The NSX Manager must off-load audit records onto a different system or media than the system being audited.

From VMware NSX Manager Security Technical Implementation Guide

Associated with: CCI-001851

SV-83813r1_rule The NSX Manager must off-load audit records onto a different system or media than the system being audited.

Vulnerability discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check content

Verify NSX Manager audit records are off-loaded to a different system. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol. If audit records are not configured and are not off-loaded to a different system, this is a finding. Note: TCP is the preferred protocol configuration to protect against network outages and queues logs locally until network connection is restored to a centralized server.

Fix text

Change the logs in NSX Manager to send to a centralized server for use as part of the organization's security incident tracking and analysis. Log on to NSX Manager with credentials authorized for administration, navigate and select Manage Appliance Settings >> Syslog Server >> Edit. Enter name or IP of the Syslog Server, Port, and Protocol.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.