ESXi: esxi-8.logs-persistent

Information

Configure a persistent log location for all locally stored logs on the ESXi host.

ESXi can be configured to store log files on an in-memory file system. This happens when the host's "/scratch" directory is linked to "/tmp/scratch". In that state only a single day's worth of logs is retained at any time, and the log files are reinitialized on every reboot. This is a security risk: user activity logged on the host is stored only temporarily and does not persist across reboots. It also complicates auditing and makes it harder to monitor events and diagnose issues. It is therefore recommended to direct ESXi host logging to a persistent datastore.

You can detect whether the scratch volume is temporary or persistent by querying the ScratchConfig.CurrentScratchLocation advanced parameter. If the query returns "/tmp/scratch", the volume is temporary and you should remap the audit record storage to a persistent device. The persistent location cannot be a vSAN datastore unless Syslog.global.vsanBacking is set, which has its own caveats and dependencies.

If your only local, non-vSAN storage is SD or USB media (which can become unreliable under the repeated writes generated by logging), consider leaving the logs in the ramdisk and ensuring that a remote logging host is configured instead. Document the decision and its rationale in preparation for future audits.

Solution

Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.logDir | Set-AdvancedSetting -Value "<PERSISTENT LOCATION>"
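The following PowerCLI function is an added example, not part of the Tenable plugin or the VMware hardening guide. It ties together the detection step described above (query ScratchConfig.CurrentScratchLocation), the vSAN caveat (Syslog.global.vsanBacking), the remote-logging fallback (Syslog.global.logHost) and the remediation command from the Solution, and returns one report object per host so the result can be kept as audit evidence. It assumes an open PowerCLI session (Connect-VIServer already run) and that the caller supplies a persistent target in the "[datastore] /path" form; the function name, its parameters and the output fields are my own.

```powershell
# Added example (not from the Tenable plugin or VMware guidance).
# Assumes Connect-VIServer has already been run. Function name, parameters
# and output fields are assumptions of this example.

# Read one ESXi advanced setting as a string; "" when the setting is absent.
function Get-EsxiSettingValue {
    param($VMHost, [string]$Name)
    $s = Get-AdvancedSetting -Entity $VMHost -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $s) { return '' }
    return [string]$s.Value
}

function Test-EsxiPersistentLogs {
    param(
        [Parameter(Mandatory)] $VMHost,     # one or more objects from Get-VMHost
        [string]$PersistentLogDir,          # e.g. "[datastore1] /logs" (constructed value)
        [switch]$Remediate                  # change Syslog.global.logDir only when set
    )

    foreach ($h in $VMHost) {
        $findings    = @()
        $scratch     = Get-EsxiSettingValue $h 'ScratchConfig.CurrentScratchLocation'
        $logDir      = Get-EsxiSettingValue $h 'Syslog.global.logDir'
        $logHost     = Get-EsxiSettingValue $h 'Syslog.global.logHost'
        $vsanBacking = Get-EsxiSettingValue $h 'Syslog.global.vsanBacking'

        # Detection step from the control text: /tmp/scratch means a ramdisk.
        $temporary = ($scratch -eq '/tmp/scratch')
        if ($temporary) {
            $findings += 'Scratch is in-memory (/tmp/scratch); local logs do not survive a reboot'
        }
        if ([string]::IsNullOrWhiteSpace($logDir)) {
            $findings += 'Syslog.global.logDir is not set'
        }
        elseif ($logDir -match '^\[(?<ds>[^\]]+)\]') {
            # vSAN caveat: a vSAN-backed log directory needs Syslog.global.vsanBacking.
            $ds = Get-Datastore -VMHost $h -Name $Matches['ds'] -ErrorAction SilentlyContinue
            if ($ds -and $ds.Type -eq 'vsan' -and $vsanBacking -ine 'true') {
                $findings += "logDir is on vSAN datastore '$($ds.Name)' without Syslog.global.vsanBacking"
            }
        }
        # If local logs are not persistent, a remote syslog target is the fallback.
        if ($temporary -and [string]::IsNullOrWhiteSpace($logHost)) {
            $findings += 'Logs are not persistent locally and no remote log host (Syslog.global.logHost) is configured'
        }

        # Remediation mirrors the Solution command; only runs on request.
        $action = 'none'
        if ($Remediate -and $temporary -and -not [string]::IsNullOrWhiteSpace($PersistentLogDir)) {
            Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logDir' |
                Set-AdvancedSetting -Value $PersistentLogDir -Confirm:$false | Out-Null
            $action = "Syslog.global.logDir set to $PersistentLogDir"
        }

        [pscustomobject]@{
            Host            = $h.Name
            ScratchLocation = $scratch
            LogDir          = $logDir
            RemoteLogHost   = $logHost
            Compliant       = ($findings.Count -eq 0)
            Findings        = ($findings -join '; ')
            Action          = $action
        }
    }
}

# Usage: audit every connected host, then export the evidence for the audit file.
# Test-EsxiPersistentLogs -VMHost (Get-VMHost) | Format-Table -AutoSize
# Test-EsxiPersistentLogs -VMHost (Get-VMHost) | Export-Csv esxi-log-persistence.csv -NoTypeInformation
# Remediate a single host (constructed target datastore and path):
# Test-EsxiPersistentLogs -VMHost (Get-VMHost -Name $ESXi) -PersistentLogDir '[datastore1] /logs' -Remediate
```

Run the function without -Remediate first: hosts whose only local storage is SD or USB media should appear as non-compliant on the scratch check but be left on the ramdisk, with a remote log host configured and the decision recorded, as the Information section advises.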

See Also

https://github.com/vmware/vcf-security-and-compliance-guidelines/raw/refs/heads/main/security-configuration-hardening-guide/vsphere/8.0/

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CCI|CCI-001849

Plugin: VMware

Control ID: 2ac0b76367f0045a086fbc8c8730634fae1e4c6063153f571789c8edaa47f706