syslog (port 10514) firewall configuration for vSphere

README

goal
----

The goal is send syslog traffic to a remote host and use unpriviledged ports;
so that I can have my logstash (http://logstash.net/) server not need to
run as root. On vSphere 5.1, tcp 1514 is covered by the syslog rule, but
in my case udp is preferred.

installation
------------

scp the xml file into /etc/vmware/firewall

# reload firewall settings from disk
esxcli network firewall unload
esxcli network firewall load

# enable the outbound syslog traffic on port 10514
esxcli network firewall ruleset set  -e true -r syslogPort10514
# (optional) disable outbound traffic on default port
esxcli network firewall ruleset set  -e false -r syslog

# configure remote syslog host. AFAIK, when using tcp, it does not reopen
# a connection if the connection drops, which happens when bringing
# e.g. logstash server down and back up; so use UDP.
esxcli system syslog config set --loghost udp://someipaddress:10514

# reload configuration
esxcli system syslog reload

# test message
esxcli system syslog mark -s "test log"

syslogPort10514.xml

<!-- /etc/vmware/firewall/syslogPort10514.xml -->
<!-- remote syslog configuration -->
<ConfigRoot>
  <service>
    <id>syslogPort10514</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>udp</protocol>
      <porttype>dst</porttype>
      <port>10514</port>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>10514</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

Thank you! Solved Problem!