ESXI-67-000004 - Remote logging for ESXi hosts must be configured.

Information

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.

Satisfies: SRG-OS-000032-VMM-000130, SRG-OS-000342-VMM-001230, SRG-OS-000479-VMM-001990

Solution

From the vSphere Client, select the ESXi host and go to Configure >> System >> Advanced System Settings.

Click 'Edit', select the 'Syslog.global.logHost' value, and configure it to a site-specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value '<syslog server hostname>'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y22M04_STIG.zip

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-17(1), 800-53|AU-4(1), CAT|II, CCI|CCI-000067, CCI|CCI-001851, Rule-ID|SV-239261r674712_rule, STIG-ID|ESXI-67-000004, Vuln-ID|V-239261

Plugin: VMware

Control ID: 102722bc22a849a3d5248716fc0a347c037e160a15a4edcf31e843627f25319e