual
machine power
events, system
The same directory as the affected virtual failure
machine’s configuration files, named information, tools
Virtual
9. vmware.log and vmware*.log. For status and
machines
example, /vmfs/volumes/datastore/virtual activity, time
machine/vwmare.log sync, virtual
hardware
changes, vMotion
migrations,
machine clones,
and so on
Another important log file that I like to point out is the boot.gz file. It’s located in
/var/log/boot.gz. This one is important to troubleshoot slow boots and can indicate why the host
is hanging or freezing. I’ve found myself using it from time to time and it’s been helpful.
You can change the location of the syslog location under each host at the location below. To
specify a remote logging host, enter a value in the format of protocol://hostname:port. Example:
tcp://hostname:514
vCenter Logs
The VMware vCenter Server Appliance 6.x logs are located in
the /var/log/vmware/ folder. You can get to it either via the console interface or via ssh.
You can also export a bundle of logs via the vSphere Web Client.
Use this to troubleshoot issues with issues relating directly operation of the vCenter. Everything
from DB connectivity problems to vCenter crashes can be found here. This log will have a LOT
of information in it and is a good place to start on many issues.
invsvc\wrapper.log
sso\vmware-sts-idmd.log
This is a good log to use as a “one-stop-shop” for SSO authentication issues. Authentication
requests/failures, as well as problems with an identity source, will post here.
vsphere-client\logs\vsphere_client_virgo.log
A great place when troubleshooting errors within the Web Client. If you receive errors from
simply clicking on objects, you begin chasing them down here!