A Newbie’s Guide to ESXi and VM Log Files

Save to My DOJO

A Newbie’s Guide to ESXi and VM Log Files

 

A VMware ESXi instance will generate a ton of events throughout its lifetime. These events, depending on type, will be written to one or more log files, the bulk of which are found under /var/log in the ESXi filesystem. As with any log file, the idea here is to help you and others troubleshoot issues and keep an eye on things by perhaps forwarding important events to a syslog server and such. Log files also make for an excellent audit trail so you can determine, for instance, who or what is accessing your hosts, VMs, etc.

As per VMware’s documentation, I’ve listed eight of the most frequently used log files on ESXi.

Some of the log files present on an ESXi host

Some of the log files present on an ESXi host

 

Note: If you are experiencing problems with ESXi you may consider patching to ensure you have the latest bugs fixed.

 

VM Log Files


In addition to the above, every Virtual Machine hosted on ESXi will have corresponding VM log files called vmware.log recording events related to machine activity, system failures, hardware changes, migrations, status and so on. To view the log file, SSH to the ESXi host and navigate to the datastore on which the VM folder resides.

The path to the log file should be similar to /vmfs/volumes/<datastore>/<virtual machine>/vwmare.log as shown in the next screenshot.

Displaying the contents of a VM's log file on ESXi

Displaying the contents of a VM’s log file on ESXi

 

There are some adjustments you can make to the log rotation and logging options for a VM. I’ve summarized these as follows:

  • Disable or enable logging: Set the logging value in the VM’s VMX file to false or true respectively. You can do this by editing the VM’s settings (VM Options -> Advanced -> Edit Configuration) in vSphere Web client as shown.
Modifying the log file options for a VM

Modifying the log file options for a VM

 

Alternatively, logging can be enabled or disabled via the Enable Logging option. It is also possible to include diagnostic information via the Debugging and statistics drop down box.

Enabling logging for a VM in vSphere Web client

Enabling logging for a VM in vSphere Web client

 

  • Logfile size: Similarly, you can control the log file size by adding the log.rotateSize to VM’s VMX file. Ex: log.rotateSize=1024000 sets the log file maximum size to 1 MB.
  • Logfile retention: To set the level of log file rotation, add the log.keepOld value to the VM’s VMX file. Ex: log.keepOld=5 sets a maximum of 5 log files at any one instance, with the oldest being overwritten when a new log file is created. You’ll find these listed as vmware.log, vmware-1.logvmware-n.log.
  • Logfile name: To change the log file filename and/or location, add the log.fileName to the VM’s VMX file. Ex: log.fileName=vmLog.txt or  log.fileName=/vmfs/volume/VMLogFiles/vm1Log.txt.

Note: The above should work for most pre-ESXi 6.5 versions as per this KB. I’ve also tested this on ESXi 6.5 and the only parameter that seems to be unsupported is log.fileName in that the vmware.log filename is retained regardless of the value set.

 

Viewing ESXi log file contents


From Shell

An easy way to view logfiles on VMware ESXi is to SSH to the host and use old fashioned Linux commands such as cat, more, less, tail and head with a little bit of grep thrown in for filtering. Here are a couple of examples.

In this first one, I’m displaying the last 15 lines from the vmkwarning.log using the command tail -n 15 <filename>. This is marked (1) in the next screen screenshot. The text labeled (2), tells us that the host is failing to connect to host 192.168.20.20. As it turns out, 192.168.20.20 happens to be the IP address of a replication server I had set up on a second vCenter instance, which was powered off at the time.

Tailing and inspecting the content of a VMware ESXi log file

Tailing and inspecting the content of a VMware ESXi log file

 

Here’s another example, where I use the auth.log log file to determine if connections are being established from subnet 192.168.11.0 and by whom. To do this, cat auth.log and pipe it into grep filtering by the string 192.168.11 as shown. The output shows a number of successfully established SSH connections via the root account from the 192.168.11.45.

Using the auth.log file on ESXi to determine who accessed the host

Using the auth.log file on ESXi to determine who accessed the host

 

Using the ESXi host client

The ESXi host client makes it even easier to view the contents of a select number of log files. Navigate to Monitor -> Logs to view the list of logfiles available for viewing. Highlighting a log file, displays the contents in the underlying pane which can be copied to the clipboard and exported to file.

Viewing ESXi log files using the ESXi host client

Viewing ESXi log files using the ESXi host client

 

You can also generate a log bundle (see next section) using the Generate support bundle button labeled (4) in the above screenshot. When the task finishes, you are prompted to download the bundle to a folder on your computer.

Downloading a generated bundle file using the ESXi host client

Downloading a generated bundle file using the ESXi host client

 

Generating an ESXi Log Bundle


There may be times where you simply cannot solve an issue. Calling VMware support is one way to go about it and if you do, generating a log or host support file bundle is one thing you’ll be asked to do. This is then uploaded to VMware for further troubleshooting and diagnostics.

We’ve already seen how the bundle is generated via the ESXi host client. There are a couple more methods you can use.

The first is to run /usr/bin/vm-support from within an SSH session while logged as root. Once the bundle file is generated, you can copy it using scp or similar.

Generating an ESXi log bundle via script

Generating an ESXi log bundle via script

 

The second method is easier. Just point a browser to http://<ESXi IP address/cgi-bin/vm-support.cgi. You are promoted for the host’s credentials after which, the vm-support script is executed on ESXi. The generated bundle is then downloaded as a compressed tar file (TGZ). The process may take a while depending on the size of the logs, host utilization, uptime, etc.

Generating and downloading an ESXi log bundle via a CGI script

Generating and downloading an ESXi log bundle via a CGI script

 

You can then upload the bundle to VMware’s site using the vSphere Web client. Just navigate to Administration -> Support -> Upload File to Service Request and click on the Upload File to Service Request button. Finish off by selecting the bundle file with the Choose File button and press OK.

upload bundle

 

This post should have given you a basic introduction to some of the log files generated by VMware ESXi and VMs and how they are used to troubleshoot and diagnose problems. We’ve also had a look at ways by which a support bundle is generated whenever VMware support is called for.

For further details, have a look at the System Log Files section on the vSphere 6.5 documentation website.

[the_ad id=”4738″][the_ad id=”4796″]

Altaro VM Backup
Share this post

Not a DOJO Member yet?

Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!

6 thoughts on "A Newbie’s Guide to ESXi and VM Log Files"

Leave a comment

Your email address will not be published.

Microsoft 365 Security checklist - free eBook