Hi. We're doing a PCI DSS project, and we would like to get centralized logging (syslog, that is) for all attempts where users/admins mount virtual devices to the VMs, such as CD/DVD/ISO. I've tried looking in the local ESXi logs (vmkernel.log, vobd.log and such), but I can't see any log entries when mounting an ISO to a VM.
vCenter Server writes in its log "a ticket of type device has been acquired", but how do we get that to syslog?
Unfortunately vCenter, at least the Windows one, does not support sending its logs to a syslog server. I think it's not available out-of-the-box in the Linux-based vCenter Appliance either, but you can certainly configure the underlying Linux OS to send logs to some syslog destination.
The closest you can get would be configuring SNMP traps for specific events in vCenter and having the SNMP trap destination deal with logging that or forwarding it to a syslog host.
There are 3rd party Windows syslog agents too, which you could configure to monitor the relevant vCenter logfiles.
I've tried looking in the local ESXi logs (vmkernel.log, vobd.log and such), but I can't see any log entries when mounting an ISO to a VM.
The hostd log file actually contains some information regarding such events:
Mounting an ISO:
2013-12-10T11:40:21.136+01:00 Hostd [2AFE1B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=87c4e36a-a9] Ticket issued for device service to user: vpxuser
Console Connection:
2013-12-10T11:38:14.396+01:00 Hostd [FFCE5B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=e5b881c4-60] Ticket issued for mks service to user: vpxuser
This doesn't identify the actual user, but it should be possible to correlate it with the vCenter logs if needed.
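As an added example (not from the thread or from VMware), here is the kind of log-file watcher the file-to-syslog agents mentioned above would run over hostd.log: it picks out the "Ticket issued for ... service" lines, maps the ticket type to what it means for the audit trail (device = virtual device such as CD/DVD/ISO connected, mks = console session), keeps the opID so the record can be matched against vCenter's own logs, flags vpxuser as a proxied action whose real user must be resolved on the vCenter side, and renders the result as an RFC 5424 syslog message. The sample lines are constructed from the two excerpts above plus one filler line; the hostname, the structured-data ID (using the documentation enterprise number 32473) and the choice of facility are assumptions, and the script does not itself transmit anything.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample input modelled on the two hostd.log excerpts quoted in
# the answer above; the third line is filler (not a real hostd message) to
# show that non-ticket lines are ignored.
SAMPLE_HOSTD_LOG = """\
2013-12-10T11:40:21.136+01:00 Hostd [2AFE1B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=87c4e36a-a9] Ticket issued for device service to user: vpxuser
2013-12-10T11:38:14.396+01:00 Hostd [FFCE5B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx' opID=e5b881c4-60] Ticket issued for mks service to user: vpxuser
2013-12-10T11:41:02.000+01:00 Hostd [2AFE1B90 info 'Vmsvc.vm:/vmfs/volumes/4fd988f2-654fcafae-97ab-03215ac67b3d/vm33/vm33.vmx'] constructed filler line, not a ticket event
"""

# Matches the "Ticket issued for <service> service to user: <user>" lines.
# The opID is optional in the pattern because not every hostd line carries one.
TICKET_RE = re.compile(
    r"^(?P<ts>\S+) Hostd \[(?P<thread>[0-9A-Fa-f]+) (?P<level>\w+) "
    r"'Vmsvc\.vm:(?P<vmx>[^']+)'"
    r"(?: opID=(?P<opid>[^\]]+))?\] "
    r"Ticket issued for (?P<service>\w+) service to user: (?P<user>\S+)$"
)

# Meaning of each ticket type for the audit trail (from the answer above).
SERVICE_MEANING = {
    "device": "virtual device connect (CD/DVD/ISO, floppy, USB passthrough)",
    "mks": "remote console (MKS) session",
}


def parse_ticket_events(lines: Iterable[str]) -> List[Dict[str, Optional[str]]]:
    """Return one structured record per ticket line; everything else is skipped."""
    events = []
    for raw in lines:
        m = TICKET_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue
        d = m.groupdict()
        vm_name = d["vmx"].rsplit("/", 1)[-1]
        if vm_name.endswith(".vmx"):
            vm_name = vm_name[:-4]
        events.append({
            "ts": d["ts"],
            "vm": vm_name,
            "vmx": d["vmx"],
            "service": d["service"],
            "meaning": SERVICE_MEANING.get(d["service"], "unknown ticket type"),
            "user": d["user"],
            "opid": d["opid"],
            # vpxuser means the request came through vCenter, so the real
            # operator has to be looked up in vCenter's logs/events (by opID).
            "proxied": d["user"] == "vpxuser",
        })
    return events


def _sd_escape(value: str) -> str:
    """Escape an RFC 5424 PARAM-VALUE ('"', '\\' and ']' must be escaped)."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event: Dict[str, Optional[str]], hostname: str,
              facility: int = 13, severity: int = 5) -> str:
    """Render an event as an RFC 5424 message.

    facility 13 = log audit, severity 5 = notice (PRI = facility*8 + severity).
    The SD-ID 'vmticket@32473' is an assumed name using the enterprise number
    reserved for documentation; pick your own PEN in a real deployment.
    """
    pri = facility * 8 + severity
    sd_fields = " ".join(
        f'{k}="{_sd_escape(v)}"' for k, v in (
            ("vm", event["vm"]),
            ("service", event["service"]),
            ("user", event["user"]),
            ("opID", event["opid"] or "-"),
        )
    )
    msg = f"{event['meaning']} on {event['vm']} by {event['user']}"
    if event["proxied"]:
        msg += " (vpxuser: issued via vCenter; resolve the real user there)"
    return f"<{pri}>1 {event['ts']} {hostname} hostd - vmticket [vmticket@32473 {sd_fields}] {msg}"


if __name__ == "__main__":
    # Assumed ESXi hostname; in practice take it from the host that owns the log.
    for ev in parse_ticket_events(SAMPLE_HOSTD_LOG.splitlines()):
        print(to_syslog(ev, "esxi01"))
```

In a real deployment the agent tails hostd.log (or the ESXi host forwards it natively) and the messages go to the syslog collector; the point of keeping opID and the vpxuser flag in the structured data is that the PCI reviewer can be shown the pairing of the host-side event with the vCenter-side record that names the actual operator.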
Hi. Thanks for the detective work! Too bad that the actual user is being abstracted by the vpxuser account. The funny thing is that it's the exact same thing that vCloud Director does to vCenter Server, and the exact same thing vCAC does to vCloud Director. Good thing I'm not PCI DSS securing an environment that has all those three.
I just learned that the customer has an agent that we can place on the vCenter Windows server that can send Windows Event logs and/or specific text files to a "syslog" central logging server.
Unfortunately, I can't see these mount events (nor successful/failed login events) in any of these places, only in the vCenter Server internal "Events" tab, which is written to its database only, not to file.
The chase goes on. How is everyone else passing PCI DSS, when vCenter Server can't fulfill these demands?