VMware Event Logs and PowerCLI

Posted on December 3, 2013 by Jeff Hicks in VMware

If you are responsible for VMware servers, one of your management tasks should probably be to keep an eye out for problems in the event log. In the Windows world we have a few PowerShell cmdlets at our disposal for remote event log management. Obviously those won’t work for a VMware ESXi server. What we do have, though, is PowerCLI, which we’ve been covering lately on the site. Let me show you how to retrieve event log information from your VMware servers.

Getting Event Log Types

The first thing you need to do is identify the type of event log. I already have PowerCLI loaded and am connected to my default ESXi server. Using Get-LogType will display the available logs.

The logs are in plain text, as you can see in the summary, which is good because, as I’ll demonstrate in a bit, you might have to stretch your string parsing skills. From this list you need to make note of the Key. You will need this to get the actual entries for the corresponding log.

Getting Event Log Entries with PowerCLI

PowerCLI has a Get-Log cmdlet to do the heavy lifting of retrieving the contents of the event log. At a minimum all you need to do is specify the log key, which you get with Get-LogType. I’m going to get entries from hostd.

Be careful, as the key name, e.g. hostd, is case sensitive. You need to specify the key exactly as you see it with Get-LogType.

So I have an object, $hostd, that has a single property, Entries, which is a collection of strings. These are the lines of text from the event log.

That’s a lot of lines. In order to read the log, I have to get the items from Entries as shown below in Figure 1.

[Figure 1]

The better approach, in my opinion, is to expand the entries as they are being collected.

Now $hostd is a copy of the event log. I could pipe it to Out-File to save a local copy, or parse it further.

It is also possible to get a subset of log entries. You can specify the number of lines to return.

You can also specify the line number at which to start. The default is 1. The log starts with the oldest entry.

Or if you don’t specify the number of lines, the cmdlet will get all event log entries starting at the given line number.

You can see my result in Figure 2.

[Figure 2]

The catch here is that you don’t know how many lines you have unless you retrieve the entire log. So you might as well grab everything as I did earlier.

Parsing the Log File

Another important thing you should know is that not every item in your log (this is $hostd in my example) is an event log entry. Some entries have multiple lines.

This is a single entry but would count as six lines. Even so, with everything as an array you could get the last part of the file.

This should be the last 20 or so lines of the log file, which will be the most recent entries.

[Figure 3: log file]

Or use Select-String to find relevant information.

Figure 4 below shows the five most recent entries that have VMSvc in the entry.

[Figure 4: vmsvc]

The last thing I want to show you is a way to convert that funky time stamp you see at the beginning of each entry into a more user-friendly local time. With a little regular expression magic, you can replace that string with a friendlier date format.

To begin, you need a regular expression pattern for the date/time format.

Then you can pipe the entries to ForEach-Object.

If the line of text matches the regex pattern, then the matching value is saved as a datetime object, $dt, and then replaced in the line. The replaced line gets written to the pipeline. If there is no match, then the line is simply passed back through. You can see the result for a sample of lines in Figure 5.

[Figure 5: vmsvc]

Putting it all together you might want to run a PowerCLI expression like this:

Now $hostd has the entire log and the time stamps are local. I can parse or filter as I need, or save the results to a local file.
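
The steps above combined into one pipeline, as an added example that is not the author's original code: the hypothetical helper ConvertFrom-HostdLog regroups multi-line entries and adds a local time stamp while keeping the UTC value for correlation with other log sources. It assumes hostd entries begin with an ISO 8601 UTC stamp such as 2013-12-02T14:05:11.482Z; the sample lines are constructed.

```powershell
# Constructed sample lines; the ISO 8601 UTC prefix is an assumed hostd layout.
$sample = @(
    "2013-12-02T14:05:11.482Z [7F3A1B70 info 'vmsvc'] Constructed sample entry one"
    "2013-12-02T14:05:12.019Z [7F3A1B70 verbose 'hostd'] Constructed multi-line entry:"
    "   (constructed) continuation line 1"
    "   (constructed) continuation line 2"
    "2013-12-02T14:06:40.730Z [7F3A1B70 warning 'vmsvc'] Constructed sample entry two"
)

function ConvertFrom-HostdLog {
    # Hypothetical helper: one object per log entry, continuation lines folded in.
    # Lines that appear before the first time-stamped entry are dropped.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]
        [string]$Line
    )
    begin {
        $pattern = '^(?<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z)\s*(?<msg>.*)$'
        $styles  = [System.Globalization.DateTimeStyles]::AdjustToUniversal
        $current = $null
    }
    process {
        if ($Line -match $pattern) {
            if ($current) { $current }      # a new stamp closes the previous entry
            $utc = [datetime]::Parse($Matches.ts, [cultureinfo]::InvariantCulture, $styles)
            $current = [pscustomobject]@{
                TimeUtc   = $utc                 # original value, kept for correlation
                TimeLocal = $utc.ToLocalTime()   # friendlier local time
                Message   = $Matches.msg
                LineCount = 1
            }
        }
        elseif ($current) {
            # No time stamp: this line continues the current entry.
            $current.Message += "`n$Line"
            $current.LineCount++
        }
    }
    end { if ($current) { $current } }      # flush the final entry
}

$entries = $sample | ConvertFrom-HostdLog
# The five most recent entries that mention vmsvc, counted per entry, not per line.
$entries | Where-Object Message -match 'vmsvc' | Select-Object -Last 5 -Property TimeLocal, Message

# Against a live host (requires a connected PowerCLI session):
#   Get-Log -Key hostd | Select-Object -ExpandProperty Entries | ConvertFrom-HostdLog
```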

Because VMware servers obviously are not running Windows, it takes a bit more effort to retrieve and analyze logs. But it is still very doable with PowerShell and PowerCLI. You simply might have to be a bit clever, such as using my regex trick to “convert” the time stamp, to get the most out of the cmdlet.
