VCSA-70-000280 - The vCenter server must be configured to send events to a central log server.

Information

vCenter server generates volumes of security-relevant application-level events. Examples include logins, system reconfigurations, system degradation warnings, and more. To ensure these events are available for forensic analysis and correlation, they must be sent to the syslog and forwarded on to the configured Security Information and Event Management (SIEM) system and/or central log server.

The vCenter server sends events to syslog by default, but this configuration must be verified and maintained.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

From the vSphere Client, go to Host and Clusters.

Select a vCenter Server >> Configure >> Settings >> Advanced Settings.

Click 'Edit Settings' and configure the 'vpxd.event.syslog.enabled' setting to 'true'.

or

From a PowerCLI command prompt while connected to the vCenter server, run the following command:

Get-AdvancedSetting -Entity <vcenter server name> -Name vpxd.event.syslog.enabled | Set-AdvancedSetting -Value true

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-256360r885691_rule, STIG-ID|VCSA-70-000280, Vuln-ID|V-256360

Plugin: VMware

Control ID: f235f4d2943e7432cda6ff25fc0525399606bcf8bbe9279903bfaadd41436849