Excessive logging and log exhaustion when applying vCenter pgaudit log STIG [VCPG-80-000007]

Article ID: 388887

Products

VMware vCenter Server
VMware vSphere ESXi 8.0
VMware vCenter Server 8.0

Issue/Introduction

  • Enabled audit logging for PostgreSQL [VCPG-80-000007]
  • Large deployments, or environments with many vCenter integrations that generate events
  • Disk space exhausted on the log partition "/var/log"
  • Very large "/var/log/vmware/postgresql.log" file containing many audit events

Environment

vCenter 8
vSphere 8

Cause

Enabling audit logging for PostgreSQL can exhaust disk space on the log partition in large deployments or environments with many integrations with vCenter that generate events.

The pgaudit parameters have been tuned in a future STIG release to reduce log generation for certain events.

Resolution

Apply the updated guidance for VCPG-80-000007 from public.cyber.mil (latest official releases).

or

Update the /storage/db/vpostgres/stig.conf file: remove the existing pgaudit.log* statements and add the following:

  • pgaudit.log_catalog = off
  • pgaudit.log_parameter = off
  • pgaudit.log_relation = off
  • pgaudit.log_statement = off
  • pgaudit.log = 'all, -misc, -read'

These steps assume the /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py --action stig_enable --pg-data-dir /storage/db/vpostgres script has already been run.

Restart PostgreSQL by running vcsa# vmon-cli --restart vmware-vpostgres for the changes to take effect.
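
The stig.conf edit described above, scripted as an added example (not VMware tooling and not part of the original article). The function names, the .bak rollback copy and the sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not VMware tooling: function names and the .bak suffix are assumptions.

# The five statements listed in the Resolution section.
PGAUDIT_SETTINGS="pgaudit.log_catalog = off
pgaudit.log_parameter = off
pgaudit.log_relation = off
pgaudit.log_statement = off
pgaudit.log = 'all, -misc, -read'"

# Replace every pgaudit.log* statement in the file given as $1.
update_pgaudit_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp="$(mktemp)" || return 1
    cp -p "$conf" "$conf.bak" || return 1    # rollback copy
    # Delete active pgaudit.log and pgaudit.log_* lines; comments and
    # unrelated settings are left alone.
    sed -E '/^[[:space:]]*pgaudit\.log(_[a-z_]+)?[[:space:]]*=/d' "$conf" > "$tmp" || return 1
    printf '%s\n' "$PGAUDIT_SETTINGS" >> "$tmp"
    # Write through the existing file so its owner and mode are unchanged.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Print the active pgaudit.log* statements, for review before the restart.
show_pgaudit_conf() {
    grep -E '^[[:space:]]*pgaudit\.log(_[a-z_]+)?[[:space:]]*=' "$1"
}

# Constructed sample of a stig.conf with broader audit settings (not a real file).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
log_connections = on
pgaudit.log = 'all, -misc'
pgaudit.log_catalog = on
pgaudit.log_parameter = on
pgaudit.log_statement_once = off
pgaudit.role = 'auditor'
EOF
}
```

Call `update_pgaudit_conf /storage/db/vpostgres/stig.conf`, confirm with `show_pgaudit_conf` that only the five statements remain, then restart PostgreSQL with the command given above.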

or 

Disable [VCPG-80-000007] to increase disk space for logging and then re-enable.

Notes

To disable [VCPG-80-000007]:

vcsa#  /opt/vmware/vpostgres/current/bin/vmw_vpg_config/vmw_vpg_config.py --action stig_disable --pg-data-dir /storage/db/vpostgres

To truncate a large log file and retain its permissions, stop services first so that nothing is writing to the log file.

  1. Back up the file to a remote system if desired or needed.
  2. Stop services:
    vcsa# service-control --stop --all
  3. Truncate the log file:
    vcsa_logdirectory# echo > filename.log
  4. Restart services:
    vcsa# service-control --start --all

Additional Information

Harden a VMware product [Support for Security Technical Implementation Guides (STIGs)] using the latest guidance found in an Official DISA STIG or VMware STIG Readiness Guide when guidance is available for that specific product and version.