Check: ESX1120
VMware ESX 3 Server: ESX1120 (in version v1 r2)
Title
ESX Server is not configured to maintain a specific number of log files via log rotation. (Cat II impact)
Discussion
Virtual machines can write troubleshooting information into a virtual machine log file (vmware.log) stored on the VMFS volume. Virtual machine users and processes may be configured to abuse the logging function, either intentionally or inadvertently, so that large amounts of data flood the log file. Over time, the log file can consume so much of the ESX Server’s file system space that it fills the hard disk, causing an effective denial of service on the ESX Server.
Check Content
1. Log in to VirtualCenter with the VI Client and select the virtual machine from the Inventory panel. The configuration page for the virtual machine appears with the Summary tab displayed.
2. Click Edit Settings.
3. Click Options > General and make a record of the path displayed in the virtual machine configuration file field.
4. At the ESX Server service console, change directories to access the virtual machine configuration file recorded in step 3.
5. Virtual machine configuration files are located in the /vmfs/volumes/(datastore) directory, where (datastore) is the name of the storage device on which the virtual machine files reside. In the example above, [vol1]vm-finance/vm-finance.vmx is located in /vmfs/volumes/vol1/vm-finance/.
6. To verify that the number of log files has been configured, perform the following:

    # grep -i log.keepOld (virtual machine name).vmx

If log.keepOld=(number of files to keep) is not configured to 6 or higher, this is a finding. The default number of files to keep is 6, where the oldest ones are deleted and new ones are created.
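Step 6 can be run over every virtual machine on a datastore at once. The script below is an added example, not part of the STIG: the function names are hypothetical, it assumes .vmx lines of the form key = "value", it reports an absent or non-numeric log.keepOld as a finding, and it runs against a constructed sample datastore rather than /vmfs/volumes.

```shell
#!/bin/sh
# Added example (not from the STIG): automate step 6 of the check.

# Print the last log.keepOld value found in a .vmx file, without quotes.
# Assumes .vmx lines of the form: key = "value" (keys case-insensitive).
keepold_value() {
    awk -F= 'tolower($1) ~ /^[ \t]*log\.keepold[ \t]*$/ {
                 v = $2; gsub(/[ \t"\r]/, "", v); last = v
             }
             END { if (last != "") print last }' "$1"
}

# Return 0 when log.keepOld is 6 or higher, 1 when it is a finding.
# Assumption: an absent or non-numeric value is reported as a finding.
check_keepold() {
    val=$(keepold_value "$1")
    case "$val" in
        ''|*[!0-9]*)
            echo "FINDING $1: log.keepOld not configured"; return 1 ;;
    esac
    if [ "$val" -ge 6 ]; then
        echo "OK      $1: log.keepOld=$val"
    else
        echo "FINDING $1: log.keepOld=$val (below 6)"; return 1
    fi
}

# Check every .vmx one level below a datastore path; return 1 on any finding.
audit_datastore() {
    rc=0
    for f in "$1"/*/*.vmx; do
        [ -f "$f" ] || continue
        check_keepold "$f" || rc=1
    done
    return $rc
}

# Constructed sample datastore so the script runs offline.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir "$DEMO/vm-finance" "$DEMO/vm-web" "$DEMO/vm-test"
printf 'displayName = "vm-finance"\nlog.keepOld = "10"\n' > "$DEMO/vm-finance/vm-finance.vmx"
printf 'displayName = "vm-web"\nLog.KeepOld = "3"\n' > "$DEMO/vm-web/vm-web.vmx"
printf 'displayName = "vm-test"\n' > "$DEMO/vm-test/vm-test.vmx"
audit_datastore "$DEMO" || echo "datastore has findings"
```

On a real host, call audit_datastore with the datastore path from step 5 in place of the sample directory.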
Fix Text
Configure the ESX Server to limit the number of logs retained.
Additional Identifiers
Rule ID: SV-16850r1_rule
Vulnerability ID: V-15908
Group Title: ESX Server is not configured for log rotation
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |