Information
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs.
Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224
Solution
Open /etc/vmware-syslog/syslog.conf with a text editor.
Remove any existing content and create a new remote server configuration line.
For UDP (*.* or AO approved logging events):
*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format
For TCP (*.* or AO approved logging events):
*.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format
OR
Navigate to https://<hostname>:5480 to access the VAMI.
Authenticate and navigate to 'Syslog Configuration'.
Click 'Edit' in the top right.
Configure a remote syslog server and click 'OK'.