UCF STIG Viewer Logo

The VMM must off-load audit records onto a different system or media than the system being audited by configuring remote logging.


Overview

Finding ID Version Rule ID IA Controls Severity
V-63915 ESXI-06-400004 SV-78405r1_rule Medium
Description
Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and also provides a long-term audit record.
STIG Date
VMware vSphere ESXi 6.0 Security Technical Implementation Guide 2019-01-04

Details

Check Text ( C-64665r1_chk )
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and verify it is set to a site specific syslog server hostname.

or

From a PowerCLI command prompt while connected to the ESXi host run the following command:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost

If the Syslog.global.logHost setting is not set to a site specific syslog server, this is a finding.
Fix Text (F-69843r1_fix)
From the vSphere Client select the ESXi Host and go to Configuration >> Advanced Settings. Select the Syslog.global.logHost value and configure it to a site specific syslog server.

or

From a PowerCLI command prompt while connected to the ESXi host run the following commands:

Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value ""