
ESX Server log files are not reviewed daily.


Finding ID: V-15841
Version: ESX0420
Rule ID: SV-16782r1_rule
IA Controls: ECAT-1, ECAT-2
Severity: Medium
Logs form a recorded history, or audit trail, of ESX Server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together information if an investigation is required. Without this recorded history, potential attacks and suspicious activity will go unnoticed. The ESX Server log files that are critical to record are:

VMkernel: records activities related to the virtual machines and the ESX Server.
VMkernel warnings: records warnings raised by the VMkernel for the virtual machines.
VMkernel summary: used to determine uptime and availability statistics for the ESX Server.
ESX Server host agent: contains information on the agent that manages and configures the ESX Server host; this log may assist in diagnosing connection problems.
Virtual machines: each virtual machine's log contains information recorded when that virtual machine crashes or shuts down abnormally.
VI Client agent: the agent is installed on each managed ESX Server, and this log records all of its activities.
Web Access: records web-based access to the ESX Server. This log is important to review because web-based access to the ESX Server should be disabled, so any entries in it are unexpected.
Service console: contains all general log messages used to troubleshoot virtual machines or the ESX Server.
Authentication: records connections that require authentication.
VMware ESX 3 Policy 2016-05-03


Check Text (C-16187r1_chk)
Ask the IAO/SA how often they review the ESX Server log files listed below:

VMkernel warnings:
VMkernel summary:
ESX Server host agent log:
Individual virtual machine logs:
VI Client agent log:
Web access:
Service console:
Authentication log:

Caveat: If the log files are being written to a syslog server, work with the system administrator to verify they are being reviewed there.

If the IAO/SA does not review them daily, this is a finding.
Fix Text (F-15795r1_fix)
Review ESX Server log files daily.
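The following is an added example of a daily review helper for the ESX 3 service console; it is not part of the STIG or of VMware's own tooling. It walks the log files named in the discussion, flags any that are missing or have not been written to in the last 24 hours (a logger that has stopped is itself a finding worth chasing), counts failed authentication attempts in the authentication log, and, for the caveat in the check text, reports any remote syslog targets so the reviewer knows to perform the same review on the collector. The file paths in ESX_LOGS and the message patterns for failed logins are assumptions based on common ESX 3.x and RHEL-style service console defaults and must be verified on the host.

```shell
#!/bin/sh
# Added example (not from the STIG or VMware): daily log review helper for the
# ESX 3 service console. Paths below are ASSUMED ESX 3.x defaults; verify them.
# Override with: ESX_LOGS="/path/a /path/b" sh esx_log_review.sh

ESX_LOGS="${ESX_LOGS:-/var/log/vmkernel /var/log/vmkwarning /var/log/vmksummary \
/var/log/vmware/hostd.log /var/log/vmware/vpx/vpxa.log /var/log/messages /var/log/secure}"

# Count failed authentication attempts in a /var/log/secure style log.
# Patterns are the usual sshd/PAM/login messages (assumed; adjust to the host).
# Prints 0 when the file is missing or unreadable.
count_auth_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -i -E 'failed password|authentication failure|FAILED LOGIN' "$1" || true
}

# True (exit 0) when FILE is missing or has not been modified in more than
# MAXMIN minutes. A silent log usually means the logger stopped, not a quiet host.
log_stale() {
    [ -f "$1" ] || return 0
    find "$1" -mmin "+$2" 2>/dev/null | grep -q .
}

# Print remote syslog targets ("@host" actions) from a syslog.conf, one per line;
# prints nothing when there is no forwarding or the file is unreadable.
syslog_targets() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | awk '$2 ~ /^@/ { sub(/^@/, "", $2); print $2 }' | sort -u
}

# The daily review: presence, size and freshness of every log, the failed-login
# count, and a reminder to review the remote collector if forwarding is on.
daily_review() {
    for f in $ESX_LOGS; do
        if [ ! -r "$f" ]; then
            printf '%-36s MISSING (verify path, or check the syslog server)\n' "$f"
            continue
        fi
        if log_stale "$f" 1440; then
            status="STALE: no writes in 24h"
        else
            status="ok"
        fi
        printf '%-36s %8s lines  %s\n' "$f" "$(wc -l < "$f" | tr -d ' ')" "$status"
    done
    printf 'Failed authentication attempts in /var/log/secure: %s\n' \
        "$(count_auth_failures /var/log/secure)"
    targets=$(syslog_targets /etc/syslog.conf)
    if [ -n "$targets" ]; then
        printf 'Logs are forwarded to: %s  (review them there as well)\n' "$targets"
    fi
}

daily_review
```

Run it from cron (or by hand) once a day on each host and keep the output with the review record; on a host that forwards to syslog, point ESX_LOGS at the collector's copies and run it there instead.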