VMWARE ESXi logs

Last update: 16.03.2018

On this page I collect the search patterns I use to filter ESXi logs for relevant information. They are by no means perfect, but they are at least a start.

Update!! Most of these seem to work for ESXi 6.5.

ESXi 5.5

General

Label: All ESXi logs
Search string: type:vmware

Label: Logs with severity ERROR
Search string: type:vmware AND syslog_severity:error

Label: Logs with severity WARNING
Search string: type:vmware AND syslog_severity:warning

Storage

Label: High storage latency
Search string: message:esx.problem.scsi.device.io.latency.high AND program:vobd
Description: This is logged either when the latency ratio compared with the last time the log was updated is 30, or when the ratio has doubled since the last log entry.

Label: Storage path selection issues
Search string: message:"Could not select path for device"
Description: Shows log lines when hosts have issues selecting paths for a LUN.

Label: Lost storage connectivity
Search string: message:"Lost connectivity to storage device" AND program:Hostd
Description: ESXi server lost connection to storage.

Label: Lost storage path
Search string: message:"Lost path redundancy to storage device" AND program:Hostd
Description: ESXi server lost path to storage.

Label: Restored redundancy to storage
Search string: message:"Path redundancy to storage device" AND message:"is active again"
Description: ESXi server restored storage path redundancy to storage device.

Label: Could not select path for device errors
Search string: message:"Could not select path for device"
Description: ESXi server has issues selecting path for storage device.

Label: LUN – All paths down
Search string: message:"is the last path to NMP device"
Description: ESXi server lost the last path to a storage device. All paths are down for that storage device.

Label: LUNs detached by admin
Search string: program:Hostd AND message:"has been turned off administratively"
Description: Admin has detached a storage LUN.

Label: FC FRAME drop events
Search string: message:"FRAME DROP event"
Description: Could indicate issues with FC cards or drivers.

Security

Label: Client and Web logins to ESXi
Search string: message:"Accepted password for user" AND NOT message:"dcui" AND NOT message:"vpxuser" AND NOT message:"root"
Description:

Label: Failed Client and Web logins to ESXi
Search string: message:"Rejected password for user" AND program:Hostd
Description:

Label: User logins via SSH and Shell
Search string: message:"Accepted keyboard-interactive"
Description:

Label: Failed SSH and Shell logins
Search string: message:"error: PAM: Authentication failure for"
Description:

Label: Root user logins to ESXi
Search string: type:vmware AND message:"Hostd: Accepted password for user root"
Description:

Label: SSH login enabled on ESXi
Search string: message:"SSH: SSH login enabled" AND type:vmware
Description:

Label: Local admin AD group lookup failure
Search string: message:"nssquery: Group lookup failed for"
Description: Sometimes the lookup of the AD group configured for local admin rights fails.
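
The Security searches above, re-implemented as an added Python example (not part of the original page) for checking exported events offline. It assumes every event is already `type:vmware` and carries `program` and `message` fields, approximates the analyzed `message` field with lowercase word tokens, and uses constructed sample events.

```python
import re

# (label, required phrases, excluded phrases, program) taken from the Security list.
RULES = [
    ("Client and Web logins to ESXi", ["Accepted password for user"],
     ["dcui", "vpxuser", "root"], None),
    ("Failed Client and Web logins to ESXi", ["Rejected password for user"], [], "Hostd"),
    ("User logins via SSH and Shell", ["Accepted keyboard-interactive"], [], None),
    ("Failed SSH and Shell logins", ["error: PAM: Authentication failure for"], [], None),
    ("Root user logins to ESXi", ["Hostd: Accepted password for user root"], [], None),
    ("SSH login enabled on ESXi", ["SSH: SSH login enabled"], [], None),
]

def tokens(text):
    # Assumption: approximates an analyzed text field as lowercase alphanumeric terms.
    return re.findall(r"[a-z0-9]+", text.lower())

def has_phrase(msg_tokens, phrase):
    # Phrase match: the phrase's terms must appear consecutively, in order.
    p = tokens(phrase)
    return any(msg_tokens[i:i + len(p)] == p
               for i in range(len(msg_tokens) - len(p) + 1))

def classify(event):
    """Return the labels of every Security search the event would match."""
    msg = tokens(event["message"])
    hits = []
    for label, must, must_not, program in RULES:
        if program and event.get("program", "").lower() != program.lower():
            continue
        if (all(has_phrase(msg, p) for p in must)
                and not any(has_phrase(msg, p) for p in must_not)):
            hits.append(label)
    return hits

# Constructed sample events (not real log data); addresses are documentation ranges.
SAMPLE = [
    {"program": "Hostd", "message": "Hostd: Accepted password for user root from 192.0.2.10"},
    {"program": "Hostd", "message": "Hostd: Accepted password for user jsmith from 192.0.2.11"},
    {"program": "Hostd", "message": "Hostd: Rejected password for user jsmith from 192.0.2.11"},
    {"program": "sshd", "message": "error: PAM: Authentication failure for root from 192.0.2.12"},
    {"program": "sshd", "message": "Accepted keyboard-interactive/pam for root from 192.0.2.12"},
    {"program": "Hostd", "message": "SSH: SSH login enabled"},
]

if __name__ == "__main__":
    for event in SAMPLE:
        print(classify(event) or ["(no match)"], "<-", event["message"])
```

The first search drops root logins because of its `NOT message:"root"` clause, so they only surface through the dedicated root search; keep both searches if you rely on this list for login monitoring.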

 

Snapshots

Label: Successful snapshots
Search string: message:/.*.createsnapshot.*/ AND message:"Status success" AND message:"Task Completed"
Description:

Label: Failed snapshots
Search string: message:"Create Snapshot failed"
Description:

Label: Disk consolidation errors
Search string: message:"An error occurred while consolidating disks"
Description:

vMotions

Label: Successful vMotions
Search string: message:"Vmotion task succeeded with result: (vim.host.VMotionManager.VMotionResult)"
Description:

Network

Label: Network link down
Search string: type:vmware AND program:vobd AND message:vmnic AND message:"linkstate down"

Label: Network link up
Search string: type:vmware AND program:vobd AND message:vmnic AND message:"linkstate up"

Label: ESXi server IP conflict
Search string: type:vmware AND message:"[vob.net.vmknic.ip.duplicate] A duplicate IP address was detected for"

Label: Standard switch uplink redundancy lost
Search string: type:vmware AND message:"[esx.problem.net.redundancy.lost] Lost uplink redundancy on virtual switch"

Misc

Label: New VMs created
Search string: type:vmware AND message:"Created virtual machine"

Label: VM power on events
Search string: type:vmware AND program:Hostd AND message:"is powered on"

Label: VM power off events
Search string: type:vmware AND program:Hostd AND message:"is powered off"
