I got a problem with Syslog traffic from vmware ESXi hosts.


Guido Steiner

Dec 3, 2014, 2:46:35 AM
to flu...@googlegroups.com
Hello all,

I installed fluentd as documented in this guide here.



It's working great so far with Linux, Cisco and BSD, but I have an issue with logs from ESXi hosts.

I see the traffic in td-agent.log when I turn on stdout logging, but the traffic doesn't show up in Kibana. And it really should show up, because it's an awful lot that ESXi is sending to syslog.

What I already found out is that syslog messages from ESX are in UTC time. I corrected that with an entry in my rsyslog so that the time gets rewritten. But I still see all the other syslog messages from other hosts, but not from VMware ESX.


Here is the output from td-agent.log:

2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL805","ident":"Vpxa","message":"[62F7DB90 verbose 'vpxavpxaInvtVm' opID=WFU-b4d326b3] [VpxaInvtVmChangeListener] Guest DiskInfo Changed"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL805","ident":"Vpxa","message":"[62F7DB90 verbose 'VpxaHalCnxHostagent' opID=WFU-b4d326b3] [WaitForUpdatesDone] Starting next WaitForUpdates() call to hostd"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL805","ident":"Vpxa","message":"[62F7DB90 verbose 'VpxaHalCnxHostagent' opID=WFU-b4d326b3] [WaitForUpdatesDone] Completed callback"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[2F51CB90 verbose 'SoapAdapter.HTTPService.HttpConnection'] User agent is 'VMware-client/5.1.0'"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 info 'commonvpxLro' opID=388784ae-31] [VpxLRO] -- BEGIN task-internal-2828899 --  -- vpxapi.VpxaService.queryBatchPerformanceStatistics -- bedc7092-990b-0b57-7273-042089cdea97"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 verbose 'vpxavpxaMoService' opID=388784ae-31] Adding querySpec. Had=1, has=1"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 verbose 'vpxavpxaMoService' opID=388784ae-31] Adding querySpec. Had=1, has=1"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 verbose 'vpxavpxaMoService' opID=388784ae-31] Adding querySpec. Had=1, has=1"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 verbose 'vpxavpxaMoService' opID=388784ae-31] Adding querySpec. Had=1, has=1"}
2014-12-02 11:39:29 +0100 syslog.local4.info: {"host":"ESXBL905","ident":"Vpxa","message":"[FFE21B90 verbose 'vpxavpxaMoService' opID=388784ae-31] Adding querySpec. Had=1, has=1"}


It would be great if someone could help me with this issue.

Regards
Guido

Guido Steiner

Dec 3, 2014, 3:18:12 AM
to flu...@googlegroups.com
Strange, I see the traffic from ESXi when I set the time picker to 6 hours!!! Why do I not see the traffic in the 5 min view??

Guido Steiner

Dec 3, 2014, 3:21:49 AM
to flu...@googlegroups.com
Oh, looks like I found the problem.

I corrected the time from the syslog in rsyslog, but the time forwarded to fluentd is not corrected. This time is in the past.


How can I change the timestamp in fluentd??


On Wednesday, 3 December 2014 08:46:35 UTC+1, Guido Steiner wrote:

Mr. Fiber

Dec 3, 2014, 6:04:17 AM
to flu...@googlegroups.com
Hmm... fluentd parses a time and converts it to epoch internally.
How about changing the timezone setting in the Kibana panel?
I'm not a Kibana user, but I saw such a configuration before.

Or set a time string with timezone in the @timestamp field before fluent-plugin-elasticsearch.
If a record has an @timestamp field, the Elasticsearch plugin keeps that field.



Masahiro

--
You received this message because you are subscribed to the Google Groups "Fluentd Google Group" group.

Guido Steiner

Dec 3, 2014, 6:20:39 AM
to flu...@googlegroups.com
Do you have an example of how this is done?

Or set a time string with timezone in the @timestamp field before fluent-plugin-elasticsearch.
If a record has an @timestamp field, the Elasticsearch plugin keeps that field.

Changing the timezone would not help, since the other servers send the time in CET and not UTC.
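The effect discussed in this thread, as an added example that is not code from any of the posters or from the fluentd project: an RFC 3164 syslog timestamp carries no zone, so a collector running in CET parses a UTC stamp from an ESXi host one hour too early, which is why the events fall outside a 5-minute Kibana window but appear in a 6-hour one. The snippet measures that skew and builds the zone-qualified @timestamp field that fluent-plugin-elasticsearch keeps if it is already present. The collector offset (+01:00), the year (2014), the sample stamp and the per-host zone table (ESXBL805 and ESXBL905 as UTC senders) are all assumptions constructed for the example.

```ruby
require 'time'

# Constructed sample input: the timestamp portion of a BSD-syslog (RFC 3164)
# line as an ESXi host emits it. ESXi stamps in UTC, but the format carries
# no zone, so the receiver has to assume one.
ESXI_STAMP = 'Dec  2 10:39:29'.freeze   # 10:39:29 UTC == 11:39:29 CET
COLLECTOR_OFFSET = '+01:00'.freeze      # assumption: td-agent host runs in CET
SOURCE_OFFSET    = '+00:00'.freeze      # ESXi hosts log in UTC

# Hypothetical per-host zone table: the hosts seen in the thread are UTC
# senders; any other host is taken to share the collector's zone.
SOURCE_OFFSETS = {
  'ESXBL805' => SOURCE_OFFSET,
  'ESXBL905' => SOURCE_OFFSET,
}.freeze

# Parse an RFC 3164 timestamp under an explicit UTC offset. The year is not
# part of the format either, so the caller supplies it (constructed: 2014).
def parse_syslog_time(stamp, offset, year: 2014)
  Time.strptime("#{year} #{stamp.squeeze(' ')} #{offset}", '%Y %b %e %H:%M:%S %z')
end

# How far off the event lands when the collector applies its own zone to a
# UTC stamp: a positive value means the parsed time sits that many seconds
# in the past relative to the real event time.
def skew_seconds(stamp)
  assumed_local = parse_syslog_time(stamp, COLLECTOR_OFFSET)
  actual_utc    = parse_syslog_time(stamp, SOURCE_OFFSET)
  actual_utc.to_i - assumed_local.to_i
end

# Attach an explicit, zone-qualified @timestamp to a record, choosing the
# offset by sending host. A record that already carries @timestamp is
# indexed with that value rather than with fluentd's zone-less event time.
def with_timestamp(record, stamp)
  offset = SOURCE_OFFSETS.fetch(record['host'], COLLECTOR_OFFSET)
  record.merge('@timestamp' => parse_syslog_time(stamp, offset).utc.iso8601(3))
end

if __FILE__ == $PROGRAM_NAME
  rec = { 'host' => 'ESXBL805', 'ident' => 'Vpxa', 'message' => 'Guest DiskInfo Changed' }
  puts "skew when the UTC stamp is read as CET: #{skew_seconds(ESXI_STAMP)} s"
  puts with_timestamp(rec, ESXI_STAMP).inspect
end
```

The same lookup-by-host logic is what a fluentd filter would do before the Elasticsearch output; the point is that the zone decision has to be made where the sending host is still known, because once the time has been reduced to an epoch the offset can no longer be recovered.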

Guido Steiner

Dec 3, 2014, 7:10:22 AM
to flu...@googlegroups.com
Phew, I fixed it!!!

Eureka

I put this into rsyslog:

$template myFormat,"<%pri%>%timegenerated:::mysql% %HOSTNAME% %syslogtag% %msg%\n"
*.* @127.0.0.1:42185;myFormat


On Wednesday, 3 December 2014 08:46:35 UTC+1, Guido Steiner wrote:

Mr. Fiber

Dec 4, 2014, 5:07:22 AM
to flu...@googlegroups.com
Ah, good to hear that.
We will organize timezone handling information when I have time.

