The NSX Distributed Firewall must off-load audit records onto a centralized log server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-69151	VNSX-FW-000090	SV-83755r1_rule		Medium

Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. This does not apply to audit logs generated on behalf of the device itself (management).

STIG	Date
VMware NSX Distributed Firewall Security Technical Implementation Guide	2016-06-27

Details

Check Text ( C-69589r1_chk )
Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. If this setting does not specify the appropriate syslog server on each ESXi host, this is a finding.

Check Text ( C-69589r1_chk )

Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter.

Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server.

If this setting does not specify the appropriate syslog server on each ESXi host, this is a finding.

Fix Text (F-75337r2_fix)
Log into vSphere Web Client with credentials authorized for administration, navigate and select the ESXi host and click "Manage" >> "Advanced System Settings", and enter "Syslog.global.logHost" in the filter. Verify the correct setting for "Syslog.global.logHost" to the hostname of your syslog server. Verify each ESXi host is set to a remote syslog server.