ESXI-67-100004 - The ESXi host must centrally review and analyze audit records from multiple components within the system by configuring remote logging.

Information

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.

Satisfies: SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280

Solution

From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings.

Select the 'Syslog.global.logHost' value and configure it to a site-specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value '<insert syslog server hostname>'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000154, CCI|CCI-000163, CCI|CCI-000164, Rule-ID|SV-239330r674919_rule, STIG-ID|ESXI-67-100004, Vuln-ID|V-239330

Plugin: VMware

Control ID: ac81ba29f5ef9773714930d5dd71cbbd0428f62deb5d789dda120c70275bc592