Collecting VMware/VCSA logs - Best practice


I am trying to collect VMware logs with Graylog 4.2.5
→ Created TCP-Syslog-Input
→ Tried Content-Pack from marketplace:

But: There is still a lot open.

According to "Multiline/Fragmented Rsyslog Events - #5 by frantz", VMware is sending multi-line logs, which are currently not handled. So there are logs that contain only "-->".

The dashboard of the content pack is empty, too.

Are you sending VMware logs to Graylog? What is your concept? Do you need Logstash as a "proxy", or what are you using?

Thank you and best wishes.

One update: the Syslog input is discarding most of the VMware logs. The Raw input is able to show a lot more…


You may want to look at this for multiline logs.

I also found these …

Last thing I did find was under Collectors

I hope all this information will help.
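
The multi-line problem raised in the thread, as an added example that is not from any poster or from Graylog: a small Python pre-processor that folds "-->" continuation lines back into the event they belong to before the logs are forwarded. It assumes each line arrives with its own header in the form `<PRI>TIMESTAMP HOST APP: MESSAGE` and that continuations come from the same host and app as their first line; `reassemble` and the sample lines are made up for illustration.

```python
import re

# Assumed wire shape per line: "<PRI>TIMESTAMP HOST APP: MESSAGE" (an assumption,
# not taken from the thread). Continuation lines carry "-->" at the start of MESSAGE.
LINE = re.compile(r"^(?:<\d{1,3}>)?(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:\s]+): ?(?P<msg>.*)$")
CONT = "-->"

def reassemble(lines, max_parts=200):
    """Fold '-->' continuation lines into the last event from the same host and app."""
    events, last_by_source = [], {}
    for raw in lines:
        text = raw.rstrip("\r\n")
        m = LINE.match(text)
        if not m:  # unparseable line: keep it as its own event, never drop it
            events.append({"host": None, "app": None, "parts": [text], "orphan": False})
            continue
        key, msg = (m["host"], m["app"]), m["msg"]
        if msg.startswith(CONT):
            head = last_by_source.get(key)
            if head is not None and len(head["parts"]) < max_parts:
                # Drop the marker and one separator space, keep remaining indentation
                head["parts"].append(msg[len(CONT):].removeprefix(" "))
                continue
            # No first line seen (or size cap hit): keep the fragment, flagged for review
            events.append({"host": key[0], "app": key[1], "parts": [msg], "orphan": True})
            continue
        event = {"ts": m["ts"], "host": key[0], "app": key[1], "parts": [msg], "orphan": False}
        events.append(event)
        last_by_source[key] = event
    for e in events:
        e["message"] = "\n".join(e.pop("parts"))
    return events

# Constructed sample lines; hosts and messages are invented for illustration.
SAMPLE = [
    '<166>2022-01-10T08:15:01.101Z esx01.example.test Hostd: error: task failed',
    '<166>2022-01-10T08:15:01.102Z esx01.example.test Hostd: --> (fault) {',
    '<167>2022-01-10T08:15:01.102Z esx02.example.test Vpxa: heartbeat ok',
    '<166>2022-01-10T08:15:01.103Z esx01.example.test Hostd: -->    reason = "timeout"',
    '<166>2022-01-10T08:15:01.103Z esx01.example.test Hostd: --> }',
    '<166>2022-01-10T08:15:02.000Z esx03.example.test Hostd: --> stray fragment',
]

if __name__ == "__main__":
    for e in reassemble(SAMPLE):
        print(e["host"], e["orphan"], repr(e["message"]))
```

Fragments whose first line was never seen are kept and flagged rather than dropped, so gaps in collection stay visible downstream.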