Security Audit – ESXi log retention

Hypervisor Retention of Logs on Disk

Logs are not retained for a period of time but according to size: once a log reaches X size, a number is appended to it and a new log is created. The number of logs saved is the rotation count: 16 rotations = 16 logs saved.

For hypervisor logs saved to disk, rotation and size are set on the hosts to the default size of 10240 KB and 16 rotations; rotation for security-specific logs is increased to 36 rotations. A specific time period cannot be specified. This is to prevent denial-of-service attacks, as the logs cannot fill the disk. However, if you have an issue that writes heavily to the logs, you could find you are only keeping a couple of days or weeks rather than months.

Some of the standard Linux logs are not available in ESXi, and which logs exist varies depending on version. Create an internal standard for suggested size and rotation, then check back after a few months to be sure you are saving enough information.
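One way to do the check-back described above, as an added example that is not part of the original post: it takes the times at which one log's rotated copies were closed and estimates how many days a given size and rotation count really cover. The function name, the sample timestamps and the 90-day target are assumptions made for illustration.

```python
import math
from datetime import datetime, timedelta


def estimate_retention(rotation_times, size_kb, rotations, target_days):
    """Estimate how many days of history a size/rotation setting keeps.

    rotation_times: datetimes at which rotated copies of one log were closed.
    Each gap between two rotations is the time it took to write size_kb.
    """
    times = sorted(rotation_times)
    if len(times) < 2:
        raise ValueError("need at least two rotated files to measure a write rate")
    span_days = (times[-1] - times[0]).total_seconds() / 86400
    if span_days <= 0:
        raise ValueError("rotation timestamps must span a positive interval")
    kb_per_day = size_kb * (len(times) - 1) / span_days
    covered_days = rotations * size_kb / kb_per_day
    return {
        "kb_per_day": kb_per_day,
        "covered_days": covered_days,
        "meets_target": covered_days >= target_days,
        # Two ways to reach the target: keep more files, or make each larger.
        "rotations_needed": math.ceil(target_days * kb_per_day / size_kb),
        "size_kb_needed": math.ceil(target_days * kb_per_day / rotations),
    }


# Constructed sample: a noisy log that rotated every 6 hours, 8 times in a row.
SAMPLE_ROTATIONS = [datetime(2024, 1, 1) + timedelta(hours=6 * i) for i in range(8)]
TARGET_DAYS = 90  # assumed internal standard, not a value from the post

if __name__ == "__main__":
    # 10240 KB with 16 and 36 rotations are the settings named in the post.
    for label, rotations in (("default", 16), ("security", 36)):
        r = estimate_retention(SAMPLE_ROTATIONS, 10240, rotations, TARGET_DAYS)
        print(f"{label}: {r['covered_days']:.1f} days kept, "
              f"target met: {r['meets_target']}, "
              f"needs {r['rotations_needed']} rotations "
              f"or {r['size_kb_needed']} KB per file")
```

Feed it the modification times of the numbered copies of a single log on the host; a log that rotates rarely will need a longer observation period before the estimate is meaningful.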


