In this blog post, we explore how to use powerful command-line utilities to view, filter, and analyze Linux log files. Whether you’re troubleshooting system issues or just digging through logs for insights, these tools can help you extract meaningful data quickly and efficiently.
Key vCenter Log Files (VCSA)
These logs are typically found in the directory:
Log File | Location | Description |
---|---|---|
vpxd.log | /var/log/vmware/vpxd/ | Main vCenter Server log (inventory, events, DRS, host management) |
vpxd-profiler.log | /var/log/vmware/vpxd/ | Performance and profiling data of vpxd |
vpxd-alert.log | /var/log/vmware/vpxd/ | Alerts and notifications from vpxd |
vsphere-ui-runtime.log | /var/log/vmware/vsphere-ui/ | Logs for the vSphere UI (HTML5 client) runtime |
vsphere-client-logs/ | /var/log/vmware/vsphere-client/ | Logs for legacy vSphere Web Client |
sso.log | /var/log/vmware/sso/ | Single Sign-On service logs |
sts.log | /var/log/vmware/sso/ | Security Token Service log (authentication tokens) |
vmware-psc-client.log | /var/log/vmware/psc-client/ | Platform Services Controller client logs |
vmon.log | /var/log/vmware/vmon/ | vMon service log (manages vCenter services) |
ems.log | /var/log/vmware/ems/ | ESX Agent Manager log |
invsvc.log | /var/log/vmware/invsvc/ | Inventory service logs |
cmsso-registrar.log | /var/log/vmware/cmsso/ | Handles registration of PSC components |
rhttpproxy.log | /var/log/vmware/rhttpproxy/ | Reverse HTTP proxy for vCenter web access |
vmafdd.log | /var/log/vmware/vmafdd/ | VMware Authentication Framework Daemon log |
vmdird.log | /var/log/vmware/vmdird/ | VMware Directory Service (LDAP) log |
lsassd.log | /var/log/vmware/lsass/ | Lightwave-based directory access |
identity-firstboot.py_*.log | /var/log/firstboot/ | Logs during the initial setup and identity configuration |
upgrade.log | /var/log/vmware/ | Logs during upgrade of VCSA |
We can use the regular less and more commands with zcat, or zmore and zless, to page through .gz files
zcat logfile.gz | less    # or: zcat logfile.gz | more
zmore logfile.gz          # zmore and zless page the file themselves
zless logfile.gz
Search inside compressed .gz files without extracting them
zgrep "error" /var/log/vmware/vpxd/vpxd.log.*.gz
Comparing compressed files with zdiff
zdiff can be used to see the difference between compressed files
zdiff messages1.gz messages2.gz
Using journalctl on VCSA
journalctl reads systemd journal logs. This is useful for analyzing service failures, boots, user activity, etc.
Basic usage:
journalctl                           # Dump all logs
journalctl -xe                       # Jump to the most recent entries, with explanatory text
journalctl -f                        # Follow logs (like tail -f)
journalctl -b                        # Logs from current boot
journalctl -b -1                     # Logs from previous boot
sudo journalctl -u apache2.service   # Logs for a single unit
Filter by time:
journalctl --since "2025-06-20 08:00" --until "2025-06-20 10:00"
To view logs since a specific date, run:
sudo journalctl --since "2024-06-19"
Filter by service:
journalctl -u vmon # vCenter service manager
journalctl -u vmware-stsd # STS (token) service
journalctl -u vmware-vpxd # vpxd main service
Example: Investigate vCenter UI Not Loading
journalctl -u vsphere-ui -b
zgrep -i error /var/log/vmware/vsphere-ui/*log*.gz
Read vpxd.log via awk
zcat /var/log/vmware/vpxd/vpxd.log.1.gz | awk '/Datastore/ && /error/ {print $1, $2, $3, $6, $7}'
Show timestamps and service names for all errors:
sudo awk '/error/ {print $1, $2, $3, $5}' /var/log/syslog
Print only failed login attempts from auth.log
sudo awk '/Failed password/ {print $1, $2, $3, $9, $11}' /var/log/auth.log
Find lines containing "kernel" in dmesg log and show the timestamp and message
dmesg | awk '/kernel/ {print $1, $2, $3}'
If you're dumping journal logs and want to process them:
journalctl -xe | awk '/sshd/ && /Failed/ {print $1, $2, $3, $5, $6}'
Count how many times a specific event occurs
awk '/disk failure/ {count++} END {print count+0}' /var/log/syslog
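Building on the failed-login filter and the counting pattern above, the following added example (not from the original post) counts failed SSH password attempts per source IP and user. It finds the user and IP by their surrounding keywords rather than fixed field numbers, so lines logged as "invalid user <name>" parse correctly; the function names and sample log lines are constructed for illustration and assume the traditional syslog line format.

```shell
#!/usr/bin/env bash
# Added example: count failed SSH password attempts per source IP and user.

# Constructed sample lines in traditional syslog format (documentation IPs).
sample_auth_log() {
cat <<'EOF'
Jun 20 08:01:11 vcsa01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 20 08:01:14 vcsa01 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 20 08:02:30 vcsa01 sshd[2140]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Jun 20 08:02:41 vcsa01 sshd[2144]: Failed password for invalid user admin from 198.51.100.23 port 40031 ssh2
Jun 20 08:02:55 vcsa01 sshd[2150]: Failed password for invalid user admin from 198.51.100.23 port 40040 ssh2
Jun 20 08:03:02 vcsa01 sshd[2155]: Accepted password for root from 192.0.2.10 port 50500 ssh2
EOF
}

# Reads auth.log-style lines from stdin or from the files given as arguments.
# Prints "<count> <ip> <user>", highest count first.
failed_logins() {
    LC_ALL=C awk '
    /Failed password for / && NF >= 8 {
        # The user name is client-supplied text, so take the IP from the
        # fixed tail "from <ip> port <n> <proto>" instead of a field number.
        if ($(NF-4) != "from" || $(NF-2) != "port") next
        ip = $(NF-3)
        for (i = 1; i <= NF - 2; i++)
            if ($i == "Failed" && $(i+1) == "password" && $(i+2) == "for") break
        start = i + 3
        # Unknown accounts are logged as "invalid user <name>".
        if ($start == "invalid" && $(start+1) == "user") start += 2
        user = $start
        for (j = start + 1; j < NF - 4; j++) user = user " " $j
        hits[ip " " user]++
    }
    END { for (k in hits) print hits[k], k }
    ' "$@" | LC_ALL=C sort -k1,1nr -k2
}

sample_auth_log | failed_logins
```

On a live system, pass the log file as an argument, for example failed_logins /var/log/auth.log, or pipe journalctl output into it.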