The VMM must support the capability to centrally review and analyze audit records from multiple components within the system by configuring remote logging.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-63477 | ESXI-06-100004 | SV-77967r1_rule | Medium |
| Description |
|---|
| Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record. |
| STIG | Date |
|---|---|
| VMware vSphere ESXi 6.0 Security Technical Implementation Guide | 2019-01-04 |
Details
| Check Text ( C-64227r1_chk ) |
|---|
| From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname. or From a PowerCLI command prompt while connected to the ESXi host run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding. |
| Fix Text (F-69407r1_fix) |
|---|
| From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host run the following commands: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value " |