As you'll see in the section “Managing vCenter Server Permissions,” vCenter Server offers
greater flexibility than managing individual ESXi hosts.
The last area of ESXi host security we'll discuss pertains to the third A in the AAA model:
accounting—in other words, logging. Let's take a closer look at how to handle logs for your ESXi
hosts.
Configuring ESXi Host Logging
Capturing information in the system logs is an important aspect of computer and network
security. The system logs provide a record, or an accounting, of the actions performed, the events
encountered, the errors experienced, and the state of the ESXi host and the VMs on that host.
Every ESXi host runs a syslog daemon (service) that captures events and logs them for future
reference. Assuming that you've installed ESXi onto some local disks, the default location for the
logs is a 4 GB scratch partition that the ESXi installer creates. Although this provides long-term
storage for the ESXi host logs, there is no centralized location for them, making analysis of the
logs more difficult than it should be. An administrator would have to connect to each host
individually to review the logs for that host.
Further, if you are booting from SAN or if you are using vSphere Auto Deploy, there is no
local scratch partition, and logs are stored in memory on the ESXi host—which means they
disappear when the ESXi host is restarted. Clearly, this is not an ideal configuration. Not only does
it lack centralized access to the logs, but it also lacks long-term storage for the logs.
The typical solution to both of these issues is a third-party syslog server, a server that runs
a syslog daemon and is prepared to accept the log entries from the various ESXi hosts. To make
things easier, VMware supplies a syslog collector with vSphere 5 in three different forms:
As a service you can install onto a Windows Server-based computer
As a service preinstalled on the vCenter Server virtual appliance
As part of the vMA's built-in syslog daemon
In Chapter 4 we show you how to install the VMware Syslog Collector on a Windows Server-
based computer and how to configure your ESXi hosts to send their logs to this centralized
syslog service.
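The following PowerCLI script is an added example, not code from the book or from VMware, showing how the centralized-logging setup described above can be applied to every host in a cluster and then verified. It assumes PowerCLI is installed, Connect-VIServer has already been run, and that the collector address and cluster name are placeholders you replace with your own.

```powershell
# Added example (not from the book): point every ESXi host in a cluster at a central
# syslog collector, open the host firewall for outbound syslog, and report which hosts
# were still keeping their logs only on local scratch or in memory.
# Assumptions: PowerCLI is loaded and Connect-VIServer has been run; the collector
# address and cluster name below are placeholders.
$SyslogTarget = 'syslog.example.com:514'   # placeholder collector (host:port, UDP by default)
$ClusterName  = 'Production'               # placeholder cluster name

foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
    # Current remote syslog targets; an empty result means logs never leave the host
    $before = Get-VMHostSysLogServer -VMHost $vmhost
    if (-not $before) {
        Write-Warning "$($vmhost.Name): no remote syslog target; logs stay in scratch or RAM only"
    }

    # Set the remote target (this writes the Syslog.global.logHost advanced setting)
    Set-VMHostSysLogServer -VMHost $vmhost -SysLogServer $SyslogTarget | Out-Null

    # Without the 'syslog' firewall exception the host cannot send its log traffic out
    Get-VMHostFirewallException -VMHost $vmhost -Name 'syslog' |
        Where-Object { -not $_.Enabled } |
        Set-VMHostFirewallException -Enabled $true | Out-Null

    # Verify rather than assume: re-read the target and the host's lockdown state.
    # Config.AdminDisabled is the vSphere 5 API flag for lockdown mode (assumption:
    # your PowerCLI version exposes it through ExtensionData as shown).
    $after    = Get-VMHostSysLogServer -VMHost $vmhost
    $lockdown = [bool]$vmhost.ExtensionData.Config.AdminDisabled

    [pscustomobject]@{
        Host     = $vmhost.Name
        SyslogTo = ($after | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ','
        Lockdown = $lockdown
    }
}
```

Run it once to fix the configuration and a second time to confirm that no host still emits the warning; the Lockdown column gives you a quick view of the last recommendation in the list below.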
Reviewing Other ESXi Security Recommendations
In addition to all the security recommendations we've made so far with regard to ESXi hosts,
there are some other recommended practices that you should follow:
Set a root password for the ESXi host. You can set the root password, if it has not already
been set, via the server's console by pressing F2. More information on working with the
ESXi console is available in Chapter 2.
Use host profiles in vCenter Server. Host profiles can help ensure that the configuration of
the ESXi hosts does not drift or change from the settings specified in the host profile. We
discussed host profiles in Chapter 3, “Installing and Configuring vCenter Server.”
Enable lockdown mode for your ESXi hosts. Enabling lockdown mode disables console-
based user access and direct access via the vSphere Client. Root access via the vMA is also
restricted.
Now that you've looked at the various ways to secure your ESXi hosts, it's time to move on to
securing vCenter Server, the second major component in your vSphere environment.