ESXI-06-000004 - Remote logging for ESXi hosts must be configured.

Information

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.

Solution

From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value '<insert syslog server hostname>'

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMware_vSphere_6-0_ESXi_V1R5_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-17(1), CAT|II, CCI|CCI-000067, Group-ID|V-63177, Rule-ID|SV-77667r1_rule, STIG-ID|ESXI-06-000004, Vuln-ID|V-63177

Plugin: VMware

Control ID: 8d44877c8b1a10589d8d9980503f076ef97af4f052cf9b469a304b5feedbe138