ISO 27001, the global standard for information security management systems (ISMS), mandates strict audits and controls to protect the confidentiality, integrity, and availability of corporate data. One of the most critical pillars of these controls is monitoring and recording (logging) all events occurring within systems. ISO 27001:2022 Annex-A controls, specifically A.8.15 (Logging) and A.8.16 (Monitoring), require organizations to record system activities, analyze them, and protect log integrity.
The virtualization layer, which lies at the heart of corporate IT infrastructures, is one of the primary targets for cyber attackers. Unauthorized access, virtual machine deletions, or configuration changes carried out in VMware vSphere (ESXi hosts and vCenter Server) environments carry risks significant enough to halt all business processes. Therefore, logging the VMware infrastructure in compliance with ISO 27001 standards is vital for both regulatory compliance and operational security. In this guide, we will discuss step-by-step how to establish an ISO 27001 compliant logging architecture in VMware environments.
ISO 27001 Logging Controls and VMware Requirements
When designing a logging infrastructure in a VMware environment for ISO 27001 compliance, the core expectations of the standard must be met. These expectations are as follows:
- Comprehensive Recording: Who, when, from which device, and what action was performed (User, Timestamp, Source IP, Action) must be recorded clearly.
- Log Integrity and Protection (Tamper-proofing): Deletion or modification of log records by unauthorized persons must be prevented. For this purpose, logs must be forwarded in real-time to a central log server (Syslog/SIEM) instead of local disks.
- Access Control: Access to log records should be restricted only to authorized security analysts.
- Backup and Retention Period: Logs must be archived securely in accordance with legal requirements and corporate policies (usually at least 1 or 2 years).
Step-by-Step VMware ESXi Host Log Configuration
VMware ESXi hosts store logs on their local disks (scratch partition) by default. However, this situation causes logs to be lost in case of disk failures or cyber attacks. For ISO 27001 compliance, ESXi hosts must forward their logs to a central Syslog or SIEM server.
1. Defining the Syslog Server
To define a central log server on an ESXi host, the vSphere Client or CLI can be used.
Configuration via vSphere Client:
- Log in to the vSphere Client and select the relevant ESXi host.
- Go to the Configure tab and click on Advanced System Settings under System.
- Click the Edit button in the upper right corner and type
Syslog.global.logHostin the search box. - Enter the IP address or FQDN of your Syslog server with the protocol and port in the value field (e.g.,
udp://192.168.10.50:514orssl://siem.company.local:1514). - Save the changes.
2. Configuring Firewall Settings
In order for the ESXi host to send syslog traffic externally, the syslog port must be opened in the local firewall rules.
- While the ESXi host is selected, go to the Configure -> System -> Firewall tab.
- Click the Edit button to edit firewall rules.
- Find the rabbitmq or syslog rule and check the box next to it to allow traffic.
3. Restarting the Syslog Service
For the configuration to become active, the syslog service must be restarted.
- Go to the Configure -> System -> Services tab on the ESXi host.
- Select the Syslog service and click Restart.
- Set the service startup policy to "Start and stop with host".
vCenter Server Logging and Event Management
vCenter Server is the management center of the virtual infrastructure. Logging critical activities such as user logins, role definitions, VM creation/deletion occurring on vCenter is one of the issues that ISO 27001 audits emphasize the most.
To forward vCenter Server Appliance (VCSA) logs to the central SIEM system:
- Log in to the vCenter Server Management Interface (VAMI) via port 5480 (e.g.,
https://vcenter.company.local:5480). - Click on the Syslog tab from the left menu.
- Click Configure or Edit to add a new syslog target (SIEM/Syslog server).
- Complete the configuration by entering the server address, protocol (TLS/TCP/UDP), and port information. For ISO 27001 compliance, it is highly recommended to use the TLS (SSL) protocol for secure transmission of logs.
Log Integrity and SIEM Integration
A SIEM (Security Information and Event Management) integration is essential for making sense of collected VMware logs, applying correlation rules, and instantly detecting cybersecurity incidents. The SIEM system must analyze logs from ESXi and vCenter and generate instant alerts in the following cases:
- Failed login attempts to vCenter or ESXi hosts (Brute Force attack signals).
- Unauthorized deletion, stopping, or cloning of virtual machines.
- Privilege escalation or creation of a new administrator account.
- Modification of ESXi host firewall rules.
To establish an ISO 27001 compliant, real-time cyber threat detecting, and legally verifiable logging structure in your organization, you can benefit from our SIEM and Security Incident Management Integration services.
Additionally, to perform general security hardening of your virtualization layer and isolate your virtual machines and network, you can examine our VMware, Hyper-V and Proxmox Deployment Service solutions.
To plan your information security processes, legal compliance steps, and IT infrastructure investments from end to end according to ISO 27001 standards, you can work with our experts within the scope of our Business and Management Consulting services.
You can review our other technical guides that will strengthen your virtualization and information security infrastructure:
- For detailed audit records at the ESXi host level: VMware ESXi Audit Log and ISO 27001 Compliance
- For virtual infrastructure monitoring and performance tracking: ISO 27001 VMware Monitoring Methods
- For security of the vCenter management layer: vCenter Security and ISO 27001 Compliance
- For access authorization in the virtualization layer: ISO 27001 VMware Authorization Standards
- For ESXi host hardening steps: VMware ESXi Hardening Guide and ISO 27001
- For disk encryption requirements of virtual machines: VMware Datastore Encryption and ISO 27001
- For virtual isolation techniques at the network level: ISO 27001 VMware Network Isolation
- For logging requirements in virtual environments under KVKK: How to Configure VMware Logging for KVKK?
- For logging obligations under Law No. 5651: What is 5651 Logging, and for Whom is it Mandatory?
- For SIEM, Syslog, and legal logging architectures: SIEM, Syslog, and 5651 Correct Architecture Design
To make your VMware virtualization infrastructure fully compliant with ISO 27001 and KVKK standards, and integrate your central logging and SIEM systems, you can contact us at any time.
Frequently Asked Questions
Is keeping VMware logs on local disks accepted in ISO 27001 audits?
No, it is not accepted. ISO 27001 auditors require the protection of log integrity (tamper-proofing). If logs are kept on local disks, an authorized administrator or an attacker who has infiltrated the system can easily modify or delete logs to erase their tracks. Therefore, it is mandatory to forward logs in real-time to a central Syslog/SIEM server closed to unauthorized access.
Which protocol should be preferred in VMware vCenter syslog transfer?
In accordance with ISO 27001 standards, encryption of sensitive data transmitted over the network is recommended. Since log records contain sensitive information such as usernames, IP addresses, and system details, they should be transmitted securely over the TLS (SSL) protocol to the central log server instead of UDP or unencrypted TCP.
How long should the retention period of VMware logs be?
The ISO 27001 standard does not directly specify a specific duration; it requires the retention period to be determined according to legal requirements and corporate risk analysis. Considering the legal regulations in Turkey (e.g., Law No. 5651 and KVKK guidelines), log records must be stored securely and with time stamps for at least 2 years retrospectively.
Conclusion
Establishing an ISO 27001 compliant logging infrastructure in VMware vSphere environments not only fulfills a legal requirement but also forms the most important link in your corporate cyber defense line. Connecting ESXi hosts and vCenter Server to a central SIEM system with encrypted protocols, operating time-stamped signing processes, and real-time monitoring of cyber incidents protects your virtual infrastructure against incoming threats. A correctly configured logging architecture ensures you pass audits successfully while securing your operational continuity.

