Information
It is critical for the appropriate personnel to be aware if an ESXi host is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected.
To ensure the appropriate personnel are alerted if an audit failure occurs, a vCenter alarm can be created to trigger when an ESXi host can no longer reach its syslog server.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
From the vSphere Client, go to Hosts and Clusters >> select a vCenter Server >> Configure >> More >> Alarm Definitions.
Click 'Add'.
Provide an alarm name and description.
Select 'Hosts' from the 'Target type' dropdown menu.
Click 'Next'.
Paste 'esx.problem.vmsyslogd.remote.failure' in the line after IF and press 'Enter'.
Select 'Show as Warning' for severity.
Click 'Next'.
Configure any other options as desired, enable alarm, and finish.
Note: This alarm will only trigger if syslog is configured for TCP or SSL connections and not UDP.