Filtering/Excluding log entries in VMware vSphere ESXi
In our homelabs, or even in production environments, there are always some harmless log entries that we would happily keep from filling up our logs.
Caution: Reducing/suppressing/filtering log entries on an ESXi host could introduce some “blind spots” or even hide issues when troubleshooting.
In ESXi 6.x, VMware introduced the ability to filter or exclude log entries from the system logs using regular expressions (Filtering logs in VMware vSphere ESXi (2118562)).
To use log filtering, we first need to enable it:
- Log in to the ESXi host via SSH or the console, using a user with root privileges.
- We will change /etc/vmsyslog.conf, so let's back it up first
cp /etc/vmsyslog.conf /etc/vmsyslog.orig
- Now that we have a backup, we can edit the file
vi /etc/vmsyslog.conf
Add the config:
enable_logfilters = true
Get the filters configured
- The filters are set up in /etc/vmware/logfilters and follow a specific syntax
numLogs | ident | logRegexp
- Parameters
- numLogs - how many times the log entry can appear before being filtered (setting 0 will filter all of them)
- ident - used to identify the source of the log entry. The available sources can be found under /etc/vmsyslog.conf.d/*.conf
- logRegexp - the regular expression (Python regexp syntax) that matches the log entries to filter
- Configuring some filters in /etc/vmware/logfilters as an example:
vi /etc/vmware/logfilters
- Filtering some harmless SCSI log entries that result from local storage rescanning
0 | vmkernel | 0x1a.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x2[04] 0x0
0 | vmkernel | 0x85.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
0 | vmkernel | 0x12.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0
0 | vmkernel | 0x9e.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
0 | vmkernel | bad CDB .* scsi_op=0x9e
0 | vmkernel | 0x4d.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x20 0x0
Reloading syslog to activate our filters
esxcli system syslog reload
Let's check the result
- Before filtering, we can see a consistent log entry every ~10/15 minutes
- Reloading the syslog config and taking a timestamp to use as a reference
- After ~30 minutes we would normally have some of these log entries, so let's see if they got filtered
- OK, no such log entries. But did anything else get logged during that period? Let's grep for that period, removing the log entries that we want to filter, and count the newlines
Syslog logged 129 new log lines after we activated the filtering.
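To see what a set of filters would hide before reloading syslog, here is an added example (not part of the original post and not VMware's code) that dry-runs lines in the `numLogs | ident | logRegexp` syntax against sample messages. It assumes an unanchored regex search, that the first matching filter decides, and that the first numLogs matches are still logged; the sample messages and the broad filter are constructed for illustration.

```python
import re
from collections import Counter

def parse_filters(text):
    """Parse 'numLogs | ident | logRegexp' lines into (numLogs, ident, compiled regex)."""
    filters = []
    for line in filter(None, map(str.strip, text.splitlines())):
        # Split on the first two pipes only, so a '|' inside the regex is kept (assumption).
        num, ident, pattern = (part.strip() for part in line.split("|", 2))
        filters.append((int(num), ident, re.compile(pattern)))
    return filters

def dry_run(filters, entries):
    """Split (ident, message) entries into (kept, dropped) message lists."""
    seen, kept, dropped = Counter(), [], []
    for ident, msg in entries:
        suppressed = False
        for idx, (num, f_ident, rx) in enumerate(filters):
            # Assumption: unanchored search, since the page's patterns start mid-message.
            if f_ident == ident and rx.search(msg):
                seen[idx] += 1
                suppressed = seen[idx] > num  # first numLogs matches still get logged
                break
        (dropped if suppressed else kept).append(msg)
    return kept, dropped

# Two filters from this page, and a hypothetical broader one for comparison.
PAGE_FILTERS = """
0 | vmkernel | 0x1a.* H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x2[04] 0x0
0 | vmkernel | bad CDB .* scsi_op=0x9e
"""
BROAD_FILTER = "0 | vmkernel | Valid sense data"

# Constructed sample messages (not captured from a real host).
SAMPLE = [
    ("vmkernel", 'Cmd(0x1) 0x1a, CmdSN 0x10 to dev "mpx.example" failed '
                 "H:0x0 D:0x2 P:0x0 Valid sense data: 0x5 0x24 0x0"),
    ("vmkernel", "bad CDB len 16 != 10 for scsi_op=0x9e"),
    ("vmkernel", 'Cmd(0x2) 0x28, CmdSN 0x11 to dev "naa.example" failed '
                 "H:0x0 D:0x2 P:0x0 Valid sense data: 0x3 0x11 0x0"),
]

if __name__ == "__main__":
    for name, text in (("page filters", PAGE_FILTERS), ("broad filter", BROAD_FILTER)):
        kept, dropped = dry_run(parse_filters(text), SAMPLE)
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
        for msg in dropped:
            print("  would hide:", msg)
```

With the constructed samples, the two filters from this page hide only the two harmless entries, while the broader pattern also hides the line with sense key 0x3 (medium error), which is exactly the kind of blind spot the caution refers to.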
Caution: Reducing/suppressing/filtering log entries on an ESXi host could introduce some “blind spots” or even hide issues when troubleshooting.