A few days ago I was required to obtain some audit logs from our SIEM system (Sumologic) and from vCenter and I noticed that our vCenter logs weren’t going in to Sumologic and that the log files required for SSO auditing or the VPXD log (where, among other things, stipulates what client was used by who to connect) were rotating every 7 days. This was not good. So I decided what better time than now to forward vCenter syslogs to Sumologic.
It was a little more complex than just enabling syslog through appliance management as by default, this does not collect the SSO logs, like:
- /var/log/vmware/sso/ssoAdminServer.log – Auditing SSO logins
- /var/log/vmware/sso/vmware-identity-sts.log – Auditing SSO user changes
I found this out by scouring the internet and piecing little pieces together and eventually, creating a rock solid syslog source for our vCenter Servers.
Please note: This is not an officially supported configuration by VMware and for larger environments, this could potentially have an impact on the vCenter Server service, so please take caution in the logs you decide to forward. And as always, test this in a lab first.
I also want to mention that this needs to be done on each VCSA instance, i.e. if you have a vCenter with an External PSC, this would need to be done on both servers, in order to collect all the logs.
So, lets begin: