Step 3. Configure Syslog on the Host

Configure syslog within the host for message forwarding.


You should forward only relevant events from the host to the Collector. Forwarding a large number of syslog events can overwhelm the Collector server.

Step 3a. Configure Syslog on ESX 4.x

  1. Open the host firewall to allow syslog outgoing traffic:

esxcfg-firewall -openPort 514,udp,out,syslog

  1. Reload the host firewall configuration:

esxcfg-firewall –load

  1. On the host, modify the /etc/syslog.conf file on the ESX Console OS to point it at the Collector systems.


Because of the High Availability features of the VE Service, the monitoring of any given host may move from one Collector to another.

Therefore, to ensure that syslog messages are always logged, you should configure syslog.conf to forward messages to the Collector, that is, monitoring of this specific host.If the monitoring job containing this host is moved to another Collector (either manually, or because of HA-failover) then the syslog.conf file on the host must be reconfigured to point to the new Collector.

For example, to forward Critical and higher FTP events to the Collector with IP address of, syslog.conf should include the following line:

ftp.crit @

To write messages to the file for testing purposes, add another line:

ftp.crit /var/log/ftp.log

  1. Save the syslog.conf file.


More information on the syslog.conf settings can be found on the syslog.conf main page.

  1. Restart syslog service on the host:

service syslog restart

  1. Test the syslog configuration on the host:
  1. Tail the log file and leave it open:

tail -f /var/log/ftp.log

  1. Add a critical test message:

#/usr/bin/logger -p ftp.crit "This is a test"

If you have configured syslog correctly, the logger command will generate a message, write it to /var/log/ftp and send it to the Collector with IP address of

Step 3b. Configure Syslog on ESX 5.x

  1. Display current syslog configuration on the host:

esxcli system syslog config get

  1. Set new host configuration using a command similar to:

esxcli system syslog config set --logdir=/path/to/vmfs/directory/ --loghost=RemoteHostname --logdir-unique=true|false --default-rotate=NNN --default-size=NNN

For example, to configure remote syslog using UDP on port 514, use the following command (note that Veeam Collectors use only UDP connection to gather syslog messages):

esxcli system syslog config set --loghost='udp://'

If you want to monitor logs from another directory, also specify the following parameter:

--logdir=/path/to/vmfs/directory/ --logdir-unique=true

Note that in this case the logdir-unique parameter must be set to true.


For more information on configuring local and remote logging using the esxcli commands, see this VMware KB article.

  1. Reload the new configuration:

esxcli system syslog reload

  1. Open the host firewall to allow syslog outgoing traffic:

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

  1. Reload the host firewall configuration:

esxcli network firewall refresh

  1. Check port availability:

nc -z <IP Address> <Port Range in abc - xyz format>


nc -z <collectorHostName> <Port Range in abc - xyz format>

After you perform all the steps above, Veeam VMware logs will be populated with syslog events with the 900 id on a machine where the Collector runs.

If you want to check that syslog messages are successfully logged, run the following command, open logs and search for the test message:

esxcli system syslog mark –message “Syslog test”


If you want to filter syslog events on the vCenter server itself, before messages are sent to the Collector, you will need to perform additional configuration:

  1. In vSphere Client, select the host, go to the Configuration tab and click Advanced Settings.
  2. Navigate to the Config-HostAgent-log section and change the Config.HostAgent.log.level and Vpx.Vpxa.config.log.level values, for example, to ‘warning’. These settings are responsible for sending messages from the global log and vCenter agent logging levels correspondingly. By default, both severity levels are ‘verbose’, so that detailed syslog messages will be forwarded.