3.4 Configure remote logging for ESXi hosts

Information

By default, ESXi logs are stored on a local scratch volume or a ramdisk. Logs held in a ramdisk
do not survive a reboot, and logs kept only on the host can be altered or deleted by anyone who
compromises that host. To preserve them, configure centralized logging for the ESXi hosts.

Rationale

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By
gathering host log files onto a central host you can monitor all hosts with a single tool, and
you can run aggregate analysis and searches to look for such things as coordinated attacks on
multiple hosts. Because the copy on the log server is outside the control of the host that
produced it, centralized logging also helps prevent log tampering and provides a long-term
audit record.

Solution

Perform the following:

1. Install/enable a syslog host (for example, vSphere Syslog Collector).
2. From the vSphere Web Client, select the host and click 'Manage' -> 'Advanced System
Settings'.
3. Enter Syslog.global.logHost in the filter.
4. Set Syslog.global.logHost to the hostname of your syslog server.

To implement the recommended configuration state, run the following PowerCLI command:

# Set Syslog.global.logHost for each host
Get-VMHost | Foreach { Set-VMHostAdvancedConfiguration -VMHost $_ -Name Syslog.global.logHost -Value '<NewLocation>' }

The value takes the form protocol://hostname:port (udp://, tcp:// or ssl://); several
destinations can be given as a comma-separated list. Prefer ssl:// where the collector supports
it, so that log traffic cannot be read or altered in transit, and make sure the host firewall
permits outbound syslog traffic to the collector.

Note: When setting a remote log host it is also recommended to set 'Syslog.global.logDirUnique'
to true. You must configure the syslog settings for each host. The host syslog parameters can
also be configured using the vCLI or PowerCLI, or using an API client.
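The following PowerCLI script is an added example and is not part of the benchmark text. It carries the procedure above through end to end: it audits every host for the two syslog settings, remediates the ones that do not match, enables the host firewall 'syslog' rule so the traffic can actually leave the host, and reloads the syslog service so the change takes effect without a reboot. It uses Get-AdvancedSetting/Set-AdvancedSetting, which current PowerCLI releases provide in place of the older Set-VMHostAdvancedConfiguration shown above. The collector address, port and vCenter name are placeholders; an existing PowerCLI session (Connect-VIServer) is assumed.

```powershell
# Added example (not from the benchmark): enforce and verify remote syslog on ESXi hosts.
# Assumes the VMware.PowerCLI module is installed and Connect-VIServer has already been run.
# 'ssl://syslog.example.com:1514' is a placeholder collector; udp:// and tcp:// are also valid.

$Desired = @{
    'Syslog.global.logHost'      = 'ssl://syslog.example.com:1514'
    'Syslog.global.logDirUnique' = $true
}

function Get-SyslogCompliance {
    # Return one record per host with the current values and a Compliant flag.
    param([Parameter(Mandatory)] $VMHosts)
    foreach ($h in $VMHosts) {
        $logHost   = (Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logHost').Value
        $dirUnique = (Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logDirUnique').Value
        [pscustomobject]@{
            Host         = $h.Name
            LogHost      = $logHost
            LogDirUnique = $dirUnique
            # Compare as lower-case strings so a Boolean or a 'true'/'false' string both work.
            Compliant    = ("$logHost" -eq $Desired['Syslog.global.logHost']) -and
                           ("$dirUnique".ToLower() -eq 'true')
        }
    }
}

function Set-SyslogRemoteLogging {
    # Bring each host to the desired state; only touch settings that differ.
    param([Parameter(Mandatory)] $VMHosts)
    foreach ($h in $VMHosts) {
        foreach ($name in $Desired.Keys) {
            $setting = Get-AdvancedSetting -Entity $h -Name $name
            if ("$($setting.Value)".ToLower() -ne "$($Desired[$name])".ToLower()) {
                $setting | Set-AdvancedSetting -Value $Desired[$name] -Confirm:$false | Out-Null
            }
        }
        # Outbound syslog is dropped by the host firewall unless the 'syslog' rule is enabled.
        Get-VMHostFirewallException -VMHost $h -Name 'syslog' |
            Where-Object { -not $_.Enabled } |
            Set-VMHostFirewallException -Enabled $true | Out-Null
        # Tell vmsyslogd to re-read its configuration so the new destination is used at once.
        $esxcli = Get-EsxCli -VMHost $h -V2
        $esxcli.system.syslog.reload.Invoke() | Out-Null
    }
}

# Usage: audit, remediate the non-compliant hosts, then audit again.
# Connect-VIServer 'vcenter.example.com'   # placeholder vCenter
$hosts = Get-VMHost
Get-SyslogCompliance -VMHosts $hosts | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
Set-SyslogRemoteLogging -VMHosts ($hosts | Where-Object {
    -not (Get-SyslogCompliance -VMHosts $_).Compliant })
Get-SyslogCompliance -VMHosts $hosts | Format-Table -AutoSize
```

Run the audit function on its own first; it only reads settings. After remediation, confirm on the collector that each host's messages are arriving before trusting the result, since a host that accepts the setting but cannot reach the collector still reports as compliant here.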

Default Value: The prescribed state is not the default state.

See Also

https://workbench.cisecurity.org/files/902

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-9(2)

Plugin: VMware

Control ID: 9c21a4824f1227d8cae726b7c85383e55dd640288235611455311224f39b499c