I am configuring the vCSA syslog to a third-party syslog server (e.g. a Splunk forwarder) via UDP port 514 (see the instruction in http://www.virtuallyghetto.com/2015/03/a-preview-of-native-syslog-support-in-vcsa-6-0.html). The syslog server receives the log from the vCSA. However, the VMware Syslog Service Health Messages reports a “Syslog endpoint servername:514 is unreachable” critical error.
It turns out the vCSA syslog uses the TCP port 514 for the syslog server health check. Since my syslog server (like many normal syslog servers) only licenses on the UPD port 514, the vCSA health check reports the syslog sever is not reachable.
Solution
- Find a TCP port that the syslog server is licensing. Any licensing TCP port should work, it does not have to relate to the syslog.
- SSH to vCSA
- cd /etc/vmware-syslog
- vi vmware-syslog-health.properties
- Change the “cls.strata.ping.port” setting to the TCP port licensing on the syslog server (the default is 514)
- Save the setting
- Restart the VMware Syslog Service
- Check the VMware Syslog Service Health Messages, it should show “Syslog endpoint <servername>:<tcp port> reachable”
Thanks that was a tricky config that VMware doesn't document well or at all.
ReplyDelete