ESXi Host Logs

ESXi records host activity in log files, using a syslog facility. Typically one of the easiest and
fastest ways to check these log files out is using tools like cat on the command line. You can also
view various logs through the DCUI as well. All VMware hosts run a service for logging system
information. This service, vmsyslogd, logs messages from the VMkernel and other system
components for auditing and diagnostic purposes. By default, the logs are directed to a local
scratch location or ramdisk. The scratch space is created automatically during ESXi installation
in the form of a 4 GB Fat16 local scratch partition. If storage space is unavailable, the host will
store data on a ramdisk, which is not persistent across reboots. That being the case, many
admins choose to send these logs to a persistent datastore or remote logging server for retention.
One of the most important things to know is that it’s important to realize where you’re installing
ESXi. If you opt to install it to a USB stick or sdcard, if the host crashes, that can make for a bad
day! This means that you’ll want to pay extra attention and have the logs written to a central
logging location. I’ll highlight some of the most popular logs below and indicate what they do. I
highly recommend having a syslog server of some sort in your environment.

Component Location Purpose

1. VMkernel /var/log/vmkernel.log ESXi

Records activities
VMkernel
2. /var/log/vmkwarning.log related to virtual
warnings
machines

Used to
determine uptime
VMkernel and availability
3. /var/log/vmksummary.log
summary statistics for ESXi
(comma
separated)

Contains
information about
the agent that
ESXi host manages and
4. /var/log/hostd.log
agent log configures
the ESXi host and
its virtual
machines
 Contains
information about
the agent that
vCenter agent communicates
5. /var/log/vpxa.log
log with vCenter
Server (if the host
is managed by
vCenter Server)

ESXi Shell as
well as shell
events (for
6. Shell log /var/log/shell.log
example, when
the shell was
enabled)

Contains all
events related to
7. Authentication /var/log/auth.log
authentication for
the local system

Contains all
general log
messages and can
be used for
System
8. /var/log/syslog.log troubleshooting.
messages
This information
was formerly
located in the
messages log file

Contains virtual
machine power
events, system
The same directory as the affected virtual failure
machine’s configuration files, named information, tools
Virtual
9. vmware.log and vmware*.log. For status and
machines
example, /vmfs/volumes/datastore/virtual activity, time
machine/vwmare.log sync, virtual
hardware
changes, vMotion
migrations,
 machine clones,
and so on

Another important log file that I like to point out is the boot.gz file. It’s located in
/var/log/boot.gz. This one is important to troubleshoot slow boots and can indicate why the host
is hanging or freezing. I’ve found myself using it from time to time and it’s been helpful.

You can change the location of the syslog location under each host at the location below. To
specify a remote logging host, enter a value in the format of protocol://hostname:port. Example:
tcp://hostname:514

vCenter Logs
The VMware vCenter Server Appliance 6.x logs are located in
the /var/log/vmware/ folder. You can get to it either via the console interface or via ssh.
You can also export a bundle of logs via the vSphere Web Client.

vCenter Server Appliance Log

Purpose
Location

10. vpxd/vpxd.log The main vCenter Serverlog

Profile metrics for operations performed in

11. vpxd/vpxd-profiler.log
vCenter Server
 Non-fatal information logged about the
12. vpxd/vpxd-alert.log
vpxd process

13. perfcharts/stats.log VMware Performance Charts

14. eam/eam.log VMware ESX Agent Manager

15. invsvc VMware Inventory Service

16. netdumper VMware vSphere ESXi Dump Collector

17. vapi VMware vAPI Endpoint

18. vmdird VMware Directory Service daemon

19. syslog vSphere Syslog Collector

VMware vSphere Profile-Driven Storage

20. vmware-sps/sps.log
Service

21. vpostgres vFabric Postgres database service

22. vsphere-client VMware vSphere Web Client

VMware System and Hardware Health

23. vws
Manager

24. workflow VMware vCenter Workflow Manager

25. SSO VMware Single Sign-On

Some important ones to keep in mind:

vmware-vpx\vpxd.log

Use this to troubleshoot issues with issues relating directly operation of the vCenter. Everything
from DB connectivity problems to vCenter crashes can be found here. This log will have a LOT
of information in it and is a good place to start on many issues.

invsvc\wrapper.log

Used to troubleshoot why the inventory service will not start.

sso\vmware-sts-idmd.log

This is a good log to use as a “one-stop-shop” for SSO authentication issues. Authentication
requests/failures, as well as problems with an identity source, will post here.

vsphere-client\logs\vsphere_client_virgo.log

A great place when troubleshooting errors within the Web Client. If you receive errors from
simply clicking on objects, you begin chasing them down here!