PHTN-67-000040 - The Photon operating system must configure rsyslog to offload system logs to a central server.

Information

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Proper configuration of rsyslog ensures that information critical to forensic analysis of security events is available for future action without any manual offloading or cron jobs.

Satisfies: SRG-OS-000205-GPOS-00083, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107, SRG-OS-000479-GPOS-00224

Solution

Open /etc/vmware-syslog/syslog.conf with a text editor.

Remove any existing content and create a new remote server configuration line.

For UDP (*.* or AO approved logging events):

*.* @<syslog server>:port;RSYSLOG_syslogProtocol23Format

For TCP (*.* or AO approved logging events):

*.* @@<syslog server>:port;RSYSLOG_syslogProtocol23Format

OR

Navigate to https://<hostname>:5480 to access the VAMI.

Authenticate and navigate to 'Syslog Configuration'.

Click 'Edit' in the top right.

Configure a remote syslog server and click 'OK'.
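
One way to confirm the result of the manual procedure is to scan /etc/vmware-syslog/syslog.conf for a forwarding rule in the form shown above. The script below is an added example, not part of the STIG or the audit content; the function names classify_line and check_forwarding are hypothetical, and it treats a leftover '<syslog server>' or literal 'port' as an unedited template line.

```shell
#!/bin/sh
# Added example (not from the STIG): verify that an rsyslog config file
# contains a remote forwarding rule in the form this item prescribes.

# classify_line LINE -> prints tcp, udp, placeholder or other
classify_line() {
    line=$1
    set -f                 # no globbing while splitting (selector is "*.*")
    set -- $line           # $1 = selector, $2 = action
    set +f
    case $1 in
        ''|'#'*) echo other; return ;;      # blank line or comment
    esac
    case $2 in
        # template text copied without filling in server or port
        *'<'*|*':port;'*) echo placeholder ;;
        # "@@host:port" forwards over TCP
        @@[!@:]*:[0-9]*';RSYSLOG_syslogProtocol23Format') echo tcp ;;
        # "@host:port" forwards over UDP
        @[!@:]*:[0-9]*';RSYSLOG_syslogProtocol23Format') echo udp ;;
        *) echo other ;;
    esac
}

# check_forwarding FILE -> status 0 when at least one forwarding rule is
# present and no unedited template line remains
check_forwarding() {
    file=$1 fwd=0 bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        case $(classify_line "$l") in
            tcp|udp)     fwd=$((fwd + 1)) ;;
            placeholder) bad=$((bad + 1)) ;;
        esac
    done < "$file"
    echo "$file: forwarding rules=$fwd, unedited template lines=$bad"
    [ "$fwd" -ge 1 ] && [ "$bad" -eq 0 ]
}

# Default to the path named in this item; pass another file as $1 to test.
conf=${1:-/etc/vmware-syslog/syslog.conf}
if [ -r "$conf" ]; then
    check_forwarding "$conf"
else
    echo "cannot read $conf" >&2
fi
```

The check accepts any selector, since the item allows either *.* or an AO approved set of logging events.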

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-2(4), 800-53|AU-4(1), 800-53|SI-11a., CAT|II, CCI|CCI-001312, CCI|CCI-001683, CCI|CCI-001684, CCI|CCI-001685, CCI|CCI-001686, CCI|CCI-001851, Rule-ID|SV-239112r856041_rule, STIG-ID|PHTN-67-000040, Vuln-ID|V-239112

Plugin: Unix

Control ID: c8e4123ea961bb0b5b34c8fd57ad4d27f65b2ccc398a864f1b20898e27b935e5