The ESXi host must centrally review and analyze audit records from multiple components within the system by configuring remote logging.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-239330	ESXI-67-100004	SV-239330r674919_rule		Medium

Description
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record. Satisfies: SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280

Description

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record. Satisfies: SRG-OS-000051-VMM-000230, SRG-OS-000058-VMM-000270, SRG-OS-000059-VMM-000280

STIG	Date
VMware vSphere 6.7 ESXi Security Technical Implementation Guide	2021-03-17

Details

Check Text ( C-42563r674917_chk )
From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.logHost If the "Syslog.global.logHost" value is not set to a site-specific syslog server, this is a finding.

Check Text ( C-42563r674917_chk )

From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings.

Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host, run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the "Syslog.global.logHost" value is not set to a site-specific syslog server, this is a finding.

Fix Text (F-42522r674918_fix)
From the vSphere Client, select the ESXi host and go to Configuration >> Advanced Settings. Select the "Syslog.global.logHost" value and configure it to a site-specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host, run the following commands: Get-VMHost \| Get-AdvancedSetting -Name Syslog.global.logHost \| Set-AdvancedSetting -Value ""