Title

The ESXi host must offload logs via syslog. (Cat II impact)

Discussion

Remote logging to a central log host provides a secure, centralized store for ESXi logs. By gathering host log files onto a central host, it can more easily monitor all hosts with a single tool. It can also do aggregate analysis and searching to look for such things as coordinated attacks on multiple hosts. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record. Satisfies: SRG-OS-000342-VMM-001230, SRG-OS-000274-VMM-000960, SRG-OS-000275-VMM-000970, SRG-OS-000277-VMM-000990, SRG-OS-000479-VMM-001990

Check Content

From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Select the "Syslog.global.logHost" value and verify it is set to a site-specific syslog server. Syslog servers are specified in the following formats: udp://<IP or FQDN>:514 tcp://<IP or FQDN>:514 ssl://<IP or FQDN>:1514 Multiple servers can also be specified when separated by commas. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost If the "Syslog.global.logHost" setting is not set to a valid, site-specific syslog server, this is a finding.

Fix Text

From the vSphere Client, go to Hosts and Clusters. Select the ESXi Host >> Configure >> System >> Advanced System Settings. Click "Edit". Select the "Syslog.global.logHost" value and configure it to a site-specific syslog server. or From a PowerCLI command prompt while connected to the ESXi host, run the following command: Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logHost | Set-AdvancedSetting -Value "enter site specific servers"

Additional Identifiers

Rule ID: SV-258744r1015921_rule

Vulnerability ID: V-258744

Group Title: SRG-OS-000342-VMM-001230

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.