VMware ESXi Syslog Errors – ‘System logs on host {host-name} are stored on non-persistent storage.’

KB ID 0000456 

Problem

Syslog Error Seen on ESXi 6.0 and 6.5

System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5.1

Error Configuration Issues System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5

Error Configuration Issues System logging is not configured on host {host-name}.

Syslog Error Seen on ESXi 4

Error Configuration Issues Issue detected on {host-name}: Warning: Syslog not configured. Please check Syslog options under Configuration.Software.Advanced Settings.

Solution

Seen on ESXi hosts that boot from an internal SD card (or USB drive). ESXi expects some persistent storage to keep its logs on, and SD/USB boot media does not count.

To stop this error you need to give the host a persistent location for the logs. That location is set up as follows:

ESXi (Post Version 6) Setting a Syslog Location

First, create a folder on some shared storage to save your logs into. Below you can see my datastore name is [iSCSI-RAID5-SAS], and I've created a folder called ‘Logs’.

Select the host with the error > Configure > Advanced System Settings > Type ‘Global’ in the search criteria > Locate Syslog.Global.LogDir > Select it > Edit.

Once again, search for Global and change the location to [DATASTORE-NAME]Logs\HOST-NAME > OK.

The error should cease immediately, without the need to restart anything.

ESXi (Pre Version 6) Setting a Syslog Location

With an ESXi host selected, Configuration > Advanced Settings > Syslog > Syslog.global.logDir.

Here you have two options:

Option 1 Store the Syslogs on the SD Card

Note: If you have built the ESXi server from a manufacturer's ESXi DVD (the HP build for example) there may not be enough room on the SD card for the logs.

In the example below, I've got an ESXi host that's running ESXi from a 4GB SD card, and I've put the syslog on there by using the default entry of:

[box][]/scratch/log[/box]

Click OK > After a couple of seconds the alert will disappear (without the need to reboot).

Option 2 Store the Syslogs on Local or Shared Storage.

ESXi 5 Putting the syslog onto a DataStore

With an ESXi host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder LOGS > OK.

Note: In this example I'm storing the syslog on local storage (on the ESXi host). If you have shared storage, i.e. a SAN or NAS, I suggest you create a sub-folder for each ESXi host within the LOGS directory and set the path on each host accordingly, so that hosts never write to the same log directory. This will take effect without a reboot and the error should cease.

ESXi 4 Putting the syslog onto a DataStore

In this case I created a syslog area on one of the shared data stores.

With an ESX host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder syslog > OK.

Then select Advanced Settings > Syslog > Enter a value in the following format:

[datastore]/syslog/hostname.log

e.g. [Volume 3]/syslog/esx2.log

Click OK; you should not need to reboot, and the error should cease straight away.

Related Articles, References, Credits, or External Links

Original Article Written 22/11/12

Cisco ASA No Debug Output?

KB ID 0001477

Problem

I see this get asked in forums A LOT. Typically the poster has another problem they are trying to fix, someone has asked them to debug the problem, and they can't see any debug output.

Solution

Firstly you need to understand what logging is, and how debugging fits within it. (Bear with me, this is good knowledge to have).

The firewall saves logs in syslog format, and there are eight severity levels; the one with the MOST information is called ‘debugging’ (severity 7 in syslog terms):

  • 0=Emergencies
  • 1=Alert
  • 2=Critical
  • 3=Errors
  • 4=Warnings
  • 5=Notifications
  • 6=Informational
  • 7=Debugging

So if you are debugging, all you are doing is looking at syslog output that's severity 7. The ASA can send these logs to an internal memory buffer, to an external syslog server, or to the screen: either the console (via rollover cable) or the monitor (an SSH/Telnet session, or what router people call the virtual terminal lines).

Fine but I cant see anything doofus, that’s why I’m here!

OK, now that you understand how it all works, you should see, when you look at the commands, why it wasn't working!

Issue a ‘show log’ command:

What does this tell us? Well, most importantly it tells us logging is ON.

[box]Syslog logging: enabled[/box]

If it were disabled then you turn it on with:

[box]logging on[/box]

The next piece of pertinent information is:

[box]Timestamp Logging: Disabled[/box]

While not critical, logs are much easier to interpret when they are stamped with the correct time! I'm in the UK so these are the commands I would use (Note: I'm enabling NTP time sync, which can take a while to synchronise):

[box]
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
ntp server 130.88.203.12 source outside
!
logging timestamp
[/box]

Sending Debug Output to the Screen

As mentioned above, you can send output to the console or the monitor:

Send Debug to SSH/Telnet Session

[box]logging monitor debugging
terminal monitor[/box]

Note: To disable, the command is ‘terminal no monitor’, NOT ‘no terminal monitor’ (Thanks Cisco!)

Sending Debug Output to the Console (Serial Connection)

Send Debug to the Console Session

[box]logging console debugging[/box]

Note: To stop it, set it back to ‘warnings’ (the default).

[box]logging console warnings[/box]

Sending Debug Output to the Internal Log (Buffer)

This is easier, as you can filter the results for particular IP addresses/ports/usernames etc., which is handy if there are pages and pages to look through, and they are not scrolling past you faster than you can read them!

[box]
logging buffered debug
logging buffer-size 1000000
[/box]

Then to view the log buffer:

[box]show log[/box]

To clear the log:

[box]clear logging buffer[/box]

To turn off:

[box]no logging buffered debug[/box]

To filter/search the logs:

[box]show log | include 192.168.100.1[/box]
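The severity table above and the ‘show log | include’ filter are the same idea applied by hand: every ASA syslog line carries its severity in the ‘%ASA-<severity>-<message id>’ prefix, so a buffer set to ‘debugging’ keeps everything from 0 to 7, and ‘include’ is a plain substring match over the text. The following Python is an added example (not from the original article, and not a Cisco tool) that parses lines in that format, filters by severity threshold and by substring, and shows the one caveat a substring search has: ‘include 192.168.100.1’ also matches 192.168.100.10. The sample log lines are constructed for illustration; the addresses and timestamps are made up.

```python
"""Parse Cisco ASA syslog lines and filter them the way 'logging buffered <level>'
and 'show log | include <text>' do. Added example, not the article's own code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

# Severity levels exactly as listed in the article (0 = most urgent, 7 = most verbose).
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}
NAME_TO_LEVEL = {name: level for level, name in SEVERITY_NAMES.items()}

# Optional 'Mon DD YYYY HH:MM:SS:' timestamp (what 'logging timestamp' adds),
# then the %ASA-<severity>-<6 digit message id>: <text> prefix.
LINE_RE = re.compile(
    r"^(?:(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}):?\s+)?"
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)


@dataclass
class AsaEvent:
    timestamp: Optional[str]
    severity: int
    msgid: str
    text: str

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]


def parse_line(line: str) -> Optional[AsaEvent]:
    """Return an AsaEvent for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AsaEvent(m.group("ts"), int(m.group("sev")), m.group("msgid"), m.group("text"))


def parse_log(lines: Iterable[str]) -> List[AsaEvent]:
    """Parse a whole buffer, silently skipping lines that are not syslog records."""
    return [ev for ev in (parse_line(line) for line in lines) if ev is not None]


def at_level(events: List[AsaEvent], level: Union[int, str]) -> List[AsaEvent]:
    """Keep events the ASA would log at 'logging buffered <level>': severity <= level.
    'warnings' keeps 0-4, 'debugging' keeps 0-7."""
    if isinstance(level, str):
        level = NAME_TO_LEVEL[level]
    return [ev for ev in events if ev.severity <= level]


def include(events: List[AsaEvent], needle: str) -> List[AsaEvent]:
    """Equivalent of 'show log | include <needle>': a plain substring match."""
    return [ev for ev in events if needle in ev.text]


def include_host(events: List[AsaEvent], ip: str) -> List[AsaEvent]:
    """Match an IP as a whole address, so 192.168.100.1 does not also hit 192.168.100.10."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [ev for ev in events if pattern.search(ev.text)]


# Constructed sample buffer: realistic message formats, made-up addresses and times.
SAMPLE_LOG = """\
Nov 22 2012 10:15:01: %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.100.1/51000 (198.51.100.2/51000)
Nov 22 2012 10:15:02: %ASA-7-609001: Built local-host inside:192.168.100.1
Nov 22 2012 10:15:03: %ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:192.168.100.7/161 by access-group "inbound"
Nov 22 2012 10:15:04: %ASA-7-710005: UDP request discarded from 203.0.113.9/161 to outside:198.51.100.2/161
Nov 22 2012 10:15:05: %ASA-3-313001: Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside
Nov 22 2012 10:15:06: %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/443 to inside:192.168.100.10/51001 duration 0:00:05 bytes 1234 TCP FINs
this line is not a syslog record and is skipped
"""


def demo() -> dict:
    """Summarise the sample buffer; returned so the numbers can be checked."""
    events = parse_log(SAMPLE_LOG.splitlines())
    return {
        "records": len(events),
        "kept_at_warnings": len(at_level(events, "warnings")),
        "kept_at_debugging": len(at_level(events, "debugging")),
        "include_substring": len(include(events, "192.168.100.1")),
        "include_host": len(include_host(events, "192.168.100.1")),
    }


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG.splitlines()):
        print(f"{ev.severity} ({ev.severity_name:<13}) {ev.msgid} {ev.text[:60]}")
    print(demo())
```

With the buffer at ‘warnings’ (the console default) only the severity 3 and 4 records survive, which is why a debug session shows nothing until the level is raised to ‘debugging’. The substring filter returns three records for 192.168.100.1 because the 192.168.100.10 teardown also contains that string; the whole-address match returns two.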

Related Articles, References, Credits, or External Links

NA

Configure Your Firewall for SNMP

KB ID 0001034 

Problem

Had a requirement to let SNMP traffic through a firewall this week. I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (see below), but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open.

Inbound Ports

Outbound Ports

Solution

As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.

1. Connect to the firewall and proceed to global configuration mode.

[box]User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#[/box]

2. Assuming my inside interface is called ‘inside’, allow the traffic outbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside[/box]

3. Assuming my outside interface is called ‘outside’, allow the traffic inbound, then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box]Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 161
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside[/box]

Note: Simply allowing ICMP will not permit ‘ping’; see the following article:

Cisco Firewalls and PING

4. Save the changes.

[box]Petes-ASA(config)# write memory
Building configuration…
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#[/box]
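Before committing ACLs like the ones in steps 2 and 3, it is worth checking exactly which flows they cover, because an ASA access list is evaluated top down with an implicit deny at the end. The Python below is an added example (not from the original article, and not a Cisco tool) that parses the page's four ‘access-list … host … host … [eq port]’ lines straight from the prompt output and evaluates candidate flows against them. Running the page's ACLs through it confirms the SNMP poll on UDP 161 and ICMP are permitted, and also shows that SNMP traps on UDP 162 and syslog on UDP 514 (both mentioned on this page) would each need their own entry. The matcher handles only the ‘host’ form used here, not networks, port ranges or object groups.

```python
"""Parse ASA 'access-list' lines and evaluate flows against them.
Added example, not the article's own code; models only the 'host ... host ... [eq port]'
form used on the page, plus the ASA's implicit deny at the end of every list."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# access-list <name> permit|deny <proto> host <src> host <dst> [eq <port>]
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>ip|udp|tcp|icmp)\s+"
    r"host\s+(?P<src>[\d.]+)\s+host\s+(?P<dst>[\d.]+)(?:\s+eq\s+(?P<port>\d+))?\s*$"
)
PROMPT_RE = re.compile(r"^\S+\(config\)#\s*")  # strips e.g. 'Petes-ASA(config)# '


@dataclass
class Ace:
    name: str
    action: str
    proto: str
    src: str
    dst: str
    dport: Optional[int]

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int] = None) -> bool:
        """'ip' matches any protocol; a missing 'eq' matches any destination port."""
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.src != src or self.dst != dst:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def parse_acl(config_text: str) -> Dict[str, List[Ace]]:
    """Group ACEs by access-list name, keeping the order they were entered in."""
    acls: Dict[str, List[Ace]] = {}
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        m = ACE_RE.match(line)
        if not m:
            continue  # not an ACE we model (access-group lines, prompts, blanks)
        port = int(m.group("port")) if m.group("port") else None
        ace = Ace(m.group("name"), m.group("action"), m.group("proto"),
                  m.group("src"), m.group("dst"), port)
        acls.setdefault(ace.name, []).append(ace)
    return acls


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """First matching ACE decides; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(proto, src, dst, dport):
            return ace.action
    return "deny"


# The two ACLs exactly as typed in steps 2 and 3 of the article.
ARTICLE_CONFIG = """
Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside
Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 161
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside
"""


def check_snmp_flows() -> Dict[str, str]:
    """Evaluate the flows a monitoring setup like the article's actually generates."""
    acls = parse_acl(ARTICLE_CONFIG)
    out, inb = acls["outbound"], acls["inbound"]
    return {
        "snmp poll udp/161 outbound": evaluate(out, "udp", "192.168.1.100", "172.16.1.10", 161),
        "ping outbound": evaluate(out, "icmp", "192.168.1.100", "172.16.1.10"),
        "snmp trap udp/162 inbound": evaluate(inb, "udp", "172.16.1.10", "192.168.1.100", 162),
        "syslog udp/514 inbound": evaluate(inb, "udp", "172.16.1.10", "192.168.1.100", 514),
        "snmp poll from another inside host": evaluate(out, "udp", "192.168.1.200", "172.16.1.10", 161),
    }


if __name__ == "__main__":
    for flow, verdict in check_snmp_flows().items():
        print(f"{verdict:<6} {flow}")
```

The last two ‘deny’ results are the implicit deny at work: nothing in the page's lists mentions UDP 162, UDP 514 or a second monitoring host, so those flows are dropped and would show up as %ASA-4-106023 deny messages in the log buffer.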

Also

You may want to open UDP 514 (syslog) from the device to the monitoring server, assuming you have configured syslog on the monitored device. If the monitored device cannot communicate, make sure it's not using DNS to resolve the monitoring server (if so, you may also need to open UDP 53 to a DNS server).

Related Articles, References, Credits, or External Links

NA