The vCenter Server must be configured to send logs to a central log server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-258925	VCSA-80-000148	SV-258925r934433_rule		Medium

Description
vCenter must be configured to send near real-time log data to syslog collectors so information will be available to investigators in the case of a security incident or to assist in troubleshooting.

STIG	Date
VMware vSphere 8.0 vCenter Security Technical Implementation Guide	2023-10-11

Details

Check Text ( C-62665r934431_chk )
Open the Virtual Appliance Management Interface (VAMI) by navigating to https://:5480. Log in with local operating system administrative credentials or with a Single Sign-On (SSO) account that is a member of the "SystemConfiguration.BashShellAdministrator" group. Select "Syslog" on the left navigation pane. On the resulting pane on the right, verify at least one site-specific syslog receiver is configured and is listed as "Reachable". If no valid syslog collector is configured or if the collector is not listed as "Reachable", this is a finding.

Check Text ( C-62665r934431_chk )

Open the Virtual Appliance Management Interface (VAMI) by navigating to https://:5480.

Log in with local operating system administrative credentials or with a Single Sign-On (SSO) account that is a member of the "SystemConfiguration.BashShellAdministrator" group.

Select "Syslog" on the left navigation pane.

On the resulting pane on the right, verify at least one site-specific syslog receiver is configured and is listed as "Reachable".

If no valid syslog collector is configured or if the collector is not listed as "Reachable", this is a finding.

Fix Text (F-62574r934432_fix)
Open the VAMI by navigating to https://:5480. Log in with local operating system administrative credentials or with an SSO account that is a member of the "SystemConfiguration.BashShellAdministrator" group. Select "Syslog" on the left navigation pane. On the resulting pane on the right, click "Edit" or "Configure". Edit or add the address and port of a site-specific syslog aggregator or Security Information Event Management (SIEM) system with the appropriate protocol. User Datagram Protocol (UDP) is discouraged due to its stateless and unencrypted nature. Transport Layer Security (TLS) is preferred. Click "Save".

Fix Text (F-62574r934432_fix)

Open the VAMI by navigating to https://:5480.

Log in with local operating system administrative credentials or with an SSO account that is a member of the "SystemConfiguration.BashShellAdministrator" group.

Select "Syslog" on the left navigation pane.

On the resulting pane on the right, click "Edit" or "Configure".

Edit or add the address and port of a site-specific syslog aggregator or Security Information Event Management (SIEM) system with the appropriate protocol.

User Datagram Protocol (UDP) is discouraged due to its stateless and unencrypted nature. Transport Layer Security (TLS) is preferred.

Click "Save".