{"id":1779,"date":"2026-01-19T23:20:41","date_gmt":"2026-01-20T05:20:41","guid":{"rendered":"https:\/\/zewwy.ca\/?p=1779"},"modified":"2026-01-19T23:42:12","modified_gmt":"2026-01-20T05:42:12","slug":"vcenter-syslog-rsyslog","status":"publish","type":"post","link":"https:\/\/zewwy.ca\/index.php\/2026\/01\/19\/vcenter-syslog-rsyslog\/","title":{"rendered":"vCenter syslog\/rsyslog"},"content":{"rendered":"<p>So, in my previous post I discussed troubleshooting the wd in wdpath already exists log error. However, the root issue there may have been determined and resolved&#8230; but the question arises&#8230; do we need to ship that much logs?<\/p>\n<p>What are all these log files for?<\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"High%E2%80%91Level_Overview\"><\/span>High\u2011Level Overview<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>Every file listed is part of <strong>vCenter Server\u2019s syslog configuration<\/strong>. Each <code>vmware-services-*.conf<\/code> file tells the syslog collector which logs belong to which internal service. These logs fall into categories like:<\/p>\n<ul>\n<li><strong>UI \/ Client logs<\/strong><\/li>\n<li><strong>SSO &amp; Identity logs<\/strong><\/li>\n<li><strong>vCenter core services (vpxd, vmon, vapi, etc.)<\/strong><\/li>\n<li><strong>Database logs (Postgres, vtsdb)<\/strong><\/li>\n<li><strong>vSAN Health<\/strong><\/li>\n<li><strong>Networking (rhttpproxy, netdumper)<\/strong><\/li>\n<li><strong>Appliance management (applmgmt, cloudvm)<\/strong><\/li>\n<\/ul>\n<p>Below is a readable breakdown of what each group of log files does.<\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%98_Detailed_Breakdown_by_Service\"><\/span>\ud83d\udcd8 Detailed Breakdown by Service<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%8E%A8_vSphere_UI_HTML5_Client\"><\/span>\ud83c\udfa8 <strong>vSphere UI \/ HTML5 Client<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Files under <code>\/storage\/log\/vmware\/vsphere-ui\/logs\/<\/code><\/p>\n<p>These logs cover everything related to the vSphere Client (the HTML5 UI):<\/p>\n<div>\n<div>\n<table>\n<thead>\n<tr>\n<th>Log<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>vsphere_client_virgo.log<\/code><\/td>\n<td>Main UI application server (Virgo) log<\/td>\n<\/tr>\n<tr>\n<td><code>changelog.log<\/code><\/td>\n<td>UI plugin\/component change tracking<\/td>\n<\/tr>\n<tr>\n<td><code>dataservice.log<\/code><\/td>\n<td>Backend data service used by UI<\/td>\n<\/tr>\n<tr>\n<td><code>apigw.log<\/code><\/td>\n<td>API gateway for UI requests<\/td>\n<\/tr>\n<tr>\n<td><code>equinox.log<\/code><\/td>\n<td>OSGi framework logs<\/td>\n<\/tr>\n<tr>\n<td><code>eventlog.log<\/code><\/td>\n<td>UI event processing<\/td>\n<\/tr>\n<tr>\n<td><code>httpRequest.log<\/code><\/td>\n<td>HTTP request logs<\/td>\n<\/tr>\n<tr>\n<td><code>opid.log<\/code><\/td>\n<td>Operation IDs for tracing UI actions<\/td>\n<\/tr>\n<tr>\n<td><code>performanceAudit.log<\/code><\/td>\n<td>UI performance metrics<\/td>\n<\/tr>\n<tr>\n<td><code>plugin-medic.log<\/code><\/td>\n<td>Plugin health &amp; validation<\/td>\n<\/tr>\n<tr>\n<td><code>threadmonitor.log<\/code><\/td>\n<td>Thread health monitoring<\/td>\n<\/tr>\n<tr>\n<td><code>threadpools.log<\/code><\/td>\n<td>Thread pool usage<\/td>\n<\/tr>\n<tr>\n<td><code>vspheremessaging.log<\/code><\/td>\n<td>Messaging subsystem<\/td>\n<\/tr>\n<tr>\n<td><code>vsphere-ui-rpm.log<\/code><\/td>\n<td>UI package\/runtime logs<\/td>\n<\/tr>\n<tr>\n<td><code>vsphere-ui-runtime*<\/code><\/td>\n<td>Runtime stdout\/stderr<\/td>\n<\/tr>\n<tr>\n<td><code>access\/localhost_access_log.txt<\/code><\/td>\n<td>Web access logs<\/td>\n<\/tr>\n<tr>\n<td><code>vsphere-ui-gc*<\/code><\/td>\n<td>Java garbage collection<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%94%90_SSO_Identity_Services\"><\/span>\ud83d\udd10 <strong>SSO \/ Identity Services<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Files under <code>\/storage\/log\/vmware\/sso\/<\/code>, <code>\/storage\/log\/vmware\/vmdir\/<\/code>, <code>\/storage\/log\/vmware\/vmafd\/<\/code><\/p>\n<p>These logs relate to authentication, identity, certificates, and tokens:<\/p>\n<div>\n<div>\n<table>\n<thead>\n<tr>\n<th>Log<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code>activedirectoryservice.log<\/code><\/td>\n<td>AD integration<\/td>\n<\/tr>\n<tr>\n<td><code>lookupsvc-init.log<\/code><\/td>\n<td>Lookup service initialization<\/td>\n<\/tr>\n<tr>\n<td><code>openidconnect.log<\/code><\/td>\n<td>OIDC authentication<\/td>\n<\/tr>\n<tr>\n<td><code>ssoAdminServer.log<\/code><\/td>\n<td>SSO admin operations<\/td>\n<\/tr>\n<tr>\n<td><code>svcaccountmgmt.log<\/code><\/td>\n<td>Service account management<\/td>\n<\/tr>\n<tr>\n<td><code>tokenservice.log<\/code><\/td>\n<td>Token issuance<\/td>\n<\/tr>\n<tr>\n<td><code>sts-health-status.log.*<\/code><\/td>\n<td>STS health<\/td>\n<\/tr>\n<tr>\n<td><code>sts-runtime.log.*<\/code><\/td>\n<td>STS runtime<\/td>\n<\/tr>\n<tr>\n<td><code>gclogFile.*.current<\/code><\/td>\n<td>JVM GC<\/td>\n<\/tr>\n<tr>\n<td><code>tomcat\/localhost_access.log<\/code><\/td>\n<td>SSO Tomcat access<\/td>\n<\/tr>\n<tr>\n<td><code>vmdir\/*.log<\/code><\/td>\n<td>Directory service (LDAP-like)<\/td>\n<\/tr>\n<tr>\n<td><code>vmafd\/*.log<\/code><\/td>\n<td>Authentication framework<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%A9_vCenter_Core_Services\"><\/span>\ud83e\udde9 <strong>vCenter Core Services<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>vpxd (vCenter Server daemon)<\/strong><\/p>\n<p>These are commented out in your file, but normally include:<\/p>\n<ul>\n<li><code>vpxd.log<\/code> \u2014 main vCenter service log<\/li>\n<li><code>vpxd-profiler-*.log<\/code> \u2014 performance profiling<\/li>\n<\/ul>\n<p><strong>vmon<\/strong><\/p>\n<p>Manages service lifecycle:<\/p>\n<ul>\n<li><code>vmon.log<\/code><span style=\"font-size: 1rem;\"> \u2014 service manager log<\/span><\/li>\n<li><code>vmon-vapi-provider-0.log<\/code><span style=\"font-size: 1rem;\"> \u2014 VAPI provider logs<\/span><\/li>\n<\/ul>\n<p><strong>vapi<\/strong><\/p>\n<p>API endpoint logs:<\/p>\n<ul>\n<li><code>endpoint.log<\/code><span style=\"font-size: 1rem;\"> \u2014 main API endpoint<\/span><\/li>\n<li><code>endpoint-access.log<\/code><span style=\"font-size: 1rem;\"> \u2014 API access logs<\/span><\/li>\n<li><code>jetty.log<\/code><span style=\"font-size: 1rem;\"> \u2014 Jetty web server<\/span><\/li>\n<li><code>vcentershim.log<\/code><span style=\"font-size: 1rem;\"> \u2014 vCenter API shim<\/span><\/li>\n<li><code>vmodl2swagger.log<\/code><span style=\"font-size: 1rem;\"> \u2014 API schema conversion<\/span><\/li>\n<li><code>vmware-vapi-endpoint-gc.log.*<\/code><span style=\"font-size: 1rem;\"> \u2014 GC logs<\/span><\/li>\n<li><code>vmware-vapi-endpoint.std*<\/code> \u2014 stdout\/stderr<\/li>\n<\/ul>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%8A_Analytics_Telemetry\"><\/span>\ud83d\udcca <strong>Analytics \/ Telemetry<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><code>analytics.log<\/code><span style=\"color: #c8c3bc; font-size: 1rem; --darkreader-inline-color: var(--darkreader-text-c8c3bc, #c2bcb4);\" data-darkreader-inline-color=\"\"> \u2014 analytics service<\/span><\/li>\n<li><code>analytics-runtime.log.std*<\/code><span style=\"color: #c8c3bc; font-size: 1rem; --darkreader-inline-color: var(--darkreader-text-c8c3bc, #c2bcb4);\" data-darkreader-inline-color=\"\"> \u2014 runtime logs<\/span><\/li>\n<\/ul>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%B1_vSAN_Health\"><\/span>\ud83e\uddf1 <strong>vSAN Health<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><code>vmware-vsan-health-service.log<\/code> \u2014 main vSAN health service<\/li>\n<li><code>vmware-vsan-health-runtime.log.*<\/code><span style=\"font-size: 1rem;\"> \u2014 runtime logs<\/span><\/li>\n<li><code>vsanvcmgmtd-*.log<\/code> \u2014 vSAN cluster mgmt<\/li>\n<\/ul>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%97%84%EF%B8%8F_Database_Services\"><\/span>\ud83d\uddc4\ufe0f <strong>Database Services<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Postgres (vPostgres)<\/strong><code><\/code><\/p>\n<ul>\n<li><code>serverlog.std*<\/code> \u2014 main DB log<\/li>\n<li><code>postgresql-*.log<\/code><span style=\"font-size: 1rem;\"> \u2014 DB engine<\/span><\/li>\n<\/ul>\n<p><span style=\"font-size: 1rem;\"><strong>logsvtsdb<\/strong><br \/>\n<\/span><\/p>\n<ul>\n<li><span style=\"font-size: 1rem;\">vtsdb-runtime.log.std*<br \/>\n<\/span><\/li>\n<li><span style=\"font-size: 1rem;\">runtime\u00a0 postgresql-*.log \u2014 DB logs<\/span><\/li>\n<\/ul>\n<p><strong>Postgres Archiver<\/strong><\/p>\n<ul>\n<li><code>pg_archiver.log.std*<\/code> \u2014 WAL archiving<\/li>\n<\/ul>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%94%A7_Lifecycle_Manager_vLCM\"><\/span>\ud83d\udd27 Lifecycle Manager (vLCM)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>lcm_common.log \u2014 core LCM operations<\/li>\n<li>task_executor.log \u2014 task execution<\/li>\n<li>twisted_server.log \u2014 Python-based server<\/li>\n<li>vlcm_db.log \u2014 LCM database<\/li>\n<li>vlcm-runtime.log.* \u2014 runtime logs<\/li>\n<\/ul>\n<div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%AA_vSphere_ESX_Agent_Manager_EAM\"><\/span>\ud83e\uddea vSphere ESX Agent Manager (EAM)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>eam.log \u2014 main EAM service<\/li>\n<li>web\/*.log \u2014 Tomcat logs<\/li>\n<li>jvm.log.* \u2014 JVM logs<\/li>\n<li>eam_firstboot.py*.log \u2014 first boot<\/li>\n<\/ul>\n<\/div>\n<div>\n<p>The EAM log refers to the log files generated by the VMware ESX Agent Manager (EAM) service.<br \/>\nEAM is a core vCenter component responsible for deploying and managing ESX agents, which are small helper VMs or services used by features such as:<\/p>\n<p>vSphere Lifecycle Manager (vLCM)<br \/>\nvSphere Storage I\/O Control<br \/>\nvSphere Network I\/O Control<br \/>\nvSAN \/ vCLS agents<br \/>\nThird\u2011party extensions that deploy agents to ESXi hosts<\/p>\n<p>Search results confirm that EAM logs live in \/var\/log\/vmware\/eam\/ and are used for diagnostics and troubleshooting.<\/p>\n<p style=\"text-align: center;\">\ud83d\udcd8 What EAM logs contain<\/p>\n<p>1. eam.log \u2014 Main service log<br \/>\nThis is the primary log file for the ESX Agent Manager.<\/p>\n<p>It records:<\/p>\n<p>Service startup and shutdown<br \/>\nAgent deployment and lifecycle events<br \/>\nCommunication with vCenter and ESXi hosts<br \/>\nPlugin\/extension registration<br \/>\nErrors when EAM cannot deploy or manage agents<br \/>\nFailures related to vCLS or vSAN agent VMs<br \/>\nSearch results show examples of EAM startup failures and configuration errors logged in eam.log.<\/p>\n<p>2. Web access logs (web\/localhost_access.log)<br \/>\nThese track:<\/p>\n<p>HTTP requests to the EAM web service<br \/>\nMOB (Managed Object Browser) access<br \/>\nAPI calls from vCenter or extensions<br \/>\nMentioned in STIG guidance for EAM logging.<\/p>\n<p>3. JVM logs (jvm.log, wrapper.log)<br \/>\nThese capture:<\/p>\n<p>Java runtime errors<br \/>\nMemory issues<br \/>\nCrashes or fatal exceptions<br \/>\nExamples of JVM startup failures appear in VMware KB articles<\/p>\n<\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%8C%90_Networking_Proxy_Services\"><\/span>\ud83c\udf10 <strong>Networking &amp; Proxy Services<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>rhttpproxy<\/strong><\/p>\n<ul>\n<li><code>rhttpproxy-*.log<\/code> \u2014 reverse proxy logs<\/li>\n<\/ul>\n<p><strong>netdumper<\/strong><\/p>\n<ul>\n<li><code>netdumer.log<\/code> \u2014 ESXi dump collector<\/li>\n<li><code>webserver.log<\/code> \u2014 web interface<\/li>\n<\/ul>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%B0_Content_Library\"><\/span>\ud83e\uddf0 <strong>Content Library<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><code>cls.log<\/code> \u2014 content library service<\/li>\n<\/ul>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%93%88_Perfcharts\"><\/span>\ud83d\udcc8 Perfcharts<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>stats.log \u2014 performance charts<\/p>\n<ul>\n<li>localhost_access_log.txt \u2014 access logs<\/li>\n<li>vmware-perfcharts-gc.log.* \u2014 GC logs<\/li>\n<li>vmware-perfcharts-runtime.log.std* \u2014 runtime<\/li>\n<\/ul>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%AD_Lookup_Service\"><\/span>\ud83e\udded Lookup Service<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>lookupserver-default.log \u2014 main lookup service<\/li>\n<li>lookupServer.log \u2014 operations<\/li>\n<li>lookupsvc_stream.log.std* \u2014 runtime<\/li>\n<li>vmware-lookupservice-perf.log \u2014 performance<\/li>\n<li>vmware-lookupsvc-gc.log.* \u2014 GC<\/li>\n<\/ul>\n<h3 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%A9_vpxd-svcs_vCenter_Support_Services\"><\/span>\ud83e\udde9 vpxd-svcs (vCenter Support Services)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li>vpxd-svcs.log \u2014 main<\/li>\n<li>authz-event.log \u2014 authorization events<\/li>\n<li>startup-error.log \u2014 startup failures<\/li>\n<li>vpxd-svcs-access*.log \u2014 access logs<\/li>\n<li>vpxd-svcs-runtime.log.* \u2014 runtime<\/li>\n<li>perf.log \u2014 performance<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A1%EF%B8%8F_Trust_Management\"><\/span>\ud83d\udee1\ufe0f Trust Management<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li>trustmanagement-runtime.log.std* \u2014 runtime<\/li>\n<li>trustmanagement-svcs.log \u2014 trust services<\/li>\n<li>vmware-trustmanagement-gc.log.* \u2014 GC<\/li>\n<\/ul>\n<p style=\"text-align: center;\">\ud83d\udd10 Trust Management Service \u2014 Tight Summary<\/p>\n<p style=\"text-align: left;\">Trustmanagement is a core vCenter service that maintains the trust relationships between all internal components. It ensures that certificates, tokens, and service\u2011to\u2011service authentication are valid and secure.<\/p>\n<p>What it handles:<\/p>\n<p>Certificate chain validation<br \/>\nTrust checks between vCenter services<br \/>\nToken verification (STS\/SSO)<br \/>\nSecurity posture and compliance signals<\/p>\n<p>What its logs show:<\/p>\n<p>Certificate or trust failures<br \/>\nService registration\/authentication issues<br \/>\nToken validation errors<br \/>\nStartup\/shutdown and internal health<\/p>\n<p>Why it matters:<br \/>\nIf trustmanagement breaks, you may see:<\/p>\n<p>vCenter login failures<br \/>\nSTS token errors<br \/>\nCertificate replacement problems<br \/>\nServices stuck in \u201cNot Running\u201d<br \/>\nUpgrade failures due to trust issues<\/p>\n<p>What it does NOT do:<\/p>\n<p>Track user logins<br \/>\nRecord user actions<br \/>\nProvide audit logs<\/p>\n<p>It\u2019s purely about internal vCenter security plumbing, not end\u2011user activity.<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%A9_Pod_Service\"><\/span>\ud83e\udde9 <strong>Pod Service<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><code>pod-service.log<\/code> \u2014 pod mgmt<\/li>\n<li><code>pod-console.log<\/code> \u2014 console<\/li>\n<li><code>pod-startup.log<\/code> \u2014 startup<\/li>\n<li><code>pod-install*.log<\/code> \u2014 install<\/li>\n<li><code>pod-update*.log<\/code> \u2014 updates<\/li>\n<\/ul>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%B0_Appliance_Management_VAMI\"><\/span>\ud83e\uddf0 <strong>Appliance Management (VAMI)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Files under <code>\/storage\/log\/vmware\/applmgmt\/<\/code> covers:<\/p>\n<ul>\n<li>VAMI web UI<\/li>\n<li>Backup\/restore<\/li>\n<li>Firewall reload<\/li>\n<li>Stats monitor<\/li>\n<li>PNID changes<\/li>\n<li>Lighttpd access\/error logs<\/li>\n<\/ul>\n<p style=\"text-align: center;\">\ud83d\udd0d What the Applmgmt Upgrade Service does<\/p>\n<p>It manages:<\/p>\n<p>VCSA upgrade workflows<br \/>\nPatch installation<br \/>\nPre\u2011upgrade checks<br \/>\nPost\u2011upgrade cleanup<br \/>\nVersion validation<br \/>\nUpgrade\u2011related service orchestration<\/p>\n<p>It\u2019s the engine behind the VAMI (port 5480) upgrade process.<\/p>\n<p style=\"text-align: center;\">\ud83d\udcc1 What logs this syslog config points to<\/p>\n<p>The file typically references logs such as:<\/p>\n<p>applmgmt-upgrade.log \u2014 main upgrade workflow log<br \/>\napplmgmt-upgrade-runtime.log.std* \u2014 stdout\/stderr<br \/>\napplmgmt-upgrade-gc.log.* \u2014 Java garbage collection<\/p>\n<p>These logs capture:<\/p>\n<p>Upgrade steps and progress<br \/>\nValidation checks<br \/>\nErrors during patching or upgrading<br \/>\nService restarts triggered by upgrades<br \/>\nJVM runtime behavior<\/p>\n<p style=\"text-align: center;\">\ud83e\udded When these logs matter<\/p>\n<p>You check these logs when:<\/p>\n<p>A VCSA upgrade fails<br \/>\nPatching stops mid\u2011process<br \/>\nPre\u2011upgrade checks report errors<br \/>\nThe VAMI UI shows upgrade failures<br \/>\nServices don\u2019t come back after an upgrade<\/p>\n<div><\/div>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%94%90_Certificate_Management\"><\/span>\ud83d\udd10 <strong>Certificate Management<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<ul>\n<li><code>certificatemanagement-runtime.log.std *<\/code><\/li>\n<li>\u00a0<code>certificatemanagement-svcs.log *<\/code><\/li>\n<li><code>vmware-certificatemanagement-gc.log.*<\/code><\/li>\n<\/ul>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%A9_SCA_Secure_Configuration_Assistant\"><\/span>\ud83e\udde9 SCA = Secure Configuration Assistant<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>A vCenter subsystem responsible for security posture checks, certificate validation, and secure configuration enforcement.<\/p>\n<p>It\u2019s part of the broader vCenter security framework that also includes:<\/p>\n<p>Certificate Management (certmgmt)<br \/>\nVMCA (VMware Certificate Authority)<br \/>\nSTS (Security Token Service)<br \/>\nPSC identity services (in older versions)<\/p>\n<p style=\"text-align: center;\">\ud83e\udde9 What SCA actually does<\/p>\n<p style=\"text-align: center;\">\ud83d\udee1\ufe0f 1. Security posture checks<\/p>\n<p style=\"text-align: center;\">It evaluates whether vCenter components are configured securely, including:<\/p>\n<p>TLS\/SSL settings<br \/>\nCertificate validity<br \/>\nService trust relationships<br \/>\nCryptographic compliance<\/p>\n<p style=\"text-align: center;\">\ud83d\udd0f 2. Certificate and trust validation<\/p>\n<p>It works closely with:<\/p>\n<p>VMCA<br \/>\ncertmgmt<br \/>\nSTS<\/p>\n<p>to ensure that:<\/p>\n<p>Certificates are valid<br \/>\nTrust chains are intact<br \/>\nServices can authenticate to each other<\/p>\n<p style=\"text-align: center;\">\ud83e\udded 3. Compliance reporting<\/p>\n<p>SCA feeds data into:<\/p>\n<p>vCenter security health checks<br \/>\nvSphere Client \u201cSecurity\u201d view<br \/>\nSome VAMI security status pages<\/p>\n<p style=\"text-align: center;\">\ud83d\udcc1 Where you see SCA in logs<\/p>\n<p>You\u2019ll typically find SCA logs under:<\/p>\n<p>Code<br \/>\n\/storage\/log\/vmware\/sca\/<br \/>\nCommon files include:<\/p>\n<p>sca.log \u2014 main service log<br \/>\nsca-runtime.log.std* \u2014 stdout\/stderr<br \/>\nsca-gc.log.* \u2014 Java garbage collection<\/p>\n<p>These logs show:<\/p>\n<p>Security scan results<br \/>\nCertificate validation failures<br \/>\nTrust chain issues<br \/>\nService authentication problems<br \/>\nStartup\/shutdown of the SCA service<\/p>\n<p style=\"text-align: center;\">\ud83e\udded When SCA logs matter<\/p>\n<p>You check SCA logs when:<\/p>\n<p>vCenter shows certificate warnings<br \/>\nServices fail to register due to trust issues<br \/>\nYou see \u201cvCenter is not secure\u201d alerts<br \/>\nSTS token problems appear<\/p>\n<p>vCenter upgrades fail due to certificate or trust chain issues<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%9B%A1%EF%B8%8F_File_Integrity_Service_%E2%80%94_Tight_Summary\"><\/span>\ud83d\udee1\ufe0f File Integrity Service \u2014 Tight Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The fileintegrity syslog config points to logs generated by vCenter\u2019s File Integrity Service, which monitors critical system files for unauthorized or unexpected changes.<\/p>\n<p>What it does<\/p>\n<ul>\n<li>Checks hashes of important vCenter files<\/li>\n<li>Detects tampering, corruption, or unexpected modifications<\/li>\n<li>Flags security\u2011relevant integrity issues<\/li>\n<\/ul>\n<p>What its logs contain<\/p>\n<ul>\n<li>Integrity scan results<\/li>\n<li>File change alerts<\/li>\n<li>Hash mismatches<\/li>\n<li>Service errors and startup info<\/li>\n<li>JVM runtime and memory behavior (via runtime + GC logs)<\/li>\n<\/ul>\n<p>Why it matters<\/p>\n<ul>\n<li>Helps detect compromise or corruption of vCenter<\/li>\n<li>Useful for SOC teams as security telemetry<\/li>\n<li>Not related to user activity or audit logging<\/li>\n<\/ul>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"%F0%9F%A7%B5_threadmonitorlog_%E2%80%94_Tight_Summary\"><\/span>\ud83e\uddf5 threadmonitor.log \u2014 Tight Summary<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>threadmonitor.log is part of the vSphere UI service (the HTML5 vSphere Client).<br \/>\nThis log tracks thread health and performance inside the UI service\u2019s Java application.<br \/>\nIt\u2019s essentially a watchdog that monitors whether internal threads are running normally or getting stuck.<\/p>\n<p style=\"text-align: center;\">\ud83d\udd0d What it records<\/p>\n<p>Thread stalls or deadlocks<br \/>\nLong\u2011running or hung operations<br \/>\nUI service performance issues<br \/>\nThread pool exhaustion<br \/>\nJava exceptions related to thread execution<br \/>\nInternal timing or responsiveness problems<\/p>\n<p>It\u2019s a diagnostic log for the vsphere-ui backend, not for user activity.<\/p>\n<p style=\"text-align: center;\">\ud83e\udded When this log matters<\/p>\n<p>You check threadmonitor.log when:<\/p>\n<p>The vSphere Client is slow or unresponsive<br \/>\nPages hang or fail to load<br \/>\nUI freezes during tasks<br \/>\nYou suspect backend thread starvation<br \/>\nThe vsphere-ui service crashes or restarts<\/p>\n<p>It\u2019s especially useful when troubleshooting UI performance issues.<\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Disable_Unwanted_Logs\"><\/span>Disable Unwanted Logs<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>This is obviously a balancing act between what you feel is needed to be forwarded, and what is not required depending on destination logging capabilities. Note comenting out these lines only stops the forwarding of the logs to the syslog destination, it does not stop the local logging of these services. That is out of scope of this blog post.<\/p>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vsphere-ui.conf<\/strong><\/em><\/p>\n<p>Disable all except:<br \/>\nFile=&#8221;\/storage\/log\/vmware\/vsphere-ui\/logs\/access\/localhost_access_log.txt&#8221;<\/p>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vmcad.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmcad.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-sso-services.conf<\/strong><\/em><\/p>\n<p>just these:<\/p>\n<div>\/storage\/log\/vmware\/sso\/sts-health-status.log.* \/storage\/log\/vmware\/sso\/sts-runtime.log.* \/storage\/log\/vmware\/sso\/gclogFile.*.current \/storage\/log\/vmware\/sso\/tomcat\/localhost_access.log<\/div>\n<div><\/div>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vsm.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/'\u00a0\/etc\/vmware-syslog\/vmware-services-vsm.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vpxd.conf<\/strong><\/em><\/p>\n<p><strong>KEEP<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>File=\"\/storage\/log\/vmware\/vpxd\/vpxd-*.log\"\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>There are a lot of vpxLRO logs generated by this, but there appears to no other granual controls at the source level (these rsyslog imfile config), so not sure about filtering these outside of transforms at the other syslog\/rsyslog\/lostash service that is receiving these logs.<\/p>\n<p><strong>DISABLE<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>File=\"\/storage\/log\/vmware\/vpxd\/vpxd-profiler-*.log\"<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-infraprofile-syslog.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-infraprofile-syslog.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vmware-postgres-archiver.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmware-postgres-archiver.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vsan-health.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vsan-health.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-envoy.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-envoy.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-sps.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-sps.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-analytics.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-analytics.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vcha.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vcha.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vmon.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmon.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vstats.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vstats.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-certmgmt.conf<\/strong><\/em><\/p>\n<p>Disable these if you don&#8217;t want to see the certificate management stuff, could be useful in certain situations, configure per your own needs. For my testing I will disable them for now.<\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-certmgmt.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-eam.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-eam.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vapi.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vapi.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vtsdb.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vtsdb.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-observability.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-observability.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-cloudvm.conf<\/strong><\/em><\/p>\n<pre>\/etc\/vmware-syslog\/vmware-services-cloudvm.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vlcm.conf<\/strong><\/em><\/p>\n<p>Lifecycle manager, if you need to log server update logs. I don&#8217;t for my case so I&#8217;ll disable them, this change is up to your needs<\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vlcm.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-pod.conf<\/strong><\/em><\/p>\n<p>Kubernetes, if you want to track that stuff. My case again, nope so I&#8217;ll disable them all. this will depend on your needs.<\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-pod.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-sca.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-sca.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-trustmanagement.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-trustmanagement.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-netdumper.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-netdumper.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vmware-vpostgres.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmware-vpostgres.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-updatemgr.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-updatemgr.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-fileintegrity.conf<\/strong><\/em><\/p>\n<p>Another subjective one to send or not&#8230;.For my test I&#8217;ll disable them<\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-fileintegrity.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-applmgmt-upgrade.conf<\/strong><\/em><\/p>\n<p>For my test I&#8217;ll disable these<\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-applmgmt-upgrade.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-content-library.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-content-library.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vpxd-svcs.conf<\/strong><\/em><\/p>\n<p>\u2714\ufe0f <strong>KEEP<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>\/storage\/log\/vmware\/vpxd-svcs\/authz-event.log\r\n\/storage\/log\/vmware\/vpxd-svcs\/vpxd-svcs-access*.log\r\n<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>\u274c <strong>DISABLE<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>\/storage\/log\/vmware\/vpxd-svcs\/vpxd-svcs.log\r\n\/storage\/log\/vmware\/vpxd-svcs\/startup-error.log\r\n\/storage\/log\/vmware\/vpxd-svcs\/vpxd-svcs-runtime.log.stdout\r\n\/storage\/log\/vmware\/vpxd-svcs\/vpxd-svcs-runtime.log.stderr\r\n\/storage\/log\/vmware\/vpxd-svcs\/perf.log<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vsphere-ui-imlegit.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vsphere-ui-imlegit.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-vdtc.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vdtc.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-cis-license.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-cis-license.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-perfcharts.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-perfcharts.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-applmgmt.conf<\/strong><\/em><\/p>\n<p>\u2705 <strong>KEEP<\/strong><\/p>\n<div>\n<div>\n<div>\n<pre><code>\/storage\/log\/vmware\/applmgmt\/applmgmt.log\r\n\/storage\/log\/vmware\/applmgmt-audit\/applmgmt-audit.log\r\n\/storage\/log\/vmware\/applmgmt-audit\/applmgmt-br-audit.log\r\n\/opt\/vmware\/var\/log\/lighttpd\/access.log\r\n\/opt\/vmware\/var\/log\/lighttpd\/error.log\r\n\/storage\/log\/vmware\/applmgmt\/vami.log\r\n\/storage\/log\/vmware\/applmgmt\/backup.log\r\n\/storage\/log\/vmware\/applmgmt\/restore.log\r\n\/storage\/log\/vmware\/applmgmt\/pnid_change.log<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p>\u274c <strong>DISABLE<\/strong><\/p>\n<div>\n<div class=\"rounded-b-xl bg-background-static-850 px-4 pb-1.5 dark:bg-background-static-900\">\n<div>\n<pre><code>\/storage\/log\/vmware\/applmgmt\/dcui.log\r\n\/storage\/log\/vmware\/applmgmt\/detwist.log\r\n\/storage\/log\/vmware\/applmgmt\/firewall-reload.log\r\n\/storage\/log\/vmware\/applmgmt\/applmgmt_vmonsvc.std*\r\n\/storage\/log\/vmware\/applmgmt\/backupSchedulerCron.log\r\n\/storage\/log\/vmware\/applmgmt\/progress.log\r\n\/storage\/log\/vmware\/applmgmt\/statsmoitor-alarms.log\r\n\/storage\/log\/vmware\/applmgmt\/StatsMonitor-*.log\r\n\/storage\/log\/vmware\/applmgmt\/StatsMonitorStartup.log.std*\r\n\/storage\/log\/vmware\/applmgmt\/PatchRunner.log\r\n\/storage\/log\/vmware\/applmgmt\/update_microservice.log\r\n\/storage\/log\/vmware\/applmgmt\/vcdb_pre_patch.*\r\n\/storage\/log\/vmware\/dnsmasq.log\r\n\/storage\/log\/vmware\/procstate\r\n\/storage\/log\/vmware\/applmgmt\/size.log\r\n\/storage\/log\/vmware\/applmgmt\/reconciliation.log<\/code><\/pre>\n<\/div>\n<\/div>\n<\/div>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-lookupsvc.conf<\/strong><\/em><\/p>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-lookupsvc.conf<\/pre>\n<p><em><strong>\/etc\/vmware-syslog\/vmware-services-rhttpproxy.conf<\/strong><\/em><\/p>\n<p>Keepin these.<\/p>\n<h2 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"TLDR\"><\/span>TLDR<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<pre>sed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-sps.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-analytics.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vcha.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmon.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vstats.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-certmgmt.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-eam.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vapi.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-observability.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-cloudvm.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vlcm.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-pod.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-trustmanagement.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vmware-vpostgres.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-updatemgr.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-fileintegrity.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-applmgmt-upgrade.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-sca.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-content-library.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-vdtc.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-cis-license.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-perfcharts.conf\r\nsed -i 's\/^\/#\/' \/etc\/vmware-syslog\/vmware-services-lookupsvc.conf<\/pre>\n<p>Testing looking at logs for a VM I created one, checked the logs, yup there it is.. delete it.. uhh where is it (searched by VM name)<\/p>\n<h1><span class=\"ez-toc-section\" id=\"%F0%9F%A7%A9_vCenter_VM_Creation_vs_Deletion_Log_Behavior_%E2%80%94_Summary\"><\/span>\ud83e\udde9 vCenter VM Creation vs. Deletion Log Behavior \u2014 Summary<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<h2><span class=\"ez-toc-section\" id=\"%E2%9C%85_VM_Creation_Always_logged_clearly_in_vpxdlog\"><\/span>\u2705 VM Creation; Always logged clearly in vpxd.log<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Always includes the VM name<\/p>\n<p>Easy to find by searching for the VM name<\/p>\n<p>Example:<\/p>\n<p>Code<br \/>\nCreateVM_Task: Creating VM &#8216;MyCustomVM&#8217;<\/p>\n<h2><span class=\"ez-toc-section\" id=\"%E2%9D%8C_VM_Deletion_Deletion_logs_are_not_symmetrical_with_creation_logs\"><\/span>\u274c VM Deletion; Deletion logs are not symmetrical with creation logs.<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Key facts:<br \/>\nDeletion logs often do NOT include the VM name<br \/>\nInstead, they use the MoRef ID (e.g., vm-1234)<br \/>\nSearching by VM name will NOT find the deletion<\/p>\n<p>The deletion may appear as:<br \/>\nvim.ManagedEntity.destroy<br \/>\nDestroy_Task<br \/>\nUnregister<br \/>\nRemove from inventory<\/p>\n<p>Example:<\/p>\n<p>vim.ManagedEntity.destroy invoked for vm-1234<\/p>\n<p>No name. That\u2019s why you didn\u2019t see it.<\/p>\n<p>\u2b50 Why the name is missing<\/p>\n<p>When vCenter deletes a VM:<br \/>\nIt removes the VM object from inventory<br \/>\nThen logs the destroy event<br \/>\nThe name is already gone, so the log can\u2019t include it<\/p>\n<p>This is normal (and frustrating) vCenter behavior.<\/p>\n<p>\ud83d\udd0d How to reliably find deletion events<\/p>\n<p>Use the MoRef ID, not the VM name.<br \/>\nGet the MoRef from the creation log:<\/p>\n<p>grep -Ri &#8220;vm-1234&#8221; \/storage\/log\/vmware\/vpxd\/<\/p>\n<p>You\u2019ll see the deletion entry immediately.<\/p>\n<h1 style=\"text-align: center;\"><span class=\"ez-toc-section\" id=\"Summary\"><\/span>Summary<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<p>What a royal PITA it is to manage sysloging on vCenter&#8230; :S<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, in my previous post I discussed troubleshooting the wd in wdpath already exists log error. However, the root issue there may have been determined and resolved&#8230; but the question arises&#8230; do we need to ship that much logs? What are all these log files for? High\u2011Level Overview Every file listed is part of vCenter &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/zewwy.ca\/index.php\/2026\/01\/19\/vcenter-syslog-rsyslog\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;vCenter syslog\/rsyslog&#8221;<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"sfsi_plus_gutenberg_text_before_share":"","sfsi_plus_gutenberg_show_text_before_share":"","sfsi_plus_gutenberg_icon_type":"","sfsi_plus_gutenberg_icon_alignemt":"","sfsi_plus_gutenburg_max_per_row":"","footnotes":""},"categories":[5,8],"tags":[316,493,494],"class_list":["post-1779","post","type-post","status-publish","format-standard","hentry","category-hypervisors","category-server-administration","tag-logging","tag-rsyslog","tag-syslog"],"_links":{"self":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1779","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/comments?post=1779"}],"version-history":[{"count":10,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1779\/revisions"}],"predecessor-version":[{"id":1791,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/posts\/1779\/revisions\/1791"}],"wp:attachment":[{"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/media?parent=1779"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/categories?post=1779"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zewwy.ca\/index.php\/wp-json\/wp\/v2\/tags?post=1779"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}