8.7.1 (L1) Ensure the number of VM log files is configured properly

Information

Normally a new log file is created only when a host is rebooted, so the file can grow to be quite large. You can ensure that new log files are created more frequently by limiting the maximum size of the log files. If you want to restrict the total size of logging data, VMware recommends saving 10 log files, each one limited to 1 MB. Each time an entry is written to the log, the size of the log is checked; if it is over the limit, the next entry is written to a new log. If the maximum number of log files already exists, when a new one is created, the oldest log file is deleted.

Log files should be rotated to preserve log data in case of corruption or destruction of the current log file, and to avoid the likelihood of logging issues caused by an overly large log file.

Solution

To set this configuration utilize the vSphere interface as follows:

- Select the VM then select Actions followed by Edit Settings
- Click on the VM Options tab then expand Advanced
- Click on EDIT CONFIGURATION
- Click on ADD CONFIGURATION PARAMS then input log.keepOld with a value of 10
- Click OK then OK again.

To set the number of log files to be used to 10 run the following PowerCLI command:

# Add the setting to all VMs
Get-VM | New-AdvancedSetting -Name "log.keepOld" -value "10"

Impact:

A more extreme strategy is to disable logging altogether for the virtual machine. Disabling logging makes troubleshooting challenging and support difficult. Do not consider disabling logging unless the log file rotation approach proves insufficient.

See Also

https://workbench.cisecurity.org/benchmarks/15334

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: VMware

Control ID: 5e2db824992b035993ecbd254aca9427c2694dc1635e6936beadbbd6d03211cd