The NSX Manager must be configured to send logs to a central log server.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
high | V-265348 | SRG-APP-000515-NDM-000325 | NMGR-4X-000087 | SV-265348r994267_rule | 2024-12-13 | 1 |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-APP-000515-NDM-000325, SRG-APP-000357-NDM-000293, SRG-APP-000516-NDM-000350 |
ℹ️ Check |
---|
From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and verify the syslog servers listed. Alternatively, from an NSX Manager shell, run the following command: > get logging-servers Note: This command must be run from each NSX Manager, because logging servers set from the shell are configured per node and a node checked in isolation says nothing about its peers. If no logging servers are configured, or if any unauthorized logging server is configured, this is a finding. If the log level is not set to INFO, this is a finding. |
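The Check above is a per-node test with three failure conditions, and on a multi-node cluster it is easy to inspect one manager and miss another. The script below is an added example for applying those conditions to captured output from every manager at once; it is not part of the STIG and not a VMware tool. It assumes each line of `get logging-servers` output has the layout `<server>:<port> proto <tcp|udp|tls|li-tls> level <level> ...` (verify this against your own appliance), and the manager names, the sample output and the authorized-server list are constructed for illustration.

```python
"""Offline evaluator for the NMGR-4X-000087 check (added example, not STIG text).

Parses `get logging-servers` output captured from each NSX Manager node and
reports the three conditions the Check names: no logging servers, an
unauthorized logging server, or a log level other than info. The line layout
`<server>:<port> proto <proto> level <level> [options...]` is an assumption
about the CLI output; the sample data below is constructed, not captured.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One exporter per line; anything after the level (facility, messageid,
# certificate file names, ...) is kept verbatim in `options`.
LINE_RE = re.compile(
    r"^(?P<server>\S+?):(?P<port>\d+)\s+proto\s+(?P<proto>\S+)\s+level\s+(?P<level>\S+)(?P<rest>.*)$"
)


@dataclass
class LoggingServer:
    server: str
    port: int
    proto: str
    level: str
    options: str = ""


def parse_logging_servers(cli_output: str) -> list[LoggingServer]:
    """Parse the captured output of `get logging-servers` for one node."""
    servers: list[LoggingServer] = []
    for raw in cli_output.splitlines():
        line = raw.strip()
        # Skip blank lines and an echoed prompt such as "nsx-mgr-01> get logging-servers".
        if not line or line.endswith("get logging-servers"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised logging-server line: {line!r}")
        servers.append(
            LoggingServer(m["server"], int(m["port"]), m["proto"].lower(),
                          m["level"].lower(), m["rest"].strip())
        )
    return servers


def check_manager(name: str, cli_output: str, authorized: set[str],
                  required_level: str = "info") -> list[str]:
    """Return the findings for a single manager node (empty list = compliant)."""
    findings: list[str] = []
    servers = parse_logging_servers(cli_output)
    if not servers:
        findings.append(f"{name}: no logging servers configured")
        return findings
    for s in servers:
        if s.server not in authorized:
            findings.append(f"{name}: unauthorized logging server {s.server}:{s.port}")
        if s.level != required_level:
            findings.append(f"{name}: {s.server}:{s.port} level is {s.level}, expected {required_level}")
    return findings


def check_all(outputs: dict[str, str], authorized: set[str]) -> dict[str, list[str]]:
    """Each manager is configured individually, so evaluate every node's output."""
    return {name: check_manager(name, out, authorized) for name, out in outputs.items()}


def is_compliant(results: dict[str, list[str]]) -> bool:
    return all(not f for f in results.values())


# Constructed sample: four hypothetical managers, one authorized collector.
AUTHORIZED = {"10.0.0.50"}
SAMPLE_OUTPUT = {
    "nsx-mgr-01": "nsx-mgr-01> get logging-servers\n10.0.0.50:6514 proto tls level info\n",
    "nsx-mgr-02": "10.0.0.50:6514 proto tls level warning\n",          # wrong level
    "nsx-mgr-03": "10.0.0.50:6514 proto tls level info\n"
                  "192.0.2.99:514 proto udp level info\n",             # unauthorized server
    "nsx-mgr-04": "",                                                  # nothing configured
}

if __name__ == "__main__":
    results = check_all(SAMPLE_OUTPUT, AUTHORIZED)
    for node, findings in results.items():
        print(node, "OK" if not findings else "; ".join(findings))
    print("overall:", "compliant" if is_compliant(results) else "finding")
```

In practice the `outputs` dictionary is filled by running `get logging-servers` on each manager (for example over SSH) and the authorized set comes from your log-collector inventory; the parser raises on any line it does not understand rather than silently ignoring it, so an unexpected CLI format is surfaced instead of scored as compliant.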
✔️ Fix |
---|
To configure a node profile that applies syslog servers to all NSX Manager nodes at once: From the NSX Manager web interface, go to System >> Fabric >> Profiles >> Node Profiles. Click "All NSX Nodes" and then under "Syslog Servers" click "Add". Enter the syslog server details, choose "Information" for the log level, and click "Add". Alternatively, configure each NSX Manager node individually from its shell (repeat on every manager). (Optional) Run the following command first to clear any existing incorrect logging servers: > clear logging-servers Run the following command to configure a UDP or TCP syslog server: > set logging-server <server-ip or server-name> proto <tcp or udp> level info Run the following command to configure a TLS syslog server: > set logging-server <server-ip or server-name> proto tls level info serverca ca.pem clientca ca.pem certificate cert.pem key key.pem Run the following command to configure an LI-TLS syslog server: > set logging-server <server-ip or server-name> proto li-tls level info serverca root-ca.crt Note: If using the TLS or LI-TLS protocol to secure the connection to the log server, the server and client certificates must first be stored in /image/vmware/nsx/file-store on each NSX Manager appliance, since the file names in the command are resolved there. |