Sexilog No Data in Kibana

[twizod]

I setup Sexilog as NFS Server and mount /sexilog in VCSA vsphere 5.5 appliance to ship logs. I restarted VCSA to take up mount and confirmed it was mounted and logs were being written to Sexilog /sexilog directory as root:root but no data was showing up in Kibana. How do fix this? I ran:
chmod -R 777 . /sexilogs and I ran
chown elasticsearch:elasticsearch in /sexilogs/*
Restarted services but nothing changed.

[sexibytes]

You have to send them in via syslog protocol so logstash could push the data in elasticsearch, not put the log on the appliance filesystem. Kibana only talks to ES.

[twizod]

Thanks for the quick response and that helped me tremendously even it'll mean more lovely firewall requests 👍
Everything is working great now. Is there an RTFM for this? I clicked the link and it was dead. Awesome device thanks so much for taking the time!

[sexibytes]

Your very welcome, thanks for your feedback ! Which link is dead ?

[twizod]

I can't find the link so disregard. I have logging working but I only see one server in my cluster showing up in sexilog. I have enabled udp logging to port 514 for the IP for the sexilog server. Is this supposed to happen? Any suggestion? Sorry to bother you again.

[zeroluck]

I'm running vCenter Server Appliance 6.0 U2 and following the VMware KB referenced in http://www.sexilog.fr/rtfm/ doesn't seem to send any vcenter logs to SexiLog. I've listened on TCPdump on the sexilog box and I don't see any traffic coming from my vcenter host. Have you guys had any success with this?

I have this in my /etc/syslog-ng/syslog-ng.conf file on my vcenter server appliance:

source vpxd {
       file("/var/log/vmware/vpx/vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vpxd-alert.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vws.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/vmware-vpxd.log" follow_freq(1) flags(no-parse));
       file("/var/log/vmware/vpx/inventoryservice/ds.log" follow_freq(1) flags(no-parse));
};

# Remote Syslog Host
destination remote_syslog {
       tcp("10.0.50.34" port (514));
};

# Log vCenter Server vpxd log remotely
log {
        source(vpxd);
        destination(remote_syslog);
};

[nsnsc03]

It took me a little searching but you have to allow syslog through the esxi firewall. Host-->configuration-->security profile-->firewall properties-->check the box next to syslog.

[vmdude]

Indeed, as explained here http://www.sexilog.fr/quickstart/

As instructed by the VMware KB2003322 you may need to open the VMware ESXi™ firewall to let the syslog traffic pass through.

[m49808]

@zeroluck did you ever figure this out? I have the same issue with the same version.

[tomasfrey]

Hi, on vCenter Server Appliance 6.0 U2 we have same behaviour, looks like vmware changed method of processing syslogs, instead of syslogNG is now used rSyslog. Way to send syslog to sexilog is partialy covered by this article: http://www.virtuallyghetto.com/2015/03/a-preview-of-native-syslog-support-in-vcsa-6-0.html

[m49808]

i tried the steps in that article, but still not seeing data i would expect. Is this still a product being supported? seems as the VCSA continues to evolve sexilog is getting less and less data.

[rschitz]

SexiLog was initially design for ESXi logs. We need to work on VCSA logs indeed.