VMware vSphere

 Can't change Advanced Setting for STIG

Scott Little posted Jan 13, 2025 06:43 PM

Per STIG ESXI-80-000113 I'm trying to change the "Syslog.global.auditRecord.storageCapacity" advanced setting from 4 to 100. 

On 1 of my 3 hosts it worked just fine.  The other 2 keep giving me a generic "A general system error occurred: Internal error" response.  I've been digging through and making sure all the other audit settings are the same.  I've tried through the GUI, SSH with esxcli, and PowerCLI, all with the same result, as well as on my admin account and with SSO/root.

The one that works was a fresh new build a little while ago, while the other 2 were just upgrades from 7.  But other hosts on a different network were upgraded the same way without an issue.

All 3 hosts are on the latest release for 8.0.3.

Can't even think where to look next.

Andrea Consalvi

Hi Scott,

Since it worked on a fresh install but not on the two upgraded hosts, this could be related to leftover config settings from ESXi 7. A few things to check:

Try setting it manually in the host configuration file
Instead of using ESXCLI or PowerCLI, try adding the setting manually in:

/etc/vmware/esx.conf 

Look for /system/advanced/Syslog.global.auditRecord.storageCapacity and try modifying it there, then reboot the host.

Check VMSA restrictions
Run:

esxcli system settings advanced list | grep -i Syslog.global.auditRecord.storageCapacity 

If the setting is locked (Locked: true), ESXi might be enforcing restrictions due to STIG compliance mode or a policy applied to upgraded hosts.

Compare policies between hosts
Since the fresh install worked, check for policy differences:

esxcli system settings advanced list | grep -i Syslog 

Compare the output from a working host and a failing one to see if something is blocking the change.
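
The comparison in the last step, as an added example that is not part of the original reply: a Python script that parses two saved copies of `esxcli system settings advanced list` output (one per host) and reports every Syslog field that differs. The sample records are constructed and trimmed, and the function names are hypothetical.

```python
import re

def parse_advanced_list(text):
    """Parse `esxcli system settings advanced list` output into {path: {field: value}}."""
    settings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s?(.*)$", line)
        if not m:
            continue  # blank separator lines between records
        field, value = m.group(1).strip(), m.group(2).strip()
        if field == "Path":
            current = settings.setdefault(value, {})  # a new record starts here
        elif current is not None:
            current[field] = value
    return settings

def diff_settings(good, bad, prefix="/Syslog/"):
    """Return (path, field, good_value, bad_value) for each field that differs under prefix."""
    diffs = []
    for path in sorted(set(good) | set(bad)):
        if not path.startswith(prefix):
            continue
        g, b = good.get(path, {}), bad.get(path, {})  # a missing record compares as empty
        for field in sorted(set(g) | set(b)):
            if field != "Description" and g.get(field) != b.get(field):
                diffs.append((path, field, g.get(field), b.get(field)))
    return diffs

# Constructed sample records (not captured from real hosts), trimmed to a few fields.
GOOD = """
   Path: /Syslog/global/auditRecord/storageCapacity
   Type: integer
   Int Value: 100

   Path: /Syslog/global/auditRecord/storageDirectory
   Type: string
   String Value: [] /scratch/auditLog
"""
BAD = GOOD.replace("Int Value: 100", "Int Value: 4").replace(
    "[] /scratch/auditLog", "[] /scratch/auditLog-old")

if __name__ == "__main__":
    for path, field, g, b in diff_settings(parse_advanced_list(GOOD), parse_advanced_list(BAD)):
        print(f"{path}  {field}: working={g!r} failing={b!r}")
```

To use it on real hosts, redirect each host's command output to a file and pass the file contents to `parse_advanced_list` in place of the constructed strings.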