Security Audit – vCenter logs retention and extract

As vCenter access is an entry control point, failure to produce logon events will be a major failure in the audit.

vSphere vCenter should be configured to keep logs for at least 90 days, or longer if your stated policy requires it.

If you have a sizeable environment you will probably want to limit the size of the vCenter database: run a SQL report (or the Oracle equivalent) and check table usage, and if you are seeing a large volume of tasks and events, make sure the retention box is set under:

vCenter Inventory -> vCenter Server Settings -> Database Retention Policy


Besides this, check the backup retention policy on the vCenter database; be sure that a restore can be done that lets you look back at least 90 days.


Be ready to extract user access and actions on vCenter for your first meeting, typically for admin, generic and emergency accounts.

vCenter -> File -> Export Events: set the filter to User and Information (remove the others)

File name and path = /<path>/xxx.csv

Set the time = 91 days

Export events
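As an added example (not part of the original post), the same two checks done in PowerCLI instead of the client GUI: it reads the Database Retention Policy settings and flags any enabled limit shorter than 90 days, then exports Information-level events for the listed accounts over the last 91 days to a CSV file, matching the File -> Export Events filter above. The vCenter name, account names, output path and the 90-day threshold are placeholders; the advanced setting names event.maxAge, event.maxAgeEnabled, task.maxAge and task.maxAgeEnabled are the ones behind the retention dialog.

```powershell
# Added example, not from the original post. Requires the VMware.PowerCLI module and
# an account with read access to vCenter events and settings. The vCenter name, account
# list, output path and threshold below are placeholders to adjust for your environment.
param(
    [string]   $VCenter       = "vcenter.example.local",            # placeholder
    [string[]] $Accounts      = @("administrator@vsphere.local",   # placeholder admin account
                                  "svc-backup",                    # placeholder generic account
                                  "emergency-admin"),              # placeholder emergency account
    [int]      $RetentionDays = 90,                                # audit minimum from the post
    [string]   $OutFile       = "./vcenter-user-events.csv"        # placeholder path
)

Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server $VCenter -ErrorAction Stop

# --- Part 1: Database Retention Policy check ---------------------------------
# vCenter Server Settings -> Database Retention Policy is stored in these advanced
# settings: <kind>.maxAgeEnabled is the checkbox, <kind>.maxAge is the day count.
# With the checkbox off vCenter does not purge, so only an enabled limit shorter
# than the audit minimum is a finding.
$cfg = @{}
foreach ($s in Get-AdvancedSetting -Entity $vc -Name "event.maxAge*", "task.maxAge*") {
    $cfg[$s.Name] = $s.Value
}

$findings = foreach ($kind in "event", "task") {
    $enabled = [System.Convert]::ToBoolean("$($cfg["$kind.maxAgeEnabled"])")
    $days    = [int]$cfg["$kind.maxAge"]
    if ($enabled -and $days -lt $RetentionDays) {
        $status = "FINDING: below $RetentionDays days"
    } elseif (-not $enabled) {
        $status = "OK (no purge configured; watch database growth)"
    } else {
        $status = "OK"
    }
    [pscustomobject]@{ Setting = "$kind.maxAge"; Enabled = $enabled; Days = $days; Status = $status }
}
$findings | Format-Table -AutoSize

# --- Part 2: export user access and actions for the audit --------------------
# Equivalent of File -> Export Events with the filter set to User + Information
# and a 91-day window (one day past the retention minimum, as in the post).
$finish = Get-Date
$start  = $finish.AddDays(-($RetentionDays + 1))

$events = foreach ($acct in $Accounts) {
    # -Types Info corresponds to the "Information" filter; MaxSamples lifts the default cap of 100
    Get-VIEvent -Server $vc -Username $acct -Start $start -Finish $finish `
                -Types Info -MaxSamples ([int]::MaxValue)
}

$events |
    Select-Object CreatedTime,
                  UserName,
                  @{ Name = 'EventType'; Expression = { $_.GetType().Name } },
                  @{ Name = 'VM';        Expression = { $_.Vm.Name } },
                  @{ Name = 'Host';      Expression = { $_.Host.Name } },
                  FullFormattedMessage |
    Sort-Object CreatedTime |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Host ("Exported {0} events for {1} account(s) to {2}" -f @($events).Count, $Accounts.Count, $OutFile)

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it with `.\Export-VCenterAuditEvents.ps1 -VCenter <your vCenter> -Accounts <admin>,<generic>,<emergency>` from a PowerCLI session; keep the resulting CSV with the retention table output as the audit evidence, since the retention check proves the events could still exist and the export proves they do.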