VMware Cloud Community
rfs42
Contributor
Contributor
‎05-26-2015 10:01 AM

How to audit datastore access

I've always assumed that VMWare would audit datastore access like VMDK downloads and copies.  But having run some tests on ESXi 5.5 with vCenter we don't believe anything is being recorded by syslog or in the Events or Tasks tables.  I can't believe that something as critical to security as copies and downloads of virtual disks would not be audited. 

I also don't see anything logged when mounting ISOs or local devices for VM CD-ROMs.  Another big security event.

Can anyone one tell me if this is logged anywhere?  Can you show me examples or direct me where to find it?

4 Replies
CoolRam
Expert
Expert
‎05-26-2015 10:44 AM

Once we configure the syslog server and we enable the logging in ESXi than everything get logged in the syslog server.

If you find any answer useful. please mark the answer as correct or helpful.
0 Kudos
rfs42
Contributor
Contributor
‎05-26-2015 11:16 AM

Actually, as I pointed out earlier.  This activity is NOT logged to syslog.  We know that much.  We are capturing the syslogs and there's no mention of the VMDK file name downloaded in tests.

JCMorrissey
Expert
Expert
‎05-27-2015 09:09 AM

Hi,

Just checking - did you enable "trivia (extended verbose)" logging to see if its picked up there?

See

VMware vSphere 5.1

Please consider marking as "helpful", if you find this post useful. Thanks!... http://johncmorrissey.wordpress.com/
0 Kudos
decool
Contributor
Contributor
‎02-08-2016 05:46 AM

There are any other Solutions? I want to Audit Downloads from my Datastores.

0 Kudos