Detections
Analytics
ESXI-70-000004 - Remote logging for ESXi hosts must be configured.
Information
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts.Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
Satisfies: SRG-OS-000032-VMM-000130, SRG-OS-000342-VMM-001230, SRG-OS-000479-VMM-001990, SRG-OS-000059-VMM-000280, SRG-OS-000058-VMM-000270, SRG-OS-000051-VMM-000230
Solution
From the vSphere Client, go to Hosts and Clusters.Select the ESXi Host >> Configure >> System >> Advanced System Settings.
Click 'Edit'. Select the 'Syslog.global.logHost' value and configure it to a site-specific syslog server.
or
From a PowerCLI command prompt while connected to the ESXi host, run the following command:
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value '<syslog server hostname>'
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y25M04_STIG.zip
Item Details
Audit Name: DISA VMware vSphere 7.0 ESXi STIG v1r4 VMware
Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY
References: 800-53|AC-17(1), 800-53|AU-4(1), 800-53|AU-6(4), 800-53|AU-9, CAT|II, CCI|CCI-000067, CCI|CCI-000154, CCI|CCI-000163, CCI|CCI-000164, CCI|CCI-001851, Rule-ID|SV-256378r958406_rule, STIG-ID|ESXI-70-000004, Vuln-ID|V-256378
Plugin: VMware
Control ID: 2e56408fb7560cb15f9eeb659befeda17ec923c8e3ce3c3c706f2ac1434863f6