Where are VM logs?

Virtual machine (VM) logs provide critical insights into the performance and operations of VMs. Knowing where these logs are located enables admins to troubleshoot issues, monitor resource usage, and optimize configurations. This article covers common VM log locations across major virtualization platforms.

VMware vSphere ESXi

VMware vSphere uses ESXi hypervisors to run virtual machines. ESXi logging and vCenter server logging offer visibility into VM operations.

Key vSphere log locations:

  • ESXi host: /var/log/ on the ESXi host contains logs for the hypervisor and all VMs. Examine hostd.log, vmkernel.log, and per-VM logs.
  • vCenter Server: Logs are under /var/log/vmware/ and cover vCenter orchestration and management, with rotation handled by vCenter. Check key logs like vpxd.log.

Enable advanced logging: vSphere Advanced Logging allows granular log configurations per component through the vSphere GUI.

Key vSphere Log Files

  • hostd.log – ESXi host daemon operations
  • vmkernel.log – Kernel and management operations
  • VM_Name.log – Individual VM guest OS logs

Log analysis tools: vRealize Log Insight centralizes vSphere logs for analysis and alerts.

Microsoft Hyper-V

Microsoft Hyper-V generates extensive logs to troubleshoot VM performance issues and Hyper-V host server problems.

Hyper-V log locations

  • Hyper-V host: The C:\Windows\System32\winevt\Logs\ directory contains administrator, operator, and analytic logs.
  • Individual VMs: Each virtual machine's configuration files also have associated log files, named VMMS_*.log.

Key Hyper-V host log sources

  • Administrative Events – Hyper-V manager operations
  • Microsoft-Windows-Hyper-V-Worker-Admin – Background management tasks
  • Microsoft-Windows-Hyper-V-VmSwitch-Operational – Virtual switch events

Enable advanced logging: Use PowerShell cmdlets like Enable-VMResourceMetering to start resource utilization logging.

Oracle VM VirtualBox

Oracle VM VirtualBox is a free, open-source hypervisor popular for developer VMs. Tracking down issues means checking the logs.

VirtualBox log locations

The directory holding all VirtualBox VM logs, disk images and configurations depends on the host OS:

  • Windows: C:\Users\{user}\VirtualBox VMs\
  • macOS: /Users/{user}/VirtualBox VMs/
  • Linux: /home/{user}/VirtualBox VMs/

Key VirtualBox log files

  • VBox.log – Global VirtualBox operations
  • VM Name/{VM Name}.log – Logs for each VM guest OS

Log analysis: Use VBoxManage debuglog to inspect detailed logs. On Linux/macOS, monitor real-time logs via tail -f VBox.log.


AWS EC2

AWS EC2 instances run inside a hypervisor without access to the host. CloudTrail and CloudWatch Logs record instance activity.

EC2 log locations

  • CloudTrail: Account activity log including EC2 API calls
  • CloudWatch Logs: Individual log files from EC2 instances and systems
  • EC2 Instance: /var/log/ inside the instance contains guest OS logs

Key EC2 CloudWatch log types

  • /var/log/messages – Global Linux/Unix syslog events
  • /var/log/secure – Authentication events
  • /var/log/cloud-init-output.log – EC2 initialization

EC2 log analysis: CloudWatch Logs Insights performs log queries across services. EC2 Console also displays key events.
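As an added example (not from the original article), the following Python sketch pulls EC2 API calls out of a CloudTrail log file and surfaces state-changing calls and failed calls. The sample records are constructed, and the WATCHED and DENIED sets are illustrative assumptions to adjust for your environment.

```python
import json
from collections import Counter

ACCT = "arn:aws:iam::111122223333:user/"  # documentation account ID, constructed

def _rec(time, source, name, user, ip, error=None):
    """Build one constructed record with the CloudTrail fields used below."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "arn": ACCT + user}}
    if error:
        rec["errorCode"] = error
    return rec

EC2, S3 = "ec2.amazonaws.com", "s3.amazonaws.com"
# Constructed sample in the CloudTrail log-file layout: {"Records": [...]}.
SAMPLE = json.dumps({"Records": [
    _rec("2024-01-05T10:00:00Z", EC2, "DescribeInstances", "alice", "198.51.100.7"),
    _rec("2024-01-05T10:07:00Z", EC2, "RunInstances", "bob", "203.0.113.9",
         "Client.UnauthorizedOperation"),
    _rec("2024-01-05T10:02:00Z", EC2, "StopInstances", "bob", "203.0.113.9"),
    _rec("2024-01-05T10:03:00Z", S3, "GetObject", "bob", "203.0.113.9", "AccessDenied"),
    _rec("2024-01-05T10:05:00Z", EC2, "AuthorizeSecurityGroupIngress", "alice",
         "198.51.100.7"),
    _rec("2024-01-05T10:08:00Z", EC2, "DescribeInstances", "bob", "203.0.113.9",
         "Client.UnauthorizedOperation"),
]})

# State-changing EC2 calls to surface even when they succeed (illustrative choice).
WATCHED = {"RunInstances", "StopInstances", "TerminateInstances",
           "ModifyInstanceAttribute", "AuthorizeSecurityGroupIngress", "CreateKeyPair"}
DENIED = {"Client.UnauthorizedOperation", "AccessDenied"}

def ec2_findings(raw):
    """Return watched or failed EC2 API calls from a CloudTrail log, oldest first."""
    findings = []
    for rec in json.loads(raw).get("Records", []):
        if rec.get("eventSource") != EC2:
            continue  # other services are out of scope for this triage
        name, error = rec.get("eventName", ""), rec.get("errorCode")
        if name not in WATCHED and not error:
            continue  # successful read-only calls are not reported
        ident = rec.get("userIdentity") or {}
        findings.append({"time": rec.get("eventTime", ""), "event": name,
                         "actor": ident.get("arn") or ident.get("type", "unknown"),
                         "source_ip": rec.get("sourceIPAddress"), "error": error})
    return sorted(findings, key=lambda f: f["time"])

def denied_by_actor(findings):
    """Count authorization failures per caller."""
    return Counter(f["actor"] for f in findings if f["error"] in DENIED)
```

A caller with repeated authorization failures on EC2 actions, as bob has in the sample, is a common starting point for a closer look at that identity's recent activity.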

Key Takeaways

  • Virtual machine logs provide critical insights for troubleshooting and monitoring.
  • VMware vSphere uses hostd.log, vmkernel.log and per-VM logs under /var/log/.
  • Microsoft Hyper-V records administrator and per-VM logs under C:\Windows\System32\winevt\Logs\.
  • VirtualBox logs system operations to VBox.log and per-VM logs in individual VM folders.
  • AWS EC2 instances use CloudWatch Logs and CloudTrail for activity logging and analysis.

Understanding the available logging from a virtualization platform is key for proper troubleshooting and monitoring.


Virtual machine logs provide an essential window into system health, resource usage, and operational events. Key hypervisor platforms provide logging – like vSphere’s ESXi daemon logs, Hyper-V’s administrator channels, VirtualBox’s system logs, and AWS EC2 CloudTrail events.

Checking log location documentation saves admins critical time during system outages or performance problems. Whether optimizing VM configurations or diagnosing host issues, access to log data delivers the actionable insights to resolve problems quickly and understand ongoing resource usage trends.

Frequently Asked Questions

Q: What key information is in VM logs?
A: VM logs record operations, events, and errors related to guest VM performance, host resource usage, networking, storage, authorization, system health metrics, uptime monitoring, and more.

Q: Where does vSphere store VM logs?
A: vSphere hypervisors (ESXi hosts) store logs in /var/log/ including hostd.log, vmkernel.log, and individual .log files for each guest VM. vCenter server aggregates logs for analysis.

Q: How long are VM logs retained in Hyper-V?
A: Microsoft Hyper-V typically stores logs for 7 days by default, but this can be customized to retain event data for longer periods.

Q: What troubleshooting insights does VirtualBox logging provide?
A: The VirtualBox system log VBox.log shows host resource allocation/usage, device attachments, VM configuration changes, crashes and stops. Per-VM logs record detailed guest events.

Q: Where does AWS EC2 store cloud instance logs?
A: AWS EC2 instances write logs to /var/log/ internally. CloudWatch Logs and CloudTrail record EC2 operations, performance, resource usage, system events, user actions and API calls externally.

Q: What tools analyze VM logs?
A: Log analysis tools like vRealize Log Insight (vSphere), CloudWatch Logs Insights (AWS), and Microsoft Log Analytics provide search queries, dashboards and alerts from VM log data.

Q: How quickly can new log files be searched?
A: Solutions like vRealize Log Insight and CloudWatch Logs provide real-time streaming of log data, so the latest events can be searched within seconds. Historical data is also available for trend analysis.

Q: What security insights do VM logs provide?
A: Authentication events, access logs, system calls, vmconfig file changes and network traffic logs allow analysis of VM vulnerabilities, exploits, policy violations and malware activity.

Q: How long should VM logs be retained?
A: Most organizations keep 7 days to a month of VM logs online for immediate analysis, and retain 1-2 years of compressed log history longer term for compliance, forensics and trend analysis.

Q: What compliance regulations cover VM logging?
A: HIPAA, PCI DSS, SOX, SEC 17a-4(f), and data privacy regulations have data retention and auditing standards that require historical VM infrastructure logging.

Q: Where are Windows event logs located on Hyper-V?
A: On Hyper-V Server, Windows event logs are stored in the C:\Windows\System32\winevt\Logs\ folder including admin, operator and analytic log channels.

Q: How can I monitor real-time VirtualBox logs?
A: On Linux/macOS, use the Unix tail command, for example tail -f "/Users/{user}/VirtualBox VMs/VBox.log", to stream live VirtualBox log data to the terminal.

Q: What EC2 instance logs show application errors?
A: Application stderr/stdout logs are sent to /var/log/messages. The /var/log/cloud-init-output.log captures cloud-init application failures during EC2 instance provisioning.

Q: Can you search log data across VMs?
A: Yes, aggregator tools like vRealize Log Insight, Elastic Stack, Splunk and Azure Monitor enable data queries across hosts, VMs and cloud instances based on timestamps, keywords and correlation analysis.

Q: How long does AWS CloudTrail retain activity logs?
A: AWS CloudTrail retains log event data for 90 days in the CloudTrail console for search/analysis. For longer term access, export data to S3 bucket storage.

Q: Can you customize vSphere ESXi logging?
A: Yes, vSphere ESXi allows granular configuration of log settings, sizes and rotations through Advanced System Logging in the vSphere GUI or ESX CLI.

Q: What are best practices for VM log management?
A: Set proper log rotations, forward logs to storage/analysis tools, monitor capacity, establish data retention policies, and validate log integrity with hashing or blockchain-based approaches.
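One way to validate log integrity with hashing, shown as an added example that is not part of the original article: each collected log gets a SHA-256 digest, and the digests are chained into a single head value that is stored somewhere the VM host cannot rewrite. The log contents and the separate storage of the head are assumptions for illustration.

```python
import hashlib
import hmac

GENESIS = "0" * 64  # seed for the first link in the chain

# Constructed log contents; the file names are the ones this article mentions.
SAMPLE_LOGS = [
    ("hostd.log", b"2024-01-05T10:00:01Z info hostd: user login failed\n"),
    ("vmkernel.log", b"2024-01-05T10:00:02Z cpu0: boot complete\n"),
    ("vpxd.log", b"2024-01-05T10:00:03Z info vpxd: task started\n"),
]

def chain_head(manifest):
    """Fold every entry into one hash; dropping, editing or reordering entries changes it."""
    prev = GENESIS
    for entry in manifest:
        link = f"{prev}:{entry['name']}:{entry['sha256']}".encode()
        prev = hashlib.sha256(link).hexdigest()
    return prev

def build_manifest(logs):
    """logs: ordered (name, bytes) pairs. Returns (manifest, head)."""
    manifest = [{"name": name, "sha256": hashlib.sha256(data).hexdigest()}
                for name, data in logs]
    return manifest, chain_head(manifest)

def verify(logs, manifest, trusted_head):
    """Return a list of problems; an empty list means logs and manifest are intact."""
    problems = []
    # The head is the trust anchor: it detects a manifest edited to hide tampering.
    if not hmac.compare_digest(chain_head(manifest), trusted_head):
        problems.append("manifest: chain head mismatch")
    current = dict(logs)
    for entry in manifest:
        data = current.get(entry["name"])
        if data is None:
            problems.append(f"{entry['name']}: missing")
        elif hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"{entry['name']}: modified")
    return problems

if __name__ == "__main__":
    manifest, head = build_manifest(SAMPLE_LOGS)
    print("head:", head)
    print("problems:", verify(SAMPLE_LOGS, manifest, head))
```

The check is only as strong as the protection on the head value, so keep it off the host whose logs it covers.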
