Security Audit – ESXi Persistent logging Overview

By default, the logs on VMware ESXi are stored only in an in-memory file system (the scratch location on a ramdisk), so they are lost when the host reboots.
There are two options for keeping logs so that a dedicated record of server activity is available for each host:

  • Persistent logging to local or shared storage (datastore)
  • Configure the syslog service to send logs to a remote syslog server over the network


At least one of these options should be configured. Some newer servers ship with only SD/SSD boot cards and no local disk, so they will need syslog; hardware with a local disk can use a local scratch location. A third option is to place the scratch location on a shared storage device.*

There is a valid argument for using a remote syslog server and also saving logs to local disk. If either the network or the storage goes down you lose the logs, and since those are usually the components involved in a large-scale outage, you will want local logs for the post-mortem. The other scenario is a failure of local hardware, especially disk controllers or a failed RAID array; we had an issue like this years ago and of course there were never any logs, because they were kept on the local disks.

* Take into account permissions on shared storage


The following PowerCLI command shows, for a single host, whether logging is saved to disk (the scratch location) and/or sent over the network to a syslog server:

Get-AdvancedSetting -Entity <host name> -Name Syslog.global.logHost,Syslog.global.logDir,ScratchConfig* | Select Name,Value


This can also be checked from the host's configuration in vCenter.


For multiple hosts, save the following as Get-VMhostGlobalLog.ps1:

[code language="powershell"]
# Every host in the connected vCenter/ESXi inventory
$Scope = Get-VMHost
foreach ($VMHost in $Scope) {
    # Remote syslog target and the current scratch location for this host
    Get-AdvancedSetting -Entity $VMHost -Name Syslog.global.logHost,ScratchConfig.CurrentScratchLocation |
        Select-Object Entity,Name,Value | Format-Table -AutoSize
}
[/code]


If you want a list you can copy into Excel, remove `| Format-Table -AutoSize`; it is only there to make the output easier to read.
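The script above lists the raw settings; the audit rule stated earlier (at least one of persistent scratch or remote syslog must be configured) still has to be applied by eye. The following function, an added example that is not part of the original post, evaluates that rule per host and returns one object per host so non-compliant hosts can be sorted or exported. It assumes an existing PowerCLI session (Connect-VIServer already run), and it assumes that a scratch location under /tmp is the in-memory ramdisk while anything under /vmfs/volumes is a datastore that survives reboot; adjust the test if your environment uses a different layout.

```powershell
# Added audit example (not from the original post). Flags hosts that have
# neither a persistent scratch location nor a remote syslog target.
# Assumes an existing PowerCLI session (Connect-VIServer already run).
function Test-VMHostPersistentLogging {
    param(
        # Hosts to check; defaults to every host in the connected inventory
        [Parameter(ValueFromPipeline = $true)]
        $VMHost = (Get-VMHost)
    )
    process {
        foreach ($h in $VMHost) {
            $settings = Get-AdvancedSetting -Entity $h `
                -Name 'Syslog.global.logHost', 'ScratchConfig.CurrentScratchLocation'
            $scratch = ($settings | Where-Object Name -eq 'ScratchConfig.CurrentScratchLocation').Value
            $logHost = ($settings | Where-Object Name -eq 'Syslog.global.logHost').Value

            # Assumption: /tmp/... is the ramdisk scratch; /vmfs/volumes/... is a datastore.
            $scratchPersistent = [bool]($scratch -and $scratch -notlike '/tmp/*')
            # An empty logHost means no remote syslog target is configured.
            $syslogConfigured  = [bool]($logHost -and $logHost.Trim() -ne '')

            [PSCustomObject]@{
                Host              = $h.Name
                ScratchLocation   = $scratch
                ScratchPersistent = $scratchPersistent
                SyslogHost        = $logHost
                SyslogConfigured  = $syslogConfigured
                # Rule from the post: at least one of the two options must be in place
                Compliant         = ($scratchPersistent -or $syslogConfigured)
            }
        }
    }
}

# Usage: non-compliant hosts sort to the top; pipe to Export-Csv for a report
Test-VMHostPersistentLogging | Sort-Object Compliant, Host | Format-Table -AutoSize
```

Hosts showing Compliant = False have only the in-memory log and will lose their record on the next reboot or crash, which is exactly the evidence an incident review needs most.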


Hypervisor Persistent logging to Disk

First apply the suggested Create persistent scratch log on ESXi

Then see the blog Persistent logging size and rotation to Disk