We have 2 newly built sites, each with its own Log Insight cluster, and each Log Insight cluster has its own unique FQDN to receive syslogs.
All servers, hosts etc send their syslogs to the Log Insight cluster at the same site, there is no cross-site configuration etc.
The 2 sites share a single SSO Domain with 1 external Platform Services Controller at each site, and each site has 2 vCenters with numerous hosts.
This is all running with vCenter and vSphere 6.0 Update 1.
We use the vSphere Integration feature in Log Insight. This allows you to point at a vCenter and it will auto-configure the Syslog.Global.LogHost settings on the host.
For each Log Insight cluster we configure the 2 vCenters.
So at this point all is well, and the vSphere hosts are configured to the correct Log Insight cluster FQDN.
However, within the hour something would hit all the hosts and reconfigure the Syslog.Global.LogHost to 1 of the Log Insight cluster FQDNs. This now makes 1 site incorrect, and the hosts etc are now sending syslogs across the link to the other Log Insight cluster at the other data centre. It was also affecting the syslog settings on all 5 of our NSX Managers.
We spent numerous hours trying to fix this and find the root cause. Even after shutting down both Log Insight clusters and manually un-configuring Syslog.Global.LogHost on all hosts, something would still change them again within the hour.
After numerous calls and WebEx sessions with VMware it was found that the root cause was a vRealize Operations (vROps) NSX Management pack.
When you configure the NSX Management pack adaptors which point at vCenter Servers, there is an option turned on by default: “enable Log Insight integration if configured”. There is a bug with this feature where, if you have it enabled, it overwrites the syslog settings on ESXi hosts and NSX Managers. The current fix is to disable the option.
Currently, VMware has no KB articles on this issue, but here is my SR number for reference in case you strike the same issue: SR 15837127512
VMware have confirmed this is resolved with Management Pack for NSX for vSphere 3.0.
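
Because the overwrite described above is silent, a scheduled check that compares each host's Syslog.Global.LogHost against the Log Insight FQDN expected for its vCenter will catch it before logs go missing from the local cluster. The PowerShell below is an added example, not part of the original post or VMware's code; all vCenter, host and Log Insight names are constructed, and the commented PowerCLI query assumes sessions already opened with Connect-VIServer.

```powershell
# Expected Log Insight FQDN per vCenter (constructed names, replace with your own).
$ExpectedLogHost = @{
    'vc-a1.site-a.example' = 'loginsight.site-a.example'
    'vc-a2.site-a.example' = 'loginsight.site-a.example'
    'vc-b1.site-b.example' = 'loginsight.site-b.example'
    'vc-b2.site-b.example' = 'loginsight.site-b.example'
}

function Get-SyslogTargetHost {
    # Split a LogHost value such as "udp://a:514,ssl://b:1514" into bare host names.
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return }
    foreach ($t in ($Value -split ',')) {
        $t = $t.Trim()
        if ($t) { ($t -replace '^[a-z]+://', '' -replace ':\d+$', '').ToLower() }
    }
}

function Test-SyslogDrift {
    # Input: objects with VCenter, VMHost and LogHost properties.
    # Output: one row per host whose targets are not all the expected FQDN.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $expected = $ExpectedLogHost[$Record.VCenter]
        $actual   = @(Get-SyslogTargetHost $Record.LogHost)
        if (-not $expected)          { $state = 'NoExpectation' }
        elseif ($actual.Count -eq 0) { $state = 'Unconfigured' }
        elseif (@($actual | Where-Object { $_ -ne $expected }).Count) { $state = 'Drift' }
        else { return }   # every target is the site's own cluster
        [pscustomobject]@{ VMHost = $Record.VMHost; State = $state
                           Expected = $expected; Actual = $actual -join ',' }
    }
}

# Live source with PowerCLI, after Connect-VIServer to each vCenter:
# $records = foreach ($vc in $global:DefaultVIServers) {
#     Get-VMHost -Server $vc | ForEach-Object {
#         [pscustomobject]@{ VCenter = $vc.Name; VMHost = $_.Name
#             LogHost = (Get-AdvancedSetting -Entity $_ -Name 'Syslog.Global.LogHost').Value } } }

# Constructed sample records standing in for that query.
$records = @(
    [pscustomobject]@{ VCenter = 'vc-a1.site-a.example'; VMHost = 'esx01.site-a.example'; LogHost = 'udp://loginsight.site-a.example:514' }
    [pscustomobject]@{ VCenter = 'vc-b1.site-b.example'; VMHost = 'esx11.site-b.example'; LogHost = 'udp://loginsight.site-a.example:514' }
    [pscustomobject]@{ VCenter = 'vc-b2.site-b.example'; VMHost = 'esx12.site-b.example'; LogHost = '' }
)
$records | Test-SyslogDrift | Format-Table -AutoSize
```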