3.2 (L1) Ensure persistent logging is configured for all ESXi hosts

Information

ESXi can be configured to store log files on an in-memory file system. This occurs when the host's Syslog.global.logDir property is set to a non-persistent location, such as /scratch. When this is done, only a single day's worth of logs is stored at any time. Additionally, log files will be reinitialized upon each reboot.

Non-persistent logging presents a security risk because user activity logged on the host is only stored temporarily and will not be preserved across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.

Solution

To configure persistent logging properly, perform the following from the vSphere web client:

- Select the host
- Click Configure, then expand System, then select Advanced System Settings
- Select Edit, then enter Syslog.global.logDir in the filter
- Set Syslog.global.logDir to a persistent location specified as [datastorename] path_to_file where the path is relative to the datastore. For example, [datastore1] /systemlogs.
- Click OK

Alternatively, run the following PowerCLI command:

# Set Syslog.global.logDir for each host (-Confirm:$false suppresses the per-host prompt)
Get-VMHost | Foreach-Object { Get-AdvancedSetting -Entity $_ -Name Syslog.global.logDir | Set-AdvancedSetting -Value "<NewLocation>" -Confirm:$false }
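
To check the setting across hosts, the following audit is an added example, not part of the benchmark text. It assumes the VMware PowerCLI module and an existing Connect-VIServer session; the function names Test-PersistentLogDir and Get-LogDirAudit are hypothetical, and treating an empty datastore name or a bare path as non-compliant is this example's assumption.

```powershell
# Added example: audit Syslog.global.logDir on every host.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.

function Test-PersistentLogDir {
    # $true only when the value has the "[datastorename] path" form described
    # above. An empty datastore name ("[] ...") or a bare path is treated as
    # non-compliant (assumption of this example).
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { return $false }
    return $Value -match '^\[[^\[\]]+\]\s*\S+'
}

function Get-LogDirAudit {
    param([Parameter(ValueFromPipeline)]$VMHost)
    process {
        $setting = Get-AdvancedSetting -Entity $VMHost -Name 'Syslog.global.logDir'
        $dsName  = if ($setting.Value -match '^\[([^\[\]]+)\]') { $Matches[1] } else { $null }

        # A well-formed value is not enough: the named datastore must also be
        # visible to this host, otherwise the log directory cannot be used.
        $dsFound = $false
        if ($dsName) {
            $dsFound = [bool](Get-Datastore -RelatedObject $VMHost -Name $dsName -ErrorAction SilentlyContinue)
        }

        [pscustomobject]@{
            Host      = $VMHost.Name
            LogDir    = $setting.Value
            Datastore = $dsName
            Compliant = (Test-PersistentLogDir $setting.Value) -and $dsFound
        }
    }
}

# Constructed sample values, checked offline without a vCenter connection:
'[datastore1] /systemlogs', '[] /scratch/log', '/scratch/log', '' |
    ForEach-Object { '{0,-28} -> {1}' -f "'$_'", (Test-PersistentLogDir $_) }

# Against live hosts (non-compliant hosts sort first):
# Get-VMHost | Get-LogDirAudit | Sort-Object Compliant | Format-Table -AutoSize
```

A Compliant value of True only shows that the value is well formed and the datastore is mounted; whether that datastore survives a reboot still has to be confirmed for the environment.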

See Also

https://workbench.cisecurity.org/benchmarks/15334