Enable the Transmission of Audit Records to a Remote Host with ESXCLI
You can use ESXCLI to configure the transmission of audit records to a remote host. For audit events, use syslog over either TCP on port 514 or TLS on port 1514. To use unencrypted syslog, prefix the entry with tcp://. To use syslog encrypted with TLS, prefix the entry with ssl://. For security reasons, use TLS: it protects the audit records in transit and, unlike plain TCP, lets ESXi verify that it is talking to the intended collector. To use TLS, you must load onto ESXi a public CA certificate that can validate the certificate presented by the syslog server. You can specify multiple syslog servers, separated by commas; each entry carries its own prefix and port.
Audit records are transmitted to the remote host as RFC-compliant syslog messages. Each record begins with the RFC-defined priority prefix in the <NNN> format, where NNN is a packed value representing the facility and severity, calculated as (8 * facility) + severity. The audit facility number is 13, and a typical severity is info, whose number is 6. Applying the formula, the value of NNN is 110 for an informational audit message (8 * 13 + 6), 109 for an audit notice (severity 5), and 107 for an audit error (severity 3). These are the values a collector's filter rules should match to route ESXi audit records separately from ordinary log traffic.
The following example configures the firewall to permit outbound syslog traffic, enables remote audit logging, sets the syslog server, and reloads the syslog configuration so that the new settings take effect. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.
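As an added worked example (written for this page, not the commands from the VMware documentation), the following POSIX shell script wraps the same ESXCLI steps in functions that refuse a loghost entry lacking the tcp:// or ssl:// prefix, warn when a collector is unencrypted, compute the <NNN> priority values described above, and finish by sending a marker line so you can confirm on the collector that records arrive. It assumes the esxcli command is on PATH, that the host supports the esxcli system auditrecords namespace (ESXi 7.0 Update 2 and later), and that the CA certificate for the collector has already been loaded; CONN_OPTS stands in for the page's <conn_options> placeholder, and the collector names are constructed examples.

```shell
#!/bin/sh
# Added example for this page; not VMware's code. Run with DRY_RUN=1 to
# print the esxcli commands instead of executing them. CONN_OPTS holds the
# connection options the page calls <conn_options>, e.g.
# CONN_OPTS="--server=esxi01.example.com --username=root" (assumed names).

CONN_OPTS="${CONN_OPTS:-}"

# RFC syslog PRI value: (8 * facility) + severity.
syslog_pri() {
  echo $(( 8 * $1 + $2 ))
}

# PRI for an ESXi audit record (facility 13) at a named severity.
audit_pri() {
  case "$1" in
    err|error)  syslog_pri 13 3 ;;
    notice)     syslog_pri 13 5 ;;
    info)       syslog_pri 13 6 ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# Classify one loghost entry: tls (ssl://), plaintext (tcp://) or reject.
# A bare hostname is rejected because the page requires an explicit prefix;
# udp:// is rejected because UDP gives no delivery guarantee for audit data.
classify_loghost() {
  case "$1" in
    ssl://?*) echo tls ;;
    tcp://?*) echo plaintext ;;
    *)        echo reject ;;
  esac
}

# Validate every entry and join them with commas, the form esxcli expects.
# Prints the joined list; fails without printing if any entry is rejected.
join_loghosts() {
  out=""
  for h in "$@"; do
    case "$(classify_loghost "$h")" in
      reject)    echo "refusing loghost entry: $h" >&2; return 1 ;;
      plaintext) echo "warning: $h is unencrypted; prefer ssl://" >&2 ;;
    esac
    out="${out:+$out,}$h"
  done
  echo "$out"
}

# Execute an esxcli command, or print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    echo "esxcli $CONN_OPTS $*"
  else
    esxcli $CONN_OPTS "$@"
  fi
}

# The page's procedure: open the syslog firewall ruleset, enable remote
# audit records, point syslog at the validated collector list, reload the
# configuration, then write a marker line that should appear on the
# collector. Pass every collector at once: --loghost replaces the list.
configure_remote_audit() {
  hosts="$(join_loghosts "$@")" || return 1
  run network firewall ruleset set --ruleset-id=syslog --enabled=true
  run system auditrecords remote enable
  run system syslog config set --loghost="$hosts"
  run system syslog reload
  run system syslog mark --message="remote audit logging enabled"
}

# Usage (constructed collector name):
#   DRY_RUN=1 ./audit-syslog.sh ssl://syslog.example.com:1514
if [ $# -gt 0 ]; then
  configure_remote_audit "$@"
fi
```

Run it once with DRY_RUN=1 to review the exact esxcli invocations, then for real. On the collector, search for the marker text and check that the incoming lines carry the <110>, <109> or <107> prefix rather than a non-audit facility; if the marker shows up over tcp:// but not over ssl://, the CA certificate loaded on ESXi does not validate the collector's certificate.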