I've always assumed that VMWare would audit datastore access like VMDK downloads and copies. But having run some tests on ESXi 5.5 with vCenter we don't believe anything is being recorded by syslog or in the Events or Tasks tables. I can't believe that something as critical to security as copies and downloads of virtual disks would not be audited.
I also don't see anything logged when mounting ISOs or local devices for VM CD-ROMs. Another big security event.
Can anyone one tell me if this is logged anywhere? Can you show me examples or direct me where to find it?
Once we configure the syslog server and we enable the logging in ESXi than everything get logged in the syslog server.
Actually, as I pointed out earlier. This activity is NOT logged to syslog. We know that much. We are capturing the syslogs and there's no mention of the VMDK file name downloaded in tests.
Just checking - did you enable "trivia (extended verbose)" logging to see if its picked up there?