We are attempting to start collecting from our first ESXi host and getting the logs to logstash is any easy process however, our goal is to take multiple log source types (asa, cisco switch, esxi, etc.) all on the common syslog UDP or TCP 514 port. We would like to have the ability to tag each of these as unique sources. With esxi we cannot find a unique string or pattern to identify it as ESXi specific. The logs from esxi seem to be generic syslog events with nothing to distinguish them as esxi.
A solution to this could be using different ports and identifying them this way. However, is there any documentation or way of recognizing an esxi source through the raw syslog?