Sending logs to an external syslog server is very common practice across many industries. The main reason to send logs to the external location is security or industry compliance. It helps to find out the root cause of the problem, despite de fact logs on the source system could be deleted or modified, or overwritten, or the platform itself may be gone or inaccessible.
Nutanix recommends keeping central syslog server in a dedicated security zone behind the firewall with very limited and strict access.
You can configure multiple remote syslog servers on a single Nutanix cluster. The log levels supported by rsyslog are debug, info (recommended), notice, warning, error, crit, alert, and emerg.
Below you can find two ncli commands needed to configure log forwarding from Nutanix cluster.
cvm$ ncli rsyslog-config edit-server name=nodeA ip-address=IP_address
port=514 network-protocol=tcp relp-enabled=no
cvm$ ncli rsyslog-config add-module module-name=syslog_module level=info servername=nodeA
If you are configuring syslog on Nutanix AHV cluster, the system will send logs from AOS (Acropolis Operating System) and Nutanix AHV. However, if you are running VMware ESXi or Microsoft Hyper-V as a hypervisor, you will have to configure remote syslog server on hypervisor separately.
If you are looking for information about what ports are used by syslog, see my blog post – Nutanix port diagrams for detailed information