How to Use Get-Log for Parsing Logs


Being able to read and search VMware logs quickly is very handy when troubleshooting VMware issues, and you don’t need to know the VMware log locations by heart. Of course, there are tools available on the market today that provide this kind of performance monitoring to VMware administrators. However, those solutions cost money. Fortunately for the VMware community, the PowerCLI cmdlet Get-Log gives us this power for FREE. Note that we are not talking about uploading logs to VMware, as that requires a support bundle generated with the VMware vCenter logs export feature.

So where do I start, and how do I use it? First, we need to install PowerCLI on the machine we are going to run it from. Get-Log is a PowerShell cmdlet that is part of the PowerCLI module. If you already have it installed, you can skip this step. To install the PowerCLI PowerShell modules, open an administrative PowerShell console and type in the following:

Install-Module -Name VMware.PowerCLI

This will install the PowerCLI module and we will be good to go. I’m a huge proponent of using the integrated PowerShell help system (before using Google-Fu) to really understand the different features of a cmdlet. So if you’d like to explore additional information about the Get-Log cmdlet, run the following command in the PowerShell console:

Get-Help Get-Log

How to view VMware logs for an ESXi Host

The Get-Log cmdlet collects the vSphere log events, but first we need to connect to either an ESXi host or a vCenter server. In my example, I’m going to connect to a vCenter server so that shortly afterwards I can show how to use Get-Log against multiple hosts. To start our connection to vCenter, use the following command:

Connect-VIServer -Server 192.168.0.9

You will be prompted for the vCenter/ESXi host credentials, then a connection will be established:

[Screenshot: vCenter/ESXi host credentials]

Now that we have a connection established to our vCenter server, let’s see how to read VMware logs. But first, we need to know what types of VMware ESXi logs we can parse. So let’s use Get-LogType to view the available VMware logs that we can obtain from our host:

Get-LogType -VMHost 192.168.0.8

[Screenshot: LogType]

We can see that we have four logs (keys) available. Let’s check out the VMkernel logs; there is a lot of valuable info that we can get from this log depending on the issue we are troubleshooting. We’ll specify “vmkernel” with the -Key parameter, then wrap the command in parentheses and ask for only the “Entries” property to display all of our VMkernel entries:

(Get-Log -VMHost 192.168.0.8 -Key vmkernel).Entries

[Screenshot: VMkernel entries]

Wow, that’s a lot of raw text! Unless you’re a character from the movie The Matrix, we will need to filter these results to get something more decipherable. Let’s do some filtering using Where-Object. We will filter the results down to the “Warning” events:

(Get-Log -VMHost 192.168.0.8 -Key vmkernel).Entries | Where-Object -FilterScript {$_ -like "*warning*"}

[Screenshot: Where-Object]

All of our log events are now filtered and we only see entries that contain the word “Warning”. To search for a different string, just replace “warning” in the command above, and only log entries containing that string are returned. To take it a step further, since we are gathering the log events interactively through the console rather than writing a script at the moment, we can make the output a little more pleasant by using the Out-GridView cmdlet:

(Get-Log -VMHost 192.168.0.8 -Key vmkernel).Entries | Where-Object -FilterScript {$_ -like "*warning*"} | Out-GridView

Note that instead of Out-GridView, you can also use Export-Csv or Out-File to export the VMware logs, for instance.

We now get a new GUI window that allows us to easily view and scroll through our output:

[Screenshot: GUI window that allows us to easily view and scroll through our output]

We can also filter on the fly. Here I narrow the results even further to Warning messages that contain the string “NTPClock”:

[Screenshot: NTPClock]

Using Get-Log with Multiple Hosts

It’s nice to be able to quickly gather VMware logs from one host, but the real magic comes when we can query an entire datacenter for a specific alert within seconds. By using the Get-Datacenter cmdlet, I can target all of the ESXi hosts in an entire datacenter and query them for log alerts. In my example, I am searching through all the ESXi hosts in my datacenter “LukeLab”. I pipe the datacenter object to Get-VMHost and then tack on what we’ve already created above:

(Get-Datacenter -Name LukeLab | Get-VMHost | Get-Log -Key vmkernel) | Select-Object Host, Entries | Where-Object -FilterScript {$_.Entries -like "*NTPclock*"}

This one-liner searches the VMware ESXi logs on all hosts in my datacenter and lists any host whose log entries contain the string “NTPClock”:

[Screenshot: VMware ESXi logs]
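
Added example (not from the original article): the one-liner above returns each matching host together with its whole Entries array, so this function flattens the result to one row per matching line, ready for Export-Csv or Out-GridView. The function name Select-VMHostLogEntry, its parameters, the sample host name and the sample log lines are assumptions made for this example, as is the leading timestamp format.

```powershell
function Select-VMHostLogEntry {
    [CmdletBinding()]
    param(
        # Label written to every output row (hypothetical parameter).
        [Parameter(Mandatory)]
        [string] $VMHostName,

        # Raw log lines, e.g. (Get-Log -VMHost $h -Key vmkernel).Entries
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowNull()]
        [AllowEmptyString()]
        [string[]] $Entry,

        # Literal text to look for; case-insensitive, like -like "*text*".
        [Parameter(Mandatory)]
        [string] $Text
    )
    begin { $pattern = [regex]::Escape($Text) }
    process {
        foreach ($line in $Entry) {
            if ($line -notmatch $pattern) { continue }
            # Assumption: entries start with an ISO 8601 UTC timestamp.
            $stamp = if ($line -match '^(\d{4}-\d{2}-\d{2}T[\d:.]+Z)') { $Matches[1] } else { $null }
            [pscustomobject]@{
                VMHost    = $VMHostName
                Timestamp = $stamp
                Line      = $line
            }
        }
    }
}

# Constructed sample lines (not real log output), so the function runs offline.
$sample = @(
    '2024-01-10T08:15:02.114Z cpu4:2097812)WARNING: NTPClock: constructed sample message'
    '2024-01-10T08:15:09.530Z cpu2:2097640)ScsiDeviceIO: constructed sample message'
    ''
    'WARNING: ntpclock: constructed line without a timestamp'
)
$sample | Select-VMHostLogEntry -VMHostName 'esx-sample-01' -Text 'NTPClock'

# Against live hosts, after Connect-VIServer (datacenter name from the article):
# $rows = foreach ($h in Get-Datacenter -Name LukeLab | Get-VMHost) {
#     (Get-Log -VMHost $h -Key vmkernel).Entries |
#         Select-VMHostLogEntry -VMHostName $h.Name -Text 'NTPClock'
# }
# $rows | Export-Csv -Path .\ntpclock.csv -NoTypeInformation
```

The sample run returns two rows: the timestamped NTPClock warning, and the line without a timestamp, whose Timestamp column is empty.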

Types of VMware ESXi logs

There are a number of log files in VMware ESXi, and finding your way around them isn’t always straightforward. Even though you don’t need to know the VMware log locations to use Get-Log, it is recommended to understand them and where they live in case PowerCLI doesn’t work, due to an underlying issue for instance.

Below are the log files you will most commonly be exposed to. Check out this blog and this blog for more details about VMware logs.

| Component | Location | Purpose |
| --- | --- | --- |
| Authentication | /var/log/auth.log | Events related to authentication for the local system. |
| ESXi host agent log | /var/log/hostd.log | Agent that manages ESXi host and its virtual machines. |
| Shell log | /var/log/shell.log | Record of all commands typed into the ESXi Shell and shell events. |
| System messages | /var/log/syslog.log | General log messages and can be used for troubleshooting. |
| vCenter Server agent log | /var/log/vpxa.log | Agent that communicates with vCenter Server (vpxd). |
| Virtual machines | The same directory as the affected virtual machine’s configuration files, named vmware.log and vmware*.log. For example, /vmfs/volumes/datastore/virtual machine/vmware.log | VM power events, system failure information, tools activity, virtual hardware changes, migrations, machine clones, and so on. |
| VMkernel | /var/log/vmkernel.log | Records activities related to virtual machines and ESXi. |
| VMkernel summary | /var/log/vmksummary.log | Used to determine uptime and availability statistics for ESXi. |
| VMkernel warnings | /var/log/vmkwarning.log | Records activities related to virtual machines. |


Wrap up

Querying VMware logs is an extremely powerful technique, as it can be used to provide automated recurring email alerts on our ESXi environment for free! One could even take it a step further and use this cmdlet with the PowerShell Universal Dashboard to create a personalized dashboard for monitoring ESXi hosts.

As VMware admins, we increasingly need to be able to manage and deploy our infrastructure with code rather than a wizard or GUI. Depending on the size of the VMware environment, collecting and sorting through the VMkernel logs by hand could take hours, but with PowerCLI we can do it in seconds and at no monetary cost. If you’ve used Get-Log or are currently working on a script that uses it, be sure to share your experience in the comments below.


Frequently Asked Questions

You can use the PowerCLI cmdlet "Get-Log", read through the files on the command line, open a web browser on https:///hosts or use the vSphere web client.
VMware logs contain everything that is happening on a vSphere host at different levels. They are incredibly useful for troubleshooting purposes.
VMware ESXi logs are located for the most part in /var/log/.
You can download a support bundle that includes all the logs from the vSphere client. This bundle is what VMware GSS may require to resolve an open case.
