3.3 (L1) Ensure remote logging is configured for ESXi hosts

Information

By default, ESXi logs are stored on a local scratch volume or ramdisk, where they are lost on reboot or if the host is compromised. To preserve logs, also configure remote logging to a central log host for the ESXi hosts.

Remote logging to a central log host provides a secure, centralized store for ESXi logs. You can more easily monitor all hosts with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server helps prevent log tampering and provides a long-term audit record.

Solution

To configure remote logging properly, perform the following from the vSphere web client:

- Select the host.
- Click Configure, expand System, then select Advanced System Settings.
- Select Edit, then enter Syslog.global.logHost in the filter.
- Set Syslog.global.logHost to the hostname or IP address of the central log server.
- Click OK.

Alternately, run the following PowerCLI command:

# Set Syslog.global.logHost for each host.
# Set-AdvancedSetting takes the setting object on the pipeline (it has no -VMHost or -Name parameter),
# so fetch the setting with Get-AdvancedSetting first and pipe it in.
Get-VMHost | Foreach { Get-AdvancedSetting -Entity $_ -Name Syslog.global.logHost | Set-AdvancedSetting -Value "<NewLocation>" -Confirm:$false }

Note: When setting a remote log host, it is also recommended to set the "Syslog.global.logDirUnique" to true. You must configure the syslog settings for each host.
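The following PowerCLI script is an added example, not part of the CIS benchmark text. It audits every host in the inventory for the two settings discussed above (Syslog.global.logHost and Syslog.global.logDirUnique), reports which hosts are non-compliant, and only changes anything when -Remediate is passed. The vCenter name vcenter.example.com and the collector URL tcp://syslog.example.com:514 are placeholders; substitute the real collector (the udp://, tcp:// or ssl:// prefix selects the transport ESXi uses to ship the logs).

```powershell
# Added example (not from the CIS benchmark page): audit and optionally remediate
# remote syslog configuration on all ESXi hosts managed by a vCenter.
# Placeholders: vcenter.example.com and tcp://syslog.example.com:514.

param(
    [string]$VIServer = 'vcenter.example.com',          # placeholder vCenter
    [string]$LogHost  = 'tcp://syslog.example.com:514', # placeholder central log host
    [switch]$Remediate                                  # default: report only, change nothing
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VIServer | Out-Null

$findings = foreach ($vmhost in Get-VMHost) {
    $logHost   = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost').Value
    $dirUnique = (Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDirUnique').Value

    # Syslog.global.logHost may hold a comma-separated list of targets; the host is
    # compliant only if the expected central log host is among them.
    $targets   = @()
    if (-not [string]::IsNullOrWhiteSpace($logHost)) {
        $targets = $logHost -split ',' | ForEach-Object { $_.Trim() }
    }
    $compliant = $targets -contains $LogHost

    [pscustomobject]@{
        Host         = $vmhost.Name
        LogHost      = $logHost
        LogDirUnique = [bool]$dirUnique
        Compliant    = $compliant
    }
}

# Audit report: every host with its current values and compliance state
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant -or -not $_.LogDirUnique }) {
        $vmhost = Get-VMHost -Name $f.Host
        # Set-AdvancedSetting takes the setting object on the pipeline
        Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost' |
            Set-AdvancedSetting -Value $LogHost -Confirm:$false | Out-Null
        # Per-host subdirectories on the log target, as the note above recommends
        Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logDirUnique' |
            Set-AdvancedSetting -Value $true -Confirm:$false | Out-Null
        Write-Output "Remediated $($f.Host)"
    }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it without -Remediate first to see the audit table; the same script can then be scheduled as a drift check so that a host whose logHost has been cleared or pointed elsewhere shows up as non-compliant rather than silently logging only to local scratch.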

See Also

https://workbench.cisecurity.org/benchmarks/15334