Where are ESXi logs?

ESXi is VMware’s bare-metal hypervisor that installs directly onto server hardware to manage virtualized workloads. As with any server environment, logging is critical for monitoring performance, utilization, and troubleshooting issues. This guide will walk through the key locations of ESXi log files, how to access them, as well as best practices for managing logs to optimize the host.

Where are ESXi logs?

vSphere Client

ESXi logs are available through the vSphere Client GUI for basic monitoring without needing direct host access. The main log is visible under the “Monitor” tab showing recent tasks, events, and alarms triggered on the host.

More detailed logging is available under the “Resource” section for hardware/driver details, VM events, etc. These provide quick insight without needing to dig through log files directly on the host.

ESXCLI System Logs Command

For more advanced troubleshooting, the ESXCLI command line utility allows viewing logs directly from the ESXi shell. The esxcli system logs set of commands expose various logging subsystems:

esxcli system logs list

   Type  Name                

   —– ——————–

   mem   /var/run/log/vmkernel-zdump.0.gz

   etc   /var/log/hostd.log

         /var/log/vmkernel.log

         /var/log/vpxa.log

This allows passing log filenames to functions to retrieve contents. For example to view the top of vpxa.log:

esxcli system logs follow -f /var/log/vpxa.log -n 150

 (pauses to show last 150 lines of log)

See KB article 2031657 for full usage details.

Direct Log File Access

The ESXi file system also contains log files directly accessible via SSH or console. Key log locations include:

/var/log – Contains general system/kernel logs:

  • hostd.log: logs for ESXi host agent
  • vpxa.log: logs for vpxa service managing vCenter communication
  • fdm.log: logs for native file system management

/var/run/log – VMkernel and storage logging:

  • vmkernel.log: kernel logs for resource management, hardware, drivers
  • vmkwarning.log: VMkernel warning messages
  • vmksummary.log: condensed VMkernel logging for faster review

/var/core – Core dump logs from major failures:

  • vmcore:* Memory core dumps for analysis after failures
  • core:* Process core dumps after crashes

/scratch/log – Support and Stats logging:

  • esxtop.log: logs for esxtop monitoring utility
  • vcsa-deploy.log: vCenter Server Appliance deployment logs
  • hostd-probe.log: Hardware detection details

These allow deeper troubleshooting for when vSphere logs are insufficient. Access requires opening SSH session or console to directly examine files.

Log Management Best Practices

With logs scattered across the host file system, some guidelines help managing them effectively:

  • Configure remote syslog: Ship logs to centralized aggregation tool for long term retention and correlation.
  • Monitor log sizes: Rotate large logs like hostd.log to avoid filling filesystem.
  • Search across logs: Use log tools with indexing to search across logs for matching entries.
  • Interpret key logs: Get to know critical logs like vmkernel during familiarization.
  • Correlate logs: Review related management, resource and networking logs together.
  • Delete obsolete logs: Remove deprecated logs from old products after upgrades.

Following these practices makes tracking down issues much simpler at scale rather than digging through countless text logs.

Key Takeaways:

  • ESXi hypervisor logs are accessible through vSphere Client, ESXCLI commands, and directly on the host filesystem
  • /var/log contains general system and management logs like hostd.log
  • /var/run/log has VMkernel, storage, and hardware driver logs
  • Enable remote syslog to aggregate logs to a central monitoring system
  • Log sizes and growth rates should be tracked to avoid overfilling storage
  • Search tools help correlating events across different subsystem logs
  • Follow best practices for managing, interpreting, correlating logs across hosts

Frequently Asked Questions:

Q: Where is the main ESXi log file located?
A: The main ESXi system log is /var/log/hostd.log which records logs for the hostd agent managing the host.

Q: How can I see ESXi logs in vSphere Client?
A: In vSphere Client, go to the Monitor tab. The Recent Tasks pane shows recent operations, events, and alarms triggered on the host.

Q: What log shows historical performance data?
A: esxtop.log found in /scratch/log captures historical performance statistics from the esxtop monitoring utility.

Q: What is the vmkernel log file path?
A: The main vmkernel log is /var/run/log/vmkernel.log recording logs related to VMkernel resource management.

Q: Where are hardware driver logs stored?
A: Logs related to storage, network, and other hardware drivers are found under /var/run/log including vmkernel logs.

Q: How do I open SSH to access ESXi logs?
A: SSH can be enabled in the ESXi host settings through vSphere Client allowing log access using Linux commands like tail, grep, etc.

Q: What log shows historical Syslog data?
A: The Syslog is consolidated into /var/log/hostd.log for review including historical records.

Q: Where are core dump logs stored?
A: Core memory dumps from major failures are stored under /var/core/ for analysis by VMware support.

Q: How can I analyze old logs if rotated?
A: Log rotation archives older logs into compressed .gz files, zgrep, zcat can read these compressed logs.

Q: What is the vminfo.log?
A: vminfo.log found in /var/log records VMware tools installer messages and guest OS details.

Q: How do I track disk space used by logs?
A: du and df commands report filesystem disk space usage, help spot check log file growth.

Q: What log shows NTP time synchronization errors?
A: The hostd.log monitors NTP status and records time synchronization errors and warnings.

Q: Where are vCenter agent logs stored?
A: vpxa.log found in /var/log contains messages from the vCenter agent for management events.

Q: How long are logs retained on ESXi by default?
A: Log rotation config determines retention, often 2 weeks. Remote syslog should capture logs long term.

Q: What log shows lock contention errors?
A: vmkernel.log has details on resource contention including locking and multipathing issues.

Q: What logs host firewall details?
A: The hostd.log contains records of firewall rule changes and ipset configuration.

Q: Where are advanced system logs?
A: /var/run/log has additional VMkernel, storage, and hardware driver logging.

Q: What file shows post messages during boot
A: The boot log /var/log/boot.msg has post messages output during system initialization.

Q: Where are ESXi Install or Upgrade logs?
A: /var/log/esxi_installation.log records details from OS installation and upgrade operations.

Conclusion

Accessing and interpreting ESXi logs are critical troubleshooting skills for virtual infrastructure. vSphere Client allows monitoring overview of recent operations and events. For detailed technical logs, directly accessing /var/log and /var/run/log directories is needed during system debugging or health checks.

Following log management best practices like shipping to a syslog aggregation system, tracking growth sizes, searching across logs, understanding key logs per component, and correlated related subsystem logs greatly improves efficiency troubleshooting complex performance and stability issues across a large ESXi fleet.

 

Leave a Comment