3.3 Ensure remote logging is configured for ESXi hosts

Information

By default, ESXi logs are stored on a local scratch volume or ramdisk. To preserve logs, also configure remote logging to a central log host for the ESXi hosts.

Rationale:

Remote logging to a central log host provides a secure, centralized store for ESXi logs. You can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and provides a long-term audit record.

Solution

To configure remote logging properly, perform the following from the vSphere web client:

Select the host and click 'Configure' -> 'System' -> 'Advanced System Settings'.

Enter Syslog.global.logHost in the filter.

Make sure Syslog.global.logHost is highlighted, then click the pencil icon.

Set Syslog.global.logHost to the hostname or IP address of the central log server.

Click 'OK'.

Alternately, run the following PowerCLI command:

# Set Syslog.global.logHost for each host
# Set-AdvancedSetting takes the setting object from Get-AdvancedSetting; it has no -VMHost parameter
Get-VMHost | Foreach { Get-AdvancedSetting -Entity $_ -Name Syslog.global.logHost | Set-AdvancedSetting -Value '<NewLocation>' }

Note: When setting a remote log host, it is also recommended to set 'Syslog.global.logDirUnique' to true. You must configure the syslog settings for each host.
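
To verify the result across all hosts, the following PowerCLI audit reports the two settings named in this item. It is an added example, not part of the benchmark text. It assumes an active Connect-VIServer session, and $ExpectedLogHost is a placeholder that must be written exactly as the target appears in the setting.

```powershell
# Added example: audit the two syslog settings from this item on every ESXi host.
# Assumes an active Connect-VIServer session. $ExpectedLogHost is a placeholder.
$ExpectedLogHost = '<NewLocation>'

$report = foreach ($vmhost in Get-VMHost) {
    $logHost   = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
    $dirUnique = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDirUnique').Value

    # Syslog.global.logHost may hold several comma-separated targets.
    $targets = @("$logHost" -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Classify the host: an empty or unexpected log host fails, a non-unique log dir warns.
    $finding = if ($targets.Count -eq 0) {
        'FAIL: no remote log host configured'
    } elseif ($targets -notcontains $ExpectedLogHost) {
        'FAIL: expected log host not present'
    } elseif ("$dirUnique" -ne 'True') {
        'WARN: Syslog.global.logDirUnique is not true'
    } else {
        'PASS'
    }

    [pscustomobject]@{
        Host         = $vmhost.Name
        LogHost      = $targets -join ','
        LogDirUnique = $dirUnique
        Finding      = $finding
    }
}

$report | Sort-Object Finding, Host | Format-Table -AutoSize

# A non-zero exit code lets a scheduled job or pipeline flag configuration drift.
if ($report | Where-Object { $_.Finding -like 'FAIL*' }) { exit 1 }
```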

References:

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-9F67DB52-F469-451F-B6C8-DAE8D95976E7.html

See Also

https://workbench.cisecurity.org/files/2816

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2), CSCv7|6.2, CSCv7|6.3

Plugin: VMware

Control ID: a51620f704fdc3f9ef95232dcda1f9142e9aabeded12bad319464eb4e5f7fae1