Logstash – VCSA 6.0

Logstash – VCSA 6.0

As I have begun upgrading portions of my lab to vSphere 6.x I came across the difference in parsing syslog messages from the new VCSA which was different than previous versions. I was basically getting grokparsefailure on every message coming into logstash. So I wanted to share a new parsing rule for logstash that seems to be working almost 100% of the time. The bold lines are what I have added new to my logstash parsing rules.

filter {
  if "vCenter" in [tags] {
    multiline {
      pattern => "-->"
      what => "previous"
    grok {
      break_on_match => true
      match => [
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:syslog_hostname} %{TIMESTAMP_ISO8601:syslog_timestamp} (?(?(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) \[%{DATA:message_service_info}]\ (?(%{GREEDYDATA})))",
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:syslog_hostname} %{TIMESTAMP_ISO8601:syslog_timestamp} (?(?(?:\[%{DATA:message_thread_id} %{DATA:syslog_level} \'%{DATA:message_service}\'\ ?%{DATA:message_opID}])) (?(%{GREEDYDATA})))",
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:syslog_hostname} (?:\[%{TIMESTAMP_ISO8601:syslog_timestamp} %{NOTSPACE} %{DATA:syslog_level} %{NOTSPACE:message_service}]) %{GREEDYDATA:syslog_message}",
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:syslog_hostname} %{TIMESTAMP_ISO8601:syslog_timestamp} %{GREEDYDATA:syslog_message}",
        "message", "<%{INT:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:syslog_hostname} %{GREEDYDATA:syslog_message}",
        "message", "%{SYSLOG5424BASE}.?.%{GREEDYDATA:syslog_message}"
    syslog_pri { }
    date {
      #match => [ "syslog_timestamp", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ] #For vCenter Appliance 5.x
      match => [ "syslog5424_ts", "YYYY-MM-ddHH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ] #For vCenter Appliance 6.x
      #match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      timezone => "UTC" #For vCenter Appliance
      #timezone => "America/New_York"
    if "_grokparsefailure" not in [tags] {
      mutate {
        replace => [ "host", "%{syslog_hostname}" ]
    if "syslog5424_host" {
      mutate {
        replace => [ "host", "%{syslog5424_host}" ]
    if "syslog5424_app" {
      mutate {
        add_field => [ "syslog_program", "%{syslog5424_app}" ]
    mutate {
      add_tag => [ "pre-processed" ]

Example Kibana view.

Screen Shot 2015-04-22 at 4.40.36 PM

To configure the VCSA for logging to a remote syslog server is as easy going to Home|Administration|System Configuration|Services and then VMWare Syslog Service. Now click manage and edit to configure.

Screen Shot 2016-01-15 at 9.34.11 PM


Screen Shot 2016-01-15 at 9.39.15 PM

After setting the above and clicking OK you can view the summary page to ensure that your new remote syslog server shows up as below.

Screen Shot 2016-01-15 at 10.08.36 PM

If it does not then you can select restart from the Actions drop-down and restart the syslog server and all should be good.



6 thoughts on “Logstash – VCSA 6.0

  1. Hey,

    Thanks for the filter. Can you actually show how you have vcsa configured for to point to logstash for syslog? I am running Sex!Log and trying to get vCSA pointing to it but having trouble getting it to not working. I followed the same steps as if I was setting it up to point to loginsight: http://pubs.vmware.com/log-insight-20/index.jsp?topic=%2Fcom.vmware.log-insight.administration.doc%2FGUID-ABB7293F-5978-478D-AD57-BBC5E1E60B0E.html

    my /etc/syslog-ng/syslog-ng.conf

    source vpxd {
    file(“/var/log/vmware/vpx/vpxd.log” follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/vpxd-alert.log” follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/vws.log” follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/vmware-vpxd.log” follow_freq(1) flags(no-parse));
    file(“/var/log/vmware/vpx/inventoryservice/ds.log” follow_freq(1) flags(no-parse));
    destination sexilog { udp(“” port(514)); };
    log { source(vpxd); destination(sexilog); };

  2. I have successfully confgured vCenter 6 appliance to send logs to sexilog.
    The following two are missing in the log deail in the dashboard.
    Hostname & message_program

    Can you please post the path/config file to update ?

Leave a Reply

Your email address will not be published. Required fields are marked *