One of the most important factors for the overall system security is to record and monitor the activities of the users. The organization maintains their compliance with rules by maintaining an audit log of significant activities. Using audit logs, an organization verifies and detects any violations and initiates remediation activities.
Audit logs can also help the organization in detecting attempts, whether successful or not, to gain illegitimate access to the system, probe its information, or disrupt its operation.
VMware vCloud Director includes the following two types of logs:
As a vCloud system administrator, you can view the system log to monitor system-level tasks that are in progress. Also, you can find and troubleshoot failed tasks as well. You can also analyze vCloud Director logs to monitor vCloud Director cells.
As a vCloud organization administrator, you can view the log for an organization to monitor organization-level tasks that are in progress. In addition, you can find and troubleshoot failed tasks.
So essentially, we are talking about system-level and organization-level tasks.
vCloud Director provides logging information for each cloud cell in the system. You can view the logs to monitor your cells and to troubleshoot issues.
You can find the logs for a cell at /opt/vmware/cloud-director/logs
.
The following table shows the log names and their purposes:
Log name |
What the log shows |
---|---|
|
The console output from the vCloud Director cell |
|
Debug-level log messages from the cell |
|
Warnings or errors encountered by the cell |
|
When the cell crashed, restarted, and so on |
|
Diagnostics information (but this first needs to be enabled in the local logging configuration) |
|
HTTP request logs in the Apache common log format |
Apart from the diagnostics logs in the vCloud Director, you have audit logs mentioned in the preceding table as well. However, by default, these files are not forwarded to the centralized logging server. You have to manually configure the vCloud cell to forward these to the centralized logging server.
It is recommended that you configure this option for the following reasons:
It allows audit logs from all the cells to be viewed together at a central location at the same time.
Database logs are not retained after 90 days, but logs transmitted via Syslog can be retained as long as desired.
It protects the audit logs from loss on the local system due to failure, lack of disk space, compromise, and so on.
Supports forensics operations in the face of problems as those listed previously.
Logging to a remote system, instead of the system the cell is deployed on; provides data integrity by inhibiting tampering. Even if the cell is compromised, it does not necessarily enable access to or alteration of the audit log.
For enabling a centralized Syslog server in vCloud Director 5.1, follow this knowledge base article from VMware, http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1026815.