Filtering/Excluding log entries in VMware vSphere ESXi


In our homelabs, and even in production environments, there are always some harmless log entries that we would be happy to stop from filling up our logs.

Caution: Reducing/suppressing/filtering log entries on an ESXi host could introduce some “blind spots” or even hide issues when troubleshooting.

In ESXi 6.x, VMware introduced the ability to filter or exclude log entries from the system logs using regular expressions (Filtering logs in VMware vSphere ESXi (2118562)).

To use log filtering, we first need to enable it:

  • Log in to the ESXi via SSH or console, using a user with root privileges.

  • We will change /etc/vmsyslog.conf, so let's back it up first:

cp /etc/vmsyslog.conf /etc/vmsyslog.orig

  • Now that we have a backup, we can edit the file:

vi /etc/vmsyslog.conf

Add the config:
   enable_logfilters = true

Backup vmsyslog.conf

Get the filters configured

  • The filters are set up in /etc/vmware/logfilters, which uses a specific syntax:
numLogs | ident | logRegexp
  • Parameters
    • numLogs - how many times the log entry can appear before being filtered (setting 0 will filter all)
    • ident - used to identify the source of the log entry. The available sources can be found under /etc/vmsyslog.conf.d/*.conf
    • logRegexp - the regular expression (Python regexp syntax) that matches the log entries to filter
  • Configuring some filters in /etc/vmware/logfilters as an example:
vi /etc/vmware/logfilters
  • Filtering some harmless SCSI log entries that result from local storage rescanning:
0 | vmkernel | 0x1a.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x2[04] 0x0
0 | vmkernel | 0x85.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
0 | vmkernel | 0x12.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0
0 | vmkernel | 0x9e.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
0 | vmkernel | bad CDB .* scsi_op=0x9e
0 | vmkernel | 0x4d.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
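
Before reloading syslog, it helps to dry-run the filters against sample messages and confirm that only the intended noise is dropped. The following is an added example, not part of the original post or of VMware's tooling: the function names and sample messages are constructed, and it assumes unanchored regex matching and that the first numLogs matches still pass.

```python
import re

# Two of the filters from this page, in logfilters syntax.
FILTERS = r"""
0 | vmkernel | 0x1a.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x2[04] 0x0
0 | vmkernel | bad CDB .* scsi_op=0x9e
"""

# Constructed (ident, message) samples; not taken from a real host.
SENSE = ('ScsiDeviceIO: 3015: Cmd(0x459a40bd2c80) 0x1a, CmdSN 0x3e6 from world 0 '
         'to dev "mpx.vmhba0:C0:T0:L0" failed H:0x0 D:0x2 P:0x0 Valid sense data: ')
SAMPLES = [
    ("vmkernel", SENSE + "0x5 0x24 0x0."),   # harmless rescan noise
    ("vmkernel", SENSE + "0x3 0x11 0x0."),   # different sense data, must stay
    ("hostd", SENSE + "0x5 0x24 0x0."),      # same text, other ident
    ("vmkernel", "bad CDB length for device, scsi_op=0x9e"),
]


def parse_filters(text):
    """Parse 'numLogs | ident | logRegexp' lines into (int, str, pattern)."""
    filters = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split on the first two pipes only: the regexp may contain '|'.
        num, ident, regexp = (part.strip() for part in line.split("|", 2))
        filters.append((int(num), ident, re.compile(regexp)))
    return filters


def dry_run(filters, entries):
    """Return (kept, dropped) for the given (ident, message) entries."""
    seen = [0] * len(filters)
    kept, dropped = [], []
    for ident, msg in entries:
        suppressed = False
        for i, (num_logs, f_ident, rx) in enumerate(filters):
            # Assumption: unanchored match, as the page's filters start mid-line.
            if ident == f_ident and rx.search(msg):
                seen[i] += 1
                suppressed = seen[i] > num_logs  # first numLogs hits still pass
                break
        (dropped if suppressed else kept).append((ident, msg))
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dry_run(parse_filters(FILTERS), SAMPLES)
    for ident, msg in dropped:
        print("DROP", ident, msg)
    for ident, msg in kept:
        print("KEEP", ident, msg)
```

Any message that ends up in the dropped list unexpectedly points to a regular expression that is too broad and would create a blind spot.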

Reloading syslog to activate our filters

esxcli system syslog reload

Let's check the result

  • Before, we can see a consistent log entry every ~10/15 minutes

Before Setting up the filters

  • Reloading syslog config and a timestamp to use as a reference

Syslog Service reload

  • After ~30 minutes, we would normally have some log entries; let's see if they got filtered

After setting up filters

  • OK, no log entries. But did anything else get logged during that period? Let's grep for that period, removing the log entries that we want to filter, and count the new lines

Count log entries logged during testing period

Syslog logged 129 new log lines after we activated the filtering

Caution: Reducing/suppressing/filtering log entries on an ESXi host could introduce some “blind spots” or even hide issues when troubleshooting.
