
Automating Log Filter Configuration with PowerShell

This is an addition to this script, which is very helpful in automating the configuration of a Syslog server. The script below can be used to limit the logs sent to the Syslog server by applying log filters.


Logging is an essential part of system management, providing valuable information for troubleshooting and identifying potential issues. However, the vast amount of logs generated can make it challenging to identify relevant information. Log filters provide a way to filter out unnecessary information, making it easier to identify critical events.

The script we’re discussing today is a PowerShell script that automates log filter configuration on ESXi hosts in a VMware vCenter cluster. The script applies filters listed in a CSV file, and it can enable log filtering if it’s disabled.

Content of the CSV file:

0 | * | .*PowerFlex blkScsiCmd_UnmapWithSize:391 :Error: Unmap called with result larger than buffer: Opcode UNMAP
0 | vsansystem | .*

And the PowerShell script:

<#
Author: Kabir Ali -
Scriptname: Filter on Syslog
Version: 1.1 (Tested)
Date: Feb 13 2023
Why: After every patch the log filter settings get removed.

Version history:
1.0 - Feb 13 - Initial version
1.1 - Mar 13 - Enable log filters

Usage:
.\filter_on_syslog.ps1 -vCenter "vCenter@local.domain" -Cluster "Production" -Input_file "c:\temp\log_filters.csv"
#>

Param (
    [Parameter(Mandatory = $true)][string]$vCenter,
    [Parameter(Mandatory = $true)][string]$Cluster,
    [Parameter(Mandatory = $true)][string]$Input_file
)

# Get all the filters that need to be applied
$log_filters = Import-CSV $Input_file -Delimiter ';'

# Bypass SSL certificate verification
# Note: this turns off certificate validation for every .NET HTTPS request made
# in this PowerShell session, not only for the vCenter connection.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
# Authenticating with API
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Connect to the vCenter
try {
    Connect-VIServer -Server $vCenter -ErrorAction Stop | Out-Null
}
Catch {
    Write-Warning -Message "Error: Failed to connect to the vCenter. Stopping script."
    Exit
}

# Check if Cluster name is correct
if (-not (Get-Cluster -Name $Cluster -Server $vCenter -ErrorAction SilentlyContinue)) {
    Write-Output "Error: Couldn't find cluster with clustername $($Cluster)"
    Disconnect-VIServer -Server * -Confirm:$false
    Exit
}

# Get ESXi hosts of the cluster
Write-Output "Found a total of $((get-cluster -Name $Cluster | Get-VMHost).count) ESXi hosts to work with."

# Set on each ESXi host the log filter
foreach ($esx_host in (get-cluster -Name $Cluster | Get-VMHost).name) {
    Write-Output "Working on $($esx_host)."
    # Get ESXCLI of current host (once per host, so it is also set when the CSV is empty)
    $esxcli = Get-VMHost $esx_host | Get-EsxCli -V2
    Start-Sleep 0.3
    foreach ($log_filter in $log_filters) {
        # Empty array
        [array]$filters_active = @()
        # Get current log filters
        $filters_active = $esxcli.system.syslog.config.logfilter.list.Invoke()
        Start-Sleep 0.3
        if ($filters_active.filter -contains $log_filter.filter_name) {
            write-output "Log filter: $($log_filter.filter_name) - already active"
        }
        else {
            # Generate output
            Write-Output "Applying filter $($log_filter.filter_name) on ESXi host $($esx_host)"
            Start-Sleep 0.3
            # Create arguments variable
            $arguments = $esxcli.system.syslog.config.logfilter.add.CreateArgs()
            Start-Sleep 0.3
            # Log filter rule to add
            $arguments.filter = $log_filter.filter_name
            Start-Sleep 0.3
            # Apply log filter rule
            $esxcli.system.syslog.config.logfilter.add.Invoke($arguments)
            Start-Sleep 0.3
        }
    }

    # Enable logfiltering
    if ($esxcli.system.syslog.config.logfilter.get.Invoke().LogFilteringEnabled -eq "false") {
        Write-Output "Enabling log filtering ESXi host $($esx_host)"
        $set_arg = $esxcli.system.syslog.config.logfilter.set.CreateArgs()
        $set_arg['logfilteringenabled'] = $true
        $esxcli.system.syslog.config.logfilter.set.Invoke($set_arg)
        Start-Sleep 0.3
    }

    # Reload syslog
    $esxcli.system.syslog.reload.Invoke()
    Start-Sleep 0.3
}

# Disconnect from the vCenter
Disconnect-VIServer -Server * -Confirm:$false

Script overview:

The script starts by importing the necessary PowerShell modules and defining the parameters required for execution. The parameters include the vCenter server name, the cluster name, and the input CSV file that contains the filters to be applied.

Next, the script connects to the vCenter server using the Connect-VIServer cmdlet. It then verifies that the cluster name provided is valid by checking if it exists in the vCenter inventory.

Afterward, the script retrieves all ESXi hosts in the cluster using the Get-Cluster and Get-VMHost cmdlets. It then loops through each host and applies the log filters defined in the CSV file using the ESXCLI command.

The script checks whether each filter is already applied to avoid adding duplicates. If a filter is not applied, the script adds it using the ESXCLI command. It then checks whether log filtering is enabled on the host and enables it if necessary.

Finally, the script reloads syslog to apply the changes and disconnects from the vCenter server using the Disconnect-VIServer cmdlet.
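Because every accepted entry permanently drops messages on every host in the cluster, it is worth checking the filter list before it is pushed. The following is an added example, not part of the original script: a hypothetical helper `Test-LogFilterEntry` that assumes each entry uses VMware's `numLogs | ident | logRegexp` layout, where `numLogs` of 0 filters all matching messages, and flags malformed entries as well as catch-all filters that silence a whole component.

```powershell
# Added example, not part of the original script.
# Assumes each entry uses the "numLogs | ident | logRegexp" layout shown in the CSV.
function Test-LogFilterEntry {
    param([Parameter(Mandatory = $true)][string]$Entry)

    $issues = @()
    $broad  = $false
    # Split into at most three fields so a '|' inside the regex stays intact
    $parts = $Entry -split '\|', 3
    if ($parts.Count -ne 3) {
        $issues += 'expected three fields separated by |'
    }
    else {
        $numLogs = $parts[0].Trim()
        $ident   = $parts[1].Trim()
        $pattern = $parts[2].Trim()

        $count = 0
        if (-not [int]::TryParse($numLogs, [ref]$count) -or $count -lt 0) {
            $issues += "numLogs '$numLogs' is not a non-negative integer"
        }
        if ([string]::IsNullOrWhiteSpace($ident)) { $issues += 'ident is empty' }

        # .NET regex is used as an approximation; ESXi evaluates the pattern itself
        try { [void][regex]::new($pattern) }
        catch { $issues += 'logRegexp does not compile' }

        # numLogs 0 with a catch-all pattern silences the whole component
        $broad = ($issues.Count -eq 0) -and ($count -eq 0) -and
                 ($pattern -match '^\^?\.[*+]\$?$')
    }
    [pscustomobject]@{
        Valid  = ($issues.Count -eq 0)
        Broad  = $broad
        Issues = ($issues -join '; ')
        Entry  = $Entry
    }
}

# The two entries from the page plus two constructed bad ones
$entries = @(
    '0 | * | .*PowerFlex blkScsiCmd_UnmapWithSize:391 :Error: Unmap called with result larger than buffer: Opcode UNMAP',
    '0 | vsansystem | .*',
    'five | hostd | .*timeout',   # constructed: numLogs is not a number
    '0 | hostd | (unclosed'       # constructed: regex does not compile
)
$entries | ForEach-Object { Test-LogFilterEntry -Entry $_ } | Format-List
```

Entries reported with `Broad = True`, such as the page's `vsansystem` filter, are intentional here but deserve a second look, since nothing from that component will reach the Syslog server afterwards.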


Log filtering is an essential feature in system management, but it can be time-consuming to configure manually. Automating the process with PowerShell can save time and reduce the risk of errors. The script we discussed today simplifies log filter configuration on ESXi hosts in a VMware vCenter cluster, making it easier to manage and monitor logs.
