VMware vSphere
VMware vSphere is a virtualization and cloud computing platform that allows organizations to create, run, and manage virtual machines (VMs) and cloud-based services. It is a suite of software products that provide a complete virtualization infrastructure, including virtualized computing, networking, storage, and security resources.
vSphere allows multiple operating systems and applications to run on a single physical server or cluster of servers, which enables organizations to consolidate their IT infrastructure and reduce hardware costs. It also provides features like High Availability (HA), Distributed Resource Scheduler (DRS), and Fault Tolerance (FT) to increase the reliability and availability of virtualized applications.
App Function
This app comes with rules, dashboards, and triggers, all customized to work specifically for vSphere, prepared for a multitude of uses.
The app rules parse user tags from the incoming log messages. There are 123 possible user tags that can be extracted from vSphere log messages. All are enabled by default, but it is strongly recommended to enable only the user tags of interest and disable the remainder. Each enabled user tag has a performance cost, and checking for user tags that are not of interest is wasteful.
To select the user tags of interest, edit the file /etc/logzilla/apps/vmware/config/vmware-config.yaml after the app is installed.
The top of the YAML file has a section titled DESIRED_USER_TAGS. The user tags to look for in the incoming log messages are listed on the successive lines below that title, one per line. For each user tag, there is an entry in the USER_TAG_DEFINITIONS section below that indicates which log messages that user tag corresponds to. The default vmware-config.yaml lists all 123 user tags, and it is strongly recommended to delete from that list each line containing a user tag that is not of interest.
Vendor Documentation
Incoming Log Format
The incoming log messages are received through syslog as standard syslog messages. There are two log formats, both in use simultaneously.
In the first format, the message text itself consists first of a date-timestamp followed by a word indicating the severity or criticality of the message, then a process name and id, followed by some key-value pairs, followed by the message text.
In the second format, the message text consists of a date-timestamp, followed by a thread id, followed by key-value pairs, followed by an event id, and lastly the message text.
Although the formats differ, the app rules are able to parse both formats to retrieve the user tag information.
Parsed Metadata Fields
These are the fields / user tags that are parsed from the log messages:
vSphere User Tag Name |
---|
vmw_config_type |
vmw_device_changed |
vmw_esx_shell_command |
vmw_esx_shell_user |
vmw_esxi_audit |
vmw_esxi_auth_failed_source |
vmw_esxi_auth_failed_user |
vmw_esxi_auth_source |
vmw_esxi_auth_type |
vmw_esxi_auth_user |
vmw_esxi_cli_command |
vmw_esxi_connect_source |
vmw_esxi_connectivity_component |
vmw_esxi_drs_from |
vmw_esxi_drs_to |
vmw_esxi_drs_vm |
vmw_esxi_esxupdate_command |
vmw_esxi_firewall_operation |
vmw_esxi_firewall_ruleset |
vmw_esxi_hostd_auth_user |
vmw_esxi_iscsi_server |
vmw_esxi_nfs_datastore |
vmw_esxi_nfs_server |
vmw_esxi_nfs_status |
vmw_esxi_nsx_severity |
vmw_esxi_permission_event |
vmw_esxi_portgroup |
vmw_esxi_problem |
vmw_esxi_problem_datastores |
vmw_esxi_scsi_additional_sense_code |
vmw_esxi_scsi_additional_sense_code_qualifier |
vmw_esxi_scsi_device_status |
vmw_esxi_scsi_host_status |
vmw_esxi_scsi_latency |
vmw_esxi_scsi_plugin_status |
vmw_esxi_scsi_sense_code |
vmw_esxi_scsi_sense_data |
vmw_esxi_severity |
vmw_esxi_snapshot_operation |
vmw_esxi_snmp_trap_name |
vmw_esxi_snmp_trap_oid |
vmw_esxi_sub |
vmw_esxi_uptime |
vmw_esxi_vim_datastore |
vmw_esxi_vmdowntime |
vmw_esxi_vmfs_heartbeat_datastore |
vmw_esxi_vmfs_volume_guid |
vmw_esxi_vmk_component |
vmw_esxi_vmk_world |
vmw_esxi_vmkernel_net_vm_name |
vmw_esxi_vmotion_bandwidth |
vmw_esxi_vmotion_opid |
vmw_esxi_vmotion_type |
vmw_esxi_vmotiondst_opid |
vmw_esxi_vmprecopybandwidth |
vmw_esxi_vmprecopystuntime |
vmw_esxi_vms |
vmw_fdm_state |
vmw_ha_component |
vmw_ha_component_operation |
vmw_ha_guesthb |
vmw_ha_slave |
vmw_hatask |
vmw_hostd_vmotion_id |
vmw_opid |
vmw_recordop |
vmw_recordop_action |
vmw_rsv_source |
vmw_rsv_time |
vmw_scsi_path_state |
vmw_scsideviceio_pid |
vmw_task_status |
vmw_user |
vmw_vc_alarm_source |
vmw_vc_alarm_status |
vmw_vc_alarm_type |
vmw_vc_api_invocations |
vmw_vc_auth_failed_source |
vmw_vc_auth_failed_user |
vmw_vc_auth_source |
vmw_vc_auth_type |
vmw_vc_auth_user |
vmw_vc_custom_field_name |
vmw_vc_custom_field_on_vm |
vmw_vc_drs_migrate_cluster |
vmw_vc_drs_migrate_datastore |
vmw_vc_duplicate_ip_vm1 |
vmw_vc_duplicate_ip_vm2 |
vmw_vc_fdm_state |
vmw_vc_file_action |
vmw_vc_mks_host |
vmw_vc_msg_info |
vmw_vc_msg_vm |
vmw_vc_power_host |
vmw_vc_power_status |
vmw_vc_power_vm_name |
vmw_vc_reconfig_on |
vmw_vc_rhttpproxy_error |
vmw_vc_task_method |
vmw_vc_task_object |
vmw_vc_task_operation |
vmw_vc_task_status |
vmw_vc_task_type |
vmw_vc_vmodl_fault |
vmw_vc_vmotion_from |
vmw_vc_vmotion_precopystuntime |
vmw_vc_vmotion_to |
vmw_vc_vpxd_clientip |
vmw_vc_vpxd_hearbeat_host |
vmw_vc_vpxd_username |
vmw_vim_fault_type |
vmw_vm_heartbeat_source |
vmw_vm_heartbeat_status |
vmw_vm_state_transition_post |
vmw_vm_state_transition_pre |
vmw_vm_vmx_name |
vmw_vmfs_heartbeat_status |
vmw_vmkernel_vmotion_id |
vmw_vmotion_status |
vmw_vob_component |
vmw_vob_event_type |
vmw_volume_name |
vmw_vsphere_op_time |
Log Examples
Log Format 1
- - 2022-10-07T01:31:23.561Z info vpxd[06166] [Originator@6876 sub=Default opID=sps-Main-670825-661-106283-91] [VpxLRO] -- ERROR session[52209c62-c72c-38b9-47de-a9cde9fc032f]521ac939-f711-0fa9-41fc-62fad40b3af9 -- CatalogSyncManager -- vim.vslm.vcenter.CatalogSyncManager.queryCatalogChange: vmodl.fault.NotSupported:\n--> Result:\n--> (vmodl.fault.NotSupported) {\n--> faultCause = (vmodl.MethodFault) null, \n--> faultMessage = <unset>\n--> msg = ""\n--> }\n--> Args:\n--> \n--> Arg catalogChangeSpec:\n--> (vim.vslm.CatalogChangeSpec) {\n--> datastore = 'vim.Datastore:datastore-4421', \n--> startVClockTime = (vim.vslm.VClockInfo) {\n--> vClockTime = 0\n--> }, \n--> fullSync = false\n--> }
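The first format, as described under Incoming Log Format, can be split into its parts as follows. This is an added example, not the app's own rules: the function name, the output field names and the regular expressions are assumptions made for illustration, and the sample is the Log Format 1 line above cut short after the fault name.

```python
import re

# Format 1: timestamp, severity word, process[pid], a bracketed block of
# key=value pairs, then the message text.
FORMAT1 = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+"
    r"(?P<severity>[A-Za-z]+)\s+"
    r"(?P<process>[\w.-]+)\[(?P<pid>\d+)\]\s+"
    r"\[(?P<origin>[^\s\]]+)(?P<pairs>[^\]]*)\]\s*"
    r"(?P<message>.*)",
    re.DOTALL,
)
PAIR = re.compile(r"(\w+)=(\S+)")
FAULT = re.compile(r"\bvmodl\.fault\.\w+")

# Log Format 1 sample from this page, truncated after the fault name.
SAMPLE = (
    "- - 2022-10-07T01:31:23.561Z info vpxd[06166] "
    "[Originator@6876 sub=Default opID=sps-Main-670825-661-106283-91] "
    "[VpxLRO] -- ERROR session[52209c62-c72c-38b9-47de-a9cde9fc032f]"
    "521ac939-f711-0fa9-41fc-62fad40b3af9 -- CatalogSyncManager -- "
    "vim.vslm.vcenter.CatalogSyncManager.queryCatalogChange: "
    "vmodl.fault.NotSupported:"
)


def parse_format1(line):
    """Return the fields of a Format 1 line, or None if it does not match."""
    m = FORMAT1.search(line)  # search() skips the leading "- - " syslog fields
    if m is None:
        return None
    rec = m.groupdict()
    # " sub=Default opID=..." becomes {"sub": "Default", "opID": "..."}
    rec["pairs"] = dict(PAIR.findall(rec["pairs"]))
    # Fault name inside the message text, if one is present
    fault = FAULT.search(rec["message"])
    rec["fault"] = fault.group(0) if fault else None
    return rec


if __name__ == "__main__":
    for key, value in parse_format1(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample, the header severity word is info while the message text itself carries ERROR, so a filter keyed only on the severity word would not surface this fault.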
Log Format 2