VCSA-70-000148 - The vCenter Server must be configured to send logs to a central log server.

Information

vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a security incident or to assist in troubleshooting.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Open the VAMI by navigating to https://<vCenter server>:5480.

Log in with local operating system administrative credentials or with an SSO account that is a member of the 'SystemConfiguration.BashShellAdministrator' group.

Select 'Syslog' on the left navigation pane.

On the resulting pane on the right, click 'Edit' or 'Configure'.

Edit or add the address and port of a site-specific syslog aggregator or Security Information Event Management (SIEM) system with the appropriate protocol.

User Datagram Protocol (UDP) is discouraged due to its stateless and unencrypted nature. Transport Layer Security (TLS) is preferred.

Click 'Save'.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_7-0_Y24M01_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-256339r885628_rule, STIG-ID|VCSA-70-000148, Vuln-ID|V-256339

Plugin: VMware

Control ID: e486a3e4cb6e4353820b76ffd58bb6e7f0db0cdf11e72ccfa3c1677d0d3ca7aa