
Ensure persistent logging is configured for all ESXi hosts

Details

ESXi can be configured to store log files on an in-memory file system. This occurs when the host's Syslog.global.logDir property is set to a non-persistent location, such as /scratch. When this is done, only a single day's worth of logs is stored at any time. Additionally, log files will be reinitialized upon each reboot.

Rationale:

Non-persistent logging presents a security risk because user activity logged on the host is only stored temporarily and will not be preserved across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host logging should always be configured to a persistent datastore.

Solution

To configure persistent logging properly, perform the following from the vSphere web client:

Select the host.

Click Configure, then expand System, then select Advanced System Settings.

Select Edit, then enter Syslog.global.logDir in the filter.

Set Syslog.global.logDir to a persistent location specified as [datastorename] path_to_file where the path is relative to the datastore. For example, [datastore1] /systemlogs.

Click OK.

Alternatively, run the following PowerCLI command:

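# Set Syslog.global.logDir for each host.
# Replace the placeholder with a persistent location, e.g. "[datastore1] /systemlogs".
Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir | Set-AdvancedSetting -Value "<persistent-log-location>"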
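
An audit counterpart to the remediation above, as an added example that is not part of the benchmark text: it classifies each host's Syslog.global.logDir value so hosts still logging to /scratch stand out. The function name, the classification rules and the sample host names are assumptions made for illustration.

```powershell
# Added example, not benchmark text. The rules below are illustrative assumptions.
function Test-LogDirPersistence {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][AllowEmptyString()][string]$LogDir
    )
    $status = 'Review'
    $reason = 'not in "[datastorename] path_to_file" form'
    # Form given in the remediation step: "[datastorename] path_to_file"
    if ($LogDir -match '^\[(?<ds>[^\]]*)\]\s*(?<path>\S.*)$') {
        $ds   = $Matches['ds'].Trim()
        $path = $Matches['path']
        if ($ds) {
            # A named datastore means the path is relative to that datastore.
            $status = 'Persistent'
            $reason = "path is relative to datastore '$ds'"
        } elseif ($path -match '^/scratch(/|$)') {
            # The control names /scratch as a non-persistent location.
            $status = 'NonPersistent'
            $reason = 'no datastore named and path is under /scratch'
        } elseif ($path -match '^/vmfs/volumes/[^/]+') {
            $status = 'Persistent'
            $reason = 'absolute path on a mounted volume'
        } else {
            $reason = 'no datastore named; confirm where the path resides'
        }
    }
    [pscustomobject]@{ VMHost = $HostName; LogDir = $LogDir; Status = $status; Reason = $reason }
}

# Constructed sample values; the host names are made up.
$samples = @(
    @{ HostName = 'esx01.example.test'; LogDir = '[] /scratch/log' },
    @{ HostName = 'esx02.example.test'; LogDir = '[datastore1] /systemlogs' },
    @{ HostName = 'esx03.example.test'; LogDir = '[] /vmfs/volumes/datastore1/logs' },
    @{ HostName = 'esx04.example.test'; LogDir = '' }
)
$report = foreach ($s in $samples) { Test-LogDirPersistence @s }
$report | Format-Table -AutoSize

# Against a connected vCenter, feed real values instead of the samples:
# Get-VMHost | Get-AdvancedSetting -Name Syslog.global.logDir |
#     ForEach-Object { Test-LogDirPersistence -HostName $_.Entity.Name -LogDir $_.Value }
```

Hosts reported as Review need a manual look at where the configured path actually resides before they are counted as compliant.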

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following categories of controls within NIST 800-53: Audit and Accountability, System and Information Integrity. This control applies to the following type of system: VMware.

References

Source

Updated on July 16, 2022