Can anyone tell me how I can send only the security logs (events) from ESXi 5.5 to our remote syslog server. I was able to configure the logging to send everything to our remote server but can't figure out how to only send the security logs. I need to log and preserve security events for audit purposes. This is the command I have used to send the syslog info to our remote loggers:
esxcli system syslog config set --default-rotate 20 --default-size 2048 --loghost syslogserver1:514
I am also seeing 'malformed' syslog messages on the remote syslog server. The syslog server is looking for the hostname in a specific column in the messages and uses that to determine the folder it should go in, but some messages are not following the expected format so the data is getting placed in random folders. See below:
[root@syslogserver /var/log/syslog]# ls -lt
total 44
drwxr-x---. 3 root esx 4096 Jul 2 10:13 myhostname.company.com
drwxr-x---. 3 root esx 4096 Jul 2 10:13 NoneZ
drwxr-x---. 3 root esx 4096 Jul 2 10:13 Section
drwxr-x---. 3 root esx 4096 Jul 2 10:13 Wed
drwxr-x---. 3 root esx 4096 Jul 2 10:13 MYHOSTNAME.company.com
drwxr-x---. 46 root root 4096 Jul 2 00:04 vmname1
drwxr-x---. 66 root esx 8192 Jul 2 00:03 vmname2
drwxr-x---. 4 root esx 4096 Jul 2 00:03 someotherhost.company.com
drwxr-x---. 3 root esx 4096 Jul 1 15:50 exiting
drwxr-x---. 3 root esx 4096 Jul 1 15:37 last
[root@syslogserver /var/log/syslog]#
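The misfiled folders in the listing above (NoneZ, Section, Wed, exiting, last, and the same host appearing once in lower case and once in upper case) are what you get when a receiver assumes "the hostname is always column N". Below is an added example, not code from the original post or from VMware, showing the fragile column-based approach next to a parser that recognises both the BSD (RFC 3164) and the RFC 5424 syslog headers, validates the hostname token, lower-cases it so case variants share a folder, and sends anything it cannot parse to a single quarantine bucket instead of a folder named after a stray word. The sample lines are constructed; the optional `known_hosts` allowlist and the tolerance for a missing RFC 5424 version digit are assumptions for illustration.

```python
"""Route syslog lines to per-host folders without trusting 'column N' for the hostname.

Added example for the thread above (not the original post's or VMware's code).
Parses RFC 3164 (BSD) and RFC 5424 headers, validates the hostname token and
quarantines anything else. Sample lines below are constructed.
"""
import re
from collections import Counter

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG...
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...
# The version digit is made optional here (assumption) so an ISO-8601
# timestamp directly after the priority is still recognised.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d )?"
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

# Plausible hostname or dotted IPv4: labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

QUARANTINE = "_malformed"


def naive_host(line):
    """The fragile approach: whitespace-split and take the fourth field.

    Correct only for the BSD header 'Mmm dd hh:mm:ss HOSTNAME'; for an
    RFC 5424 header or a header-less continuation line it returns a stray
    token, which is how folders like 'Section' or 'Wed' come into being.
    """
    fields = line.split()
    return fields[3] if len(fields) > 3 else None


def route(line, known_hosts=None):
    """Return (folder, header_format) for one raw syslog line.

    folder is the lower-cased hostname when the header parses and the
    hostname token is plausible (and, if known_hosts is given, on the
    allowlist); otherwise QUARANTINE. header_format is 'rfc5424',
    'rfc3164' or 'unknown'.
    """
    for fmt, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if not m:
            continue
        host = m.group("host")
        if host == "-" or not HOSTNAME.match(host):
            return QUARANTINE, fmt          # nil or implausible hostname
        host = host.lower()                 # merge case variants of one host
        if known_hosts is not None and host not in known_hosts:
            return QUARANTINE, fmt          # parsed, but not a host we expect
        return host, fmt
    return QUARANTINE, "unknown"            # no recognisable header at all


def bucket(lines, known_hosts=None):
    """Count how many lines would land in each folder."""
    return Counter(route(line, known_hosts)[0] for line in lines)


# Constructed sample lines: BSD header, RFC 5424 header with upper-case host,
# a header-less continuation line, and an RFC 5424 line with a nil hostname.
SAMPLES = [
    "<134>Jul  2 10:13:00 myhostname.company.com vmkernel: cpu0:12345)constructed message",
    "<166>1 2014-07-02T10:13:00.123Z MYHOSTNAME.company.com Hostd: [12345678 info 'Default'] constructed message",
    "Section for VMware ESX, pid=12345, version=5.5.0, build=0000000, option=Release",
    "<166>1 2014-07-02T10:13:01.000Z - Hostd: constructed message with nil hostname",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"naive={naive_host(line)!r:28} robust={route(line)}")
    print(dict(bucket(SAMPLES)))
```

Running it shows the column-based parser filing the RFC 5424 line under `Hostd:` and the continuation line under `ESX,`, while `route()` puts both host variants in one `myhostname.company.com` folder and the other two lines in `_malformed`. A single quarantine folder is also the right place to alert on: a sudden rise in its volume means a sender changed format or a device is emitting something unexpected, which is a detection signal rather than silent misfiling.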