2.5.9.2 Logging in vCloud Director for Service Providers
vCloud Director for Service Providers includes two types of logs:
• Diagnostic logs, maintained in each cell’s log directory
• Audit logs, maintained in the database and, optionally, in a syslog server
Diagnostic logs can be useful for problem resolution but are not intended to preserve an audit trail of significant system interactions. Each vCloud Director for Service Providers cell creates several diagnostic log files described in the “Viewing the vCloud Director for Service Providers Logs” section of the VMware vCloud Director for Service Providers Administrator’s Guide.
The audit logs, on the other hand, do record significant actions, including login and logout. As detailed in the VMware vCloud Director for Service Providers Installation Guide, a syslog server can be set up during installation. Exporting logs to a syslog server is recommended for multiple reasons:
• Audit log entries in the database are purged after 90 days, whereas entries transmitted through syslog can be retained for as long as your retention policy requires.
• It allows the audit logs from all cells to be viewed together in one central location.
• It protects the audit logs from loss on the local system due to failure, lack of disk space, compromise, and so on.
• It supports forensic investigation of exactly the kinds of problems listed in the previous bullet, because the evidence is held off the affected system.
• It is the method by which most log management and SIEM systems integrate with vCloud Director for Service Providers. This allows:
o Correlation of events and activities across vCloud Director for Service Providers, NSX for vSphere, VMware vCloud Networking and Security™, the vSphere platform, and even the physical hardware layers of the stack.
o Integration of cloud security operations with the rest of the cloud provider’s or enterprise’s security operations, cutting across physical, virtual, and cloud infrastructures.
Logging to a remote system other than the one the cell is deployed on makes tampering with the logs harder: a compromise of the cell does not by itself give the attacker access to, or the ability to alter, the audit log copy held on the syslog server.
If you did not set up a syslog destination for logging at initial install time, you can configure it later by going to each cell, editing the $VCLOUD_HOME/etc/global.properties file, and restarting the cell.
The appropriate port (514/UDP) must also be open from each vCloud Director for Service Providers cell to the syslog server, and the syslog server itself (which may be part of a larger log management or SIEM solution) must be properly configured to accept and store the cell’s messages. Because UDP syslog provides neither delivery confirmation nor encryption, place the syslog server on a protected management network rather than exposing it across untrusted segments. The syslog server configuration details are system specific and outside the scope of this document. VMware recommends that the syslog server be configured with redundancy so that essential events are always logged.
This discussion covers only sending the audit log to a syslog server. Security Operations and IT Operations organizations might also benefit from the centralized aggregation and management of the diagnostic logs. There are a variety of methods for collecting those logs, including scheduling a job to periodically copy the logs to a centralized location, setting an additional logger in the log4j.properties file ($VCLOUD_HOME/etc/log4j.properties) to a central syslog server, or using a log-collection utility to monitor and copy the log files to a centralized location. The configuration of these options is dependent on which system you prefer to use in your environment and is outside the scope of this document.
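The following script is an added example, not part of this document or of the vCloud Director product. It carries out the two configuration tasks described above (the audit-log syslog destination in $VCLOUD_HOME/etc/global.properties, and an additional logger for the diagnostic logs in $VCLOUD_HOME/etc/log4j.properties) in an idempotent way so that it can be run on every cell. It assumes that audit.syslog.host and audit.syslog.port are the property names the cell reads for the audit syslog destination, that the cell’s log4j is the 1.x series (so org.apache.log4j.net.SyslogAppender applies), and that the cell is restarted with "service vmware-vcd restart"; verify all three against the documentation for your vCloud Director version. The appender name vcdsyslog, the default VCLOUD_HOME path, and the VCD_SYSLOG_HOST/VCD_SYSLOG_PORT environment variables are the example’s own choices.

```shell
#!/bin/sh
# Added example: configure syslog export on a vCloud Director cell.
# Assumptions (verify against your vCD version):
#   - audit.syslog.host / audit.syslog.port select the audit-log destination
#   - the cell's log4j is 1.x (org.apache.log4j.net.SyslogAppender)
#   - "service vmware-vcd restart" restarts the cell
# Requires GNU sed (for sed -i) and, for send_test_event only, bash.

VCLOUD_HOME="${VCLOUD_HOME:-/opt/vmware/vcloud-director}"

# set_property FILE KEY VALUE: set KEY=VALUE in a Java properties file,
# replacing an existing line for KEY or appending one if it is absent.
set_property() {
    file="$1"; key="$2"; value="$3"
    esc_key=$(printf '%s' "$key" | sed 's/[.[\*^$]/\\&/g')   # escape regex metacharacters
    if grep -q "^${esc_key}=" "$file" 2>/dev/null; then
        sed -i "s|^${esc_key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the current value of KEY (empty if unset).
get_property() {
    esc_key=$(printf '%s' "$2" | sed 's/[.[\*^$]/\\&/g')
    sed -n "s|^${esc_key}=||p" "$1" | tail -n 1
}

# configure_audit_syslog FILE HOST PORT: audit-log destination (global.properties).
configure_audit_syslog() {
    set_property "$1" audit.syslog.host "$2"
    set_property "$1" audit.syslog.port "$3"
}

# configure_diag_syslog FILE HOST PORT: add a log4j 1.x SyslogAppender named
# "vcdsyslog" (example name) and attach it to the root logger without
# disturbing the appenders that are already configured there.
configure_diag_syslog() {
    file="$1"; host="$2"; port="$3"
    set_property "$file" log4j.appender.vcdsyslog org.apache.log4j.net.SyslogAppender
    set_property "$file" log4j.appender.vcdsyslog.SyslogHost "${host}:${port}"
    set_property "$file" log4j.appender.vcdsyslog.Facility LOCAL0
    set_property "$file" log4j.appender.vcdsyslog.layout org.apache.log4j.PatternLayout
    set_property "$file" log4j.appender.vcdsyslog.layout.ConversionPattern '%d{ISO8601} [%t] %-5p %c - %m%n'
    root=$(get_property "$file" log4j.rootLogger)
    if [ -z "$root" ]; then
        set_property "$file" log4j.rootLogger "INFO, vcdsyslog"
    else
        # Compare with whitespace stripped so "INFO, FILE, vcdsyslog" is recognised.
        case ",$(printf '%s' "$root" | tr -d ' ')," in
            *,vcdsyslog,*) ;;                                         # already attached
            *) set_property "$file" log4j.rootLogger "${root}, vcdsyslog" ;;
        esac
    fi
}

# send_test_event HOST PORT: emit one RFC 3164 style datagram (facility local0,
# severity info = PRI 134) so the 514/UDP path and the collector's parsing can
# be verified end to end before the cell is restarted. Uses bash's /dev/udp;
# "logger -n HOST -P PORT -d" is the util-linux equivalent where available.
send_test_event() {
    printf '<134>%s vcd-cell test: syslog path check\n' "$(date '+%b %e %H:%M:%S')" \
        > "/dev/udp/$1/$2"
}

# Apply only when a collector is named, e.g.:
#   VCD_SYSLOG_HOST=syslog.example.net VCD_SYSLOG_PORT=514 sh ./vcd-syslog.sh
if [ -n "${VCD_SYSLOG_HOST:-}" ]; then
    port="${VCD_SYSLOG_PORT:-514}"
    configure_audit_syslog "$VCLOUD_HOME/etc/global.properties" "$VCD_SYSLOG_HOST" "$port"
    configure_diag_syslog  "$VCLOUD_HOME/etc/log4j.properties"  "$VCD_SYSLOG_HOST" "$port"
    send_test_event "$VCD_SYSLOG_HOST" "$port"
    service vmware-vcd restart   # both files are read at cell start
fi
```

Run it once per cell, then confirm on the collector that the test datagram and, after the restart, a login event from that cell arrive; a cell whose events never appear is usually a firewall rule, not a configuration error. Because each cell is configured independently, keep the script in configuration management so that newly added cells do not silently log only to the database.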