This blog post describes importing existing ESXi log files into vRealize Log Insight (LI). The logs can come from ESXi support bundles, or from simply copying the logs from /scratch/log or /var/run/log.

This is very useful for troubleshooting in environments that didn’t have a working syslog solution in place during a problem or an incident, but still has the logs available. It’s important to supply the command line argument –honor_timestamp to make sure the log entries get their correct time stamps. This requires authentication to LI using the –username and –password arguments.

The import script is run on a Windows client or server, where the logs are placed in a folder structure containing one folder per ESXi host, unzipped and imported to LI using the importer tool. The script is a work in progress, and will probably have to be modified slightly to fit all scenarios. At the moment it’s “good enough” for the customer troubleshooting that I’m currently doing.


  • Windows client or server containing the log files, divided into one folder per ESXi host (more info further down)
  • Downloaded and installed vRealize Log Insight Importer for Windows (current version can be downloaded here)
  • 7-Zip command line .exe for unzipping .gz logs (the importer is apparently able to handle .gz files, but for the moment we’ll roll with my original script) – (compatible version can be downloaded here)

Create a base folder (for example c:\temp\script – this will be set as %BASEDIR% in the script later). Copy the logs in subfolders under a folder named Logs. Make sure the folder structure is as the example below.

Copy the esx_manifest.ini from C:\Program Files (x86)\VMware\Log Insight Importer\manifests to your %BASEDIR%

Copy the script below and set your unique environment variables. Save it in your %BASEDIR% as Import-logs.cmd. My structure looks like this:


The Logs folder has one subfolder per ESXi host. It’s important that the folders are named using the actual host names, since the import script will pick up this name and set it as the ‘hostname’ attribute for all the log entries for this particular folder.

Each host folder contains the actual logs, either gzipped, unzipped or a mix of them both.



@echo off

set BASEDIR=C:\temp\script
set SEVENZIP="%BASEDIR%\7za.exe"
set LI-IMPORTER="C:\Program Files (x86)\VMware\Log Insight Importer\loginsight-importer.exe"
set LI-MANIFEST="%BASEDIR%\esx_manifest.ini"
set LI-SERVER=loginsight.lab.local
set LI-PASSWORD=P@ssword

for /f "tokens=*" %%F in ('dir /b /ad "%LOGDIR%"') do (
 cd "%LOGDIR%\%%F"
 echo Hostname: %%F
 %SEVENZIP% e *.gz -o"%LOGDIR%\%%F\var\run\log"
 copy *.log "%LOGDIR%\%%F\var\run\log"
 %LI-IMPORTER% --manifest %LI-MANIFEST% --source . --tags "{\"hostname\":\"%%F\"}" --server %LI-SERVER% --honor_timestamp --username admin --password %LI-PASSWORD%

Perform a test run with only one folder in the Logs folder, and if it goes well, copy the rest of the folders and re-run the script. Remember that there is no way (AFAIK) to delete the log data once it’s imported.


The LI Importer saves its logs in %USERPROFILE%\AppData\Local\VMware\Log Insight Importer\log, but for some reason it echoes every log entry in its own log, so the logs rotate off very quickly, and become rather unusable as soon as the import process has started.


After the import has finished, you’ll hopefully be able to start analyzing the logs. There is one rather annoying thing left to solve, and that’s that the event_type field doesn’t get populated. so there is no way to summarize or filter using Event Types:


You are though still able to filter and summarize the other fields, such as hostname (which we just populated manually), text, appname etc:



I hope this script helps you. If you have any suggestions for modifications, let me know using the comments below.

[EDIT]: In the esx_manifest.ini file, find the line:


and change it to