3.2 Ensure persistent logging is configured for all ESXi hosts

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

ESXi can be configured to store log files on an in-memory file system. This occurs when the host's Syslog.global.logDir property is set to a non-persistent location, such as /scratch. When this is done, only a single day's worth of logs is stored at any time. Additionally, log files will be reinitialized upon each reboot.

Rationale:

Non-persistent logging presents a security risk because user activity logged on the host is only stored temporarily and will not be preserved across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.

Solution

To configure persistent logging properly, perform the following from the vSphere web client:

1. Select the host.

2. Click Configure, then expand System, then select Advanced System Settings.

3. Select Edit, then enter Syslog.global.logDir in the filter.

4. Set Syslog.global.logDir to a persistent location specified as [datastorename] path_to_file, where the path is relative to the datastore. For example, [datastore1] /systemlogs.

5. Click OK.

Alternatively, run the following PowerCLI command:

# Set Syslog.global.logDir for each host
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value '<NewLocation>'
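To check the current state before or after remediation, the following added example (not part of the benchmark text) reads Syslog.global.logDir from every host and parses it against the [datastorename] path_to_file form described above. The function names Test-PersistentLogDir and Get-LogDirAudit are hypothetical, the sample values are constructed, and the rule that only a value naming a datastore in brackets counts as persistent is an assumption drawn from that format.

```powershell
# Added example: classify a Syslog.global.logDir value by the
# "[datastorename] path_to_file" form (assumed rule: a named datastore = persistent).
function Test-PersistentLogDir {
    param([string]$Value)
    if ($Value -match '^\[(?<ds>[^\]]*)\]\s*(?<path>\S.*)$') {
        $ds = $Matches['ds'].Trim()
        [pscustomobject]@{
            Datastore  = $ds
            Path       = $Matches['path']
            # Empty brackets name no datastore, so the value is flagged for review.
            Persistent = ($ds.Length -gt 0)
        }
    } else {
        # No bracketed datastore at all (bare path or empty value).
        [pscustomobject]@{ Datastore = ''; Path = $Value; Persistent = $false }
    }
}

# Report the setting for every host; call this after Connect-VIServer.
function Get-LogDirAudit {
    Get-VMHost | ForEach-Object {
        $setting = Get-AdvancedSetting -Entity $_ -Name 'Syslog.global.logDir'
        $result  = Test-PersistentLogDir ([string]$setting.Value)
        [pscustomobject]@{
            Host       = $_.Name
            LogDir     = $setting.Value
            Datastore  = $result.Datastore
            Persistent = $result.Persistent
        }
    }
}

# Offline check of the classifier with constructed sample values.
'[datastore1] /systemlogs', '[] /scratch/log', '/scratch/log', '' |
    ForEach-Object { Test-PersistentLogDir $_ } |
    Format-Table -AutoSize

# With an active vCenter or host session, list the hosts that need attention:
# Get-LogDirAudit | Where-Object { -not $_.Persistent }
```

Only the first sample value is reported as persistent; the other three are flagged because they name no datastore.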

See Also

https://workbench.cisecurity.org/files/3473