
Rsyslog must be configured to monitor VAMI logs.


Overview

Finding ID: V-239722
Version: VCLD-67-000014
Rule ID: SV-239722r816793_rule
IA Controls:
Severity: Medium
Description
For performance reasons, rsyslog file monitoring is preferred over configuring VAMI to send events to a syslog facility. Without ensuring that logs are created, that rsyslog configs are created, and that those configs are loaded, the log file monitoring and shipping will not be effective. Satisfies: SRG-APP-000125-WSR-000071, SRG-APP-000358-WSR-000063, SRG-APP-000358-WSR-000163
STIG: VMware vSphere 6.7 VAMI-lighttpd Security Technical Implementation Guide
Date: 2022-01-03

Details

Check Text (C-42955r816792_chk)
Note: The below command must be run from a bash shell and not from a shell generated by the "appliance shell". Use the "chsh" command to change the shell for the account to "/bin/bash".

At the command prompt, execute the following command:

# grep -v "^#" /etc/vmware-syslog/stig-services-vami.conf

Expected result:

input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log"
Tag="vami-access"
Severity="info"
Facility="local0")

If the file does not exist, this is a finding.

If the output of the command does not match the expected result above, this is a finding.
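
The check above can be scripted so that a missing file and a content mismatch are reported as separate findings. The following is an added example, not part of the STIG: the function names, the exit codes and the whitespace tolerance are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: automates the Check Text comparison for VCLD-67-000014.
# Function names and exit codes are assumptions, not part of the STIG.

CONF_DEFAULT="/etc/vmware-syslog/stig-services-vami.conf"

# Expected non-comment content, copied from the check's "Expected result".
expected_vami_conf() {
cat <<'EOF'
input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log"
Tag="vami-access"
Severity="info"
Facility="local0")
EOF
}

# Drop lines starting with "#" (same effect as grep -v "^#"), then trim
# leading/trailing whitespace and blank lines. The trimming is an assumption:
# it keeps cosmetic differences from being reported as a finding.
normalize() {
    sed -e '/^#/d' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# Returns 0 = not a finding, 1 = content mismatch, 2 = file missing.
check_vami_rsyslog() {
    conf="${1:-$CONF_DEFAULT}"
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf does not exist"
        return 2
    fi
    actual=$(normalize < "$conf")
    want=$(expected_vami_conf | normalize)
    if [ "$actual" = "$want" ]; then
        echo "OK: $conf matches the expected imfile input"
        return 0
    fi
    echo "FINDING: $conf differs from the expected result"
    return 1
}
```

Run it from a bash shell on the appliance as `check_vami_rsyslog`, or pass a path to check a copy of the file.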
Fix Text (F-42914r679275_fix)
Navigate to and open /etc/vmware-syslog/stig-services-vami.conf.

Create the file if it does not exist.

Set the contents of the file as follows:

input(type="imfile" File="/opt/vmware/var/log/lighttpd/access.log"
Tag="vami-access"
Severity="info"
Facility="local0")