Where are the kernel auditd logs for vCenter

Article ID: 430785

Products

VMware vCenter Server

Issue/Introduction

  • The IT security team is asking for kernel audit logs from vCenter, and they need to be provided via syslog.
  • vCenter is already configured to send logs to a remote syslog server.

Environment

vSphere vCenter

Cause

Default settings do not include a syslog forwarder for auditd on vCenter.

Resolution

The logs reside in /var/log/audit/* and are included in a full log bundle, which is enough for an initial look; continuous forwarding over syslog can be enabled as follows:

  1. ssh to the vCenter as root.
  2. Create a VMware-identified conf file using the below command:
    vim /etc/vmware-syslog/vmware-services-auditd.conf
  3. Add the following data to the newly created file:
    input(type="imfile"
    File="/var/log/audit/audit.log"
    Tag="auditd"
    Severity="info"
    Facility="local0"
    deleteStateOnFileDelete="on"
    reopenOnTruncate="on")
  4. Save the content and close the file (type "[Esc]:wq!" without the quotes; "[Esc]" is the escape key).
  5. Restart the rsyslog service using the below commands:
    systemctl daemon-reload
    systemctl restart rsyslog
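The five steps above as a single run, as an added example that is not VMware's tooling or the KB's own script. It writes the same imfile input, then validates the complete rsyslog configuration with `rsyslogd -N1` before the running service is restarted, so a typo or a missing module load is caught without interrupting log forwarding. It assumes the KB's paths and that `rsyslogd` and `systemctl` are on PATH, as on the appliance; the `AUDIT_LOG` and `CONF` variables are this script's own.

```shell
#!/bin/sh
# Added example, not VMware's tooling or the KB's own script: the five steps
# above as one run, with checks before rsyslog is restarted. Assumes the KB's
# paths and that rsyslogd and systemctl are on PATH, as on the appliance.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
CONF="${CONF:-/etc/vmware-syslog/vmware-services-auditd.conf}"

# Steps 2 and 3: write the imfile input from the KB. The Tag value is what the
# receiving side will see on every forwarded audit record.
write_auditd_conf() {
    conf="$1"; auditlog="$2"
    cat > "$conf" <<EOF
input(type="imfile"
      File="$auditlog"
      Tag="auditd"
      Severity="info"
      Facility="local0"
      deleteStateOnFileDelete="on"
      reopenOnTruncate="on")
EOF
}

# Confirm the written file carries every directive the KB lists; returns 1
# and names the first missing one otherwise.
check_auditd_conf() {
    conf="$1"
    for key in 'type="imfile"' 'File="' 'Tag="' 'Severity="info"' \
               'Facility="local0"' 'deleteStateOnFileDelete="on"' \
               'reopenOnTruncate="on"'; do
        grep -q "$key" "$conf" || { echo "missing $key in $conf" >&2; return 1; }
    done
    return 0
}

# Steps 1 to 5 end to end. rsyslogd -N1 parses the full configuration
# (including the new drop-in) without starting a daemon, so a bad directive
# is reported before the live service is touched.
install_auditd_forwarder() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root on the vCenter appliance" >&2; return 1; }
    [ -r "$AUDIT_LOG" ] || { echo "$AUDIT_LOG is not readable; is auditd running?" >&2; return 1; }
    write_auditd_conf "$CONF" "$AUDIT_LOG"
    check_auditd_conf "$CONF" || return 1
    rsyslogd -N1 || { echo "rsyslog configuration failed validation; not restarting" >&2; return 1; }
    systemctl daemon-reload
    systemctl restart rsyslog
    systemctl is-active --quiet rsyslog || { echo "rsyslog did not come back up" >&2; return 1; }
    echo "auditd forwarding enabled via $CONF"
}

# Only act when invoked explicitly (sh script.sh install), so the functions
# can be sourced and exercised without touching a live system.
if [ "${1:-}" = "install" ]; then
    install_auditd_forwarder
fi
```

Run it as `sh enable-auditd-forwarding.sh install` on the appliance; without the argument it only defines the functions. Confirm on the remote server that records tagged `auditd` arrive before handing the feed to the security team.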

These changes stream the /var/log/audit/audit.log file to the remote syslog server(s) already configured on the vCenter.

Additional Information

See "Collecting Log Files" for more info.

See "Forward vCenter Server Log Files to Remote Syslog Server" for the remote syslog configuration itself.

*Note: it is not currently possible to send one facility to one remote log server and a different facility to another. All enabled facilities are sent to every configured remote syslog server, so filtering must be done on the receiving side.
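Because the split has to happen on the receiver, here is an added example (not part of the KB) of doing it there: an rsyslog rule that sends local0 records tagged `auditd` to their own file, plus the same selection as an awk filter for checking already-collected lines offline. It assumes, beyond what the KB states, that the receiver runs rsyslog with drop-ins under /etc/rsyslog.d/, that the forwarded records keep the local0 facility and `auditd` tag set on the vCenter side, and that lines carry the `<PRI>` prefix; the `RECEIVER_RULE` and `AUDIT_OUT` names and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the KB: receiving-side separation of the vCenter
# auditd stream. vCenter sends every enabled facility to every configured
# remote server, so the receiver picks the audit records out by facility/tag.
# Assumptions (not from the KB): rsyslog on the receiver with drop-ins under
# /etc/rsyslog.d/, and forwarded lines that keep local0 and the "auditd" tag.

RECEIVER_RULE="${RECEIVER_RULE:-/etc/rsyslog.d/10-vcenter-auditd.conf}"
AUDIT_OUT="${AUDIT_OUT:-/var/log/remote/vcenter-audit.log}"

# rsyslog rule for the receiver: local0 records tagged auditd go to their own
# file and stop there; everything else continues down the normal rule set.
write_receiver_rule() {
    cat > "$1" <<EOF
if (\$syslogfacility-text == "local0" and \$syslogtag startswith "auditd") then {
    action(type="omfile" file="$AUDIT_OUT")
    stop
}
EOF
}

# The same selection applied offline to raw syslog lines on stdin, to check
# what the rule would match. PRI = facility * 8 + severity, so local0 (16)
# covers PRI 128..135 at any severity; the tag must appear as its own token.
select_vcenter_audit() {
    awk '
        match($0, /^<[0-9]+>/) {
            pri = substr($0, 2, RLENGTH - 2) + 0
            if (int(pri / 8) == 16 && $0 ~ / auditd[: ]/) print
        }'
}

# Constructed sample of a mixed feed as a receiver might store it: two audit
# records (info and notice severity on local0), one other local0 message
# from the appliance, and one unrelated daemon message on a different facility.
SAMPLE_LINES='<134>Jan 10 10:00:00 vcsa auditd: type=USER_LOGIN msg=audit(1700000000.123:456): pid=1 uid=0 res=success
<134>Jan 10 10:00:01 vcsa vpxd: other local0 message
<30>Jan 10 10:00:02 vcsa sshd: Accepted publickey
<133>Jan 10 10:00:03 vcsa auditd: type=SYSCALL msg=audit(1700000001.000:457): arch=c000003e'

# Convenience entry point: number of audit records in the constructed sample.
count_sample_audit_records() {
    printf '%s\n' "$SAMPLE_LINES" | select_vcenter_audit | wc -l | tr -d ' '
}
```

Install the rule with `write_receiver_rule "$RECEIVER_RULE"` followed by a restart of rsyslog on the receiver; `count_sample_audit_records` returns 2 for the constructed sample, and the same awk filter can be pointed at a captured feed to confirm the tag and facility survived the trip before the rule is relied on.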