Security Audit – Syslog Collector

Centralized logging can be done by deploying a syslog server and using it to collect and manage logs. An easy option is to install the syslog server bundled with the vCenter installation; in this post I'll walk through configuration on a Windows box and discuss some of the caveats of this approach.

The install itself is straightforward and has been blogged about elsewhere.

What is important from an audit perspective is retention. On the syslog server, check what values are configured for log size and rotation in %PROGRAMDATA%\VMware\VMware Syslog Collector\vmconfig-syslog.xml, then check the dates of the logs stored on the syslog server to see the retention period you are actually getting.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2021652

For example, if the default setting in the VMware Syslog Collector is 8 x 2 MB (eight rotated files of 2 MB, so 16 MB per host), how many days or weeks are actually being retained? If you have a couple of service accounts that are constantly logging in and out, VADP backups, etc., you might find you are nowhere near the sort of retention you need. And keep in mind it doesn't matter what you set on the host: once the log is sent to syslog, the collector is boss, and the values on the collector are what matter.

The Windows version of VMware Syslog Collector doesn't seem to zip older files, so if you set vmconfig-syslog.xml to retain 100 x 25 MB you are storing 2500 MB of files per host; multiply that by your number of hosts and it starts to grow. You might think that's a crazy amount of logs; unfortunately it's not. We have hosts that get through two or three 25 MB logs a day, yes, poor integration with 3rd party tools, but that's life.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322
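The retention check described above, as an added example that is not part of the original post: it walks the collector's per-host data folders, measures what is on disk and how fast it grows, and projects how many days the configured rotate x size budget would hold at that rate. The Data path and the one-folder-per-host layout are assumptions about a default Windows install; the rotate and size values are parameters you copy from vmconfig-syslog.xml (the defaults below are the 8 x 2 MB quoted in the post).

```powershell
# Added example, not from the original post. Assumes the default install path
# and that the collector writes each ESXi host's logs into its own sub-folder
# under Data\ (both assumptions; adjust -DataRoot if your layout differs).
function Get-SyslogRetentionReport {
    param(
        [string]$DataRoot  = (Join-Path $env:ProgramData 'VMware\VMware Syslog Collector\Data'),
        # Rotation count and per-file size (MB) as configured in vmconfig-syslog.xml
        [int]$Rotate    = 8,
        [int]$MaxSizeMB = 2
    )

    # Total space the collector will keep per host before it discards the oldest file
    $budgetMB = $Rotate * $MaxSizeMB

    Get-ChildItem -Path $DataRoot -Directory | ForEach-Object {
        $hostDir = $_
        $files   = @(Get-ChildItem -Path $hostDir.FullName -File -Recurse)
        if ($files.Count -eq 0) { return }

        $oldest  = ($files | Measure-Object -Property LastWriteTime -Minimum).Minimum
        $newest  = ($files | Measure-Object -Property LastWriteTime -Maximum).Maximum
        $totalMB = ($files | Measure-Object -Property Length -Sum).Sum / 1MB

        # Window covered by what is still on disk. Floor it at one day so a host
        # that only started logging an hour ago does not produce a silly rate.
        $spanDays = [Math]::Max(($newest - $oldest).TotalDays, 1)
        $mbPerDay = $totalMB / $spanDays

        # Days the rotate x size budget lasts at this host's observed rate
        $estimatedDays = if ($mbPerDay -gt 0) { $budgetMB / $mbPerDay } else { [double]::PositiveInfinity }

        [pscustomobject]@{
            Host          = $hostDir.Name
            Files         = $files.Count
            OnDiskMB      = [Math]::Round($totalMB, 1)
            Oldest        = $oldest
            Newest        = $newest
            RetainedDays  = [Math]::Round($spanDays, 1)
            MBPerDay      = [Math]::Round($mbPerDay, 2)
            BudgetMB      = $budgetMB
            EstimatedDays = [Math]::Round($estimatedDays, 1)
        }
    }
}

# Usage: flag every host whose projected retention is under what the audit requires
$requiredDays = 90
Get-SyslogRetentionReport -Rotate 8 -MaxSizeMB 2 |
    Where-Object { $_.EstimatedDays -lt $requiredDays } |
    Sort-Object EstimatedDays |
    Format-Table -AutoSize
```

RetainedDays is only the window currently on disk; on a host that has not yet filled its rotation budget it shows the time since logging started rather than steady-state retention, which is why EstimatedDays (budget divided by observed MB per day) is the number to compare against the retention period you need.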

Other approaches are to use the syslog service bundled with the vCenter Server Appliance (VCSA), or to install a Linux server and configure its syslog service.

Once the central syslog collector is ready each host needs to be configured to send logs to the collector.

A simple one-liner can be used to set it, and a second to read it back:

Set-VMHostSysLogServer -SysLogServer <collector IP:port> -VMHost <esxHost>

Get-VMHostSysLogServer -VMHost <esxHost>

For multiple servers, here are a couple of simple scripts.

Set-SyslogCollector

[code language="powershell"]
Write-Host "------------------------------------------------------------------" `n
Write-Host "Set Syslog setting on multiple hosts by cluster" -ForegroundColor Yellow
Write-Host "Syslog server and port are hard coded into the script" -ForegroundColor White
Write-Host "This will make changes on all hosts in the chosen cluster" `n -ForegroundColor White
Write-Host "------------------------------------------------------------------"
Write-Host ""

# List the clusters so the operator can pick one
Get-Cluster | Select Name
Write-Host "----------------------------------------------------------"

# Select hosts by cluster
$cluster = Read-Host "On which cluster do you want to set the syslog server ?"
$esxhosts = Get-Cluster $cluster | Get-VMHost

# Hardcoded syslog host and port
$SysLogServerVar = "<syslog server ip:port>"

Write-Host "esxserver, syslogServer"
Write-Host "----------------------------------------------------------"
foreach ($esxhost in $esxhosts) {
    # Point the host at the collector (writes Syslog.global.logHost)
    Set-VMHostSysLogServer -SysLogServer $SysLogServerVar -VMHost $esxhost

    # Reload the syslog service so the new target takes effect immediately
    $esxcli = Get-EsxCli -VMHost $esxhost
    $esxcli.system.syslog.reload()
    Write-Output "$esxhost, $SysLogServerVar"
}
[/code]

Get-SyslogCollector

[code language="powershell"]
Write-Host "------------------------------------------------------------------" `n
Write-Host "Get Syslog setting on multiple hosts by cluster" -ForegroundColor White
Write-Host "------------------------------------------------------------------"
Write-Host ""

$cluster = Read-Host "On which cluster do you want to check the syslog server?"

$esxhosts = Get-Cluster $cluster | Get-VMHost

Write-Host " " `n
Write-Host "esxserver, syslogHost, syslogPort"
Write-Host "----------------------------------------------------------"
foreach ($esxhost in $esxhosts) {
    # Get-VMHostSysLogServer returns one object per configured target,
    # so a host with several targets prints several lines
    $syslogObjs = @(Get-VMHostSysLogServer -VMHost $esxhost)
    if ($syslogObjs.Count -eq 0) {
        # A host with no target configured is the one the audit cares about most
        Write-Output "$esxhost, <none>, <none>"
        continue
    }
    foreach ($syslogObj in $syslogObjs) {
        Write-Output "$esxhost, $($syslogObj.Host), $($syslogObj.Port)"
    }
}
[/code]
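The two scripts above set and list the target; what an audit also needs is a pass/fail check that every host points at the expected collector and that the ESXi firewall actually lets the traffic out. The following is an added example, not part of the original post: it reads Syslog.global.logHost and the host's "syslog" firewall exception for every host (or one cluster) and reports the ones that are not compliant. It assumes an existing Connect-VIServer session; the collector address passed as -Expected is a placeholder.

```powershell
# Added example, not from the original post. Assumes PowerCLI with an active
# Connect-VIServer session; '<collector ip>' below is a placeholder.

function ConvertTo-NormalizedSyslogTarget {
    param([string]$Target)
    # ESXi treats a target with no protocol prefix as udp://, so drop that
    # prefix and lower-case the rest so 'udp://HOST:514' and 'host:514' compare equal
    ($Target.Trim() -replace '^udp://', '').ToLowerInvariant()
}

function Test-SyslogCompliance {
    param(
        # Target as written in Syslog.global.logHost, e.g. 'udp://<collector ip>:514'.
        # ESXi also accepts tcp:// and ssl:// targets; plain UDP is unauthenticated
        # and fire-and-forget, so for an audit trail prefer one of those where the
        # collector supports it.
        [Parameter(Mandatory = $true)][string]$Expected,
        # Optional cluster name; all hosts in the inventory when omitted
        [string]$Cluster
    )

    $want  = ConvertTo-NormalizedSyslogTarget $Expected
    $hosts = if ($Cluster) { Get-Cluster $Cluster | Get-VMHost } else { Get-VMHost }

    foreach ($h in $hosts) {
        # The raw advanced setting, which may hold a comma-separated list of targets
        $logHost = (Get-AdvancedSetting -Entity $h -Name 'Syslog.global.logHost').Value
        $targets = @()
        if ($logHost) {
            $targets = @($logHost -split ',' | ForEach-Object { ConvertTo-NormalizedSyslogTarget $_ })
        }

        # Outbound syslog is blocked unless the host's 'syslog' firewall exception is enabled
        $fw = Get-VMHostFirewallException -VMHost $h -Name 'syslog'

        $targetOk = $targets -contains $want
        $fwOk     = [bool]$fw.Enabled

        [pscustomobject]@{
            Host             = $h.Name
            LogHost          = $logHost
            TargetConfigured = $targetOk
            FirewallEnabled  = $fwOk
            Compliant        = ($targetOk -and $fwOk)
        }
    }
}

# Usage: show only the hosts that need attention
Test-SyslogCompliance -Expected 'udp://<collector ip>:514' |
    Where-Object { -not $_.Compliant } |
    Format-Table -AutoSize
```

A host that fails on FirewallEnabled will look fine in Get-VMHostSysLogServer output but will never deliver a line to the collector, which is exactly the gap a retention review on the collector side would otherwise miss.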