Appendix B: Compliance Considerations : vCloud Director Diagnostic and Audit Logs
   
vCloud Director Diagnostic and Audit Logs
VMware vCloud Director includes the following types of logs:
*Audit logs that are maintained in the database, and optionally, in a syslog server.
*Diagnostic logs that are maintained in each vCloud Director cell’s log directory.
The VMware vCloud Director system audit log is maintained in the Oracle database and can be monitored through the Web UI. Each organization administrator and the system administrator have a view into the log scoped to their specific area of control. A more comprehensive view of the audit log (and long-term persistence) is achieved through the use of remote syslog (described below). Log management products are available from a variety of vendors and open source projects.
Audit events are not the only event types. Diagnostic logs contain information about system operation events and are stored as files in the local file system of each cell’s operating system.
Diagnostic logs can be useful for problem resolution, but are not intended to preserve a trail of system interactions for audit. Each VMware vCloud Director cell creates several diagnostic log files, as described in the “Viewing the vCloud Director Logs” section of the VMware vCloud Director Administration Guide for the latest version of VCD (http://www.vmware.com/support/pubs/vcd_pubs.html).
Audit logs record significant actions, including login and logout. A syslog server can be set up during installation as detailed in the vCloud Director Installation and Configuration Guide (http://www.vmware.com/support/pubs/vcd_pubs.html). Exporting the logs to a syslog server is required for compliance due to multiple reasons:
*Database logs are not retained after 90 days, but logs transmitted via syslog can be retained as long as desired.
*It allows audit logs from all cells to be viewed together in a central location at the same time.
*It protects the audit logs from loss on the local system due to failure, a lack of disk space, compromise, and so on.
*It supports forensics operations in the face of problems such as those listed above.
*It is the method by which many log management and Security Information and Event Management (SIEM) systems integrate with vCloud Director. This enables:
*Correlation of events and activities across vCloud Director, vCloud Networking and Security, vSphere, and even the physical hardware layers of the stack.
*Integration of vCloud security operations with the rest of the vCloud provider’s or enterprise’s security operations, cutting across physical, virtual, and vCloud infrastructures.
*Logging to a remote system, instead of the system the cell is deployed on, provides data integrity by inhibiting tampering. Even if the cell is compromised it does not necessarily enable access to or alteration of the audit log.