VMware Aria Operations allows you to view, monitor and search through activities across all the vCenter Servers in your infrastructure.

Audit events enhances operational efficiency, transparency, and accountability. These improvements facilitate security and compliance audits and provide essential details for conducting security forensics. Your organization may be required to provide audit data to support both internal and external audit reviews. By viewing audit events, you can reduce the time required for audit cycles by collecting data from various resources across vCenter Servers, and see it in an unified interface. Currently, audit events reports on authentication and security-related audit events.

How Does Audit Logging Work?

VMware Aria Operations can display audit events after integration with VMware Aria Operations for Logs. Audit events include interactions within the platform like searches, logins, logouts, capability checks, and configuration modifications, which result in the creation of relevant audit records.

By default, the VMware Aria Operations displays audit events for vCenter Server, VMs, Hosts, vSAN resources, NSX resources.

If your virtual infrastructure has multiple vCenter instances, VMware Aria Operations, can monitor resources across all of them. Audit events are only displayed for vCenter instances which are monitored by VMware Aria Operations for Logs , even if such instances are directly configured with VMware Aria Operations. You must manually configure VMware Aria Operations for Logs to monitor the vCenter instances in your virtual infrastructure. You can use log forwarding to configure multiple VMware Aria Operations for Logs instances to do the log analysis. Out of these instances, only one is integrated with VMware Aria Operations, while the others forward the logs to the integrated VMware Aria Operations for Logs instance.
Note: The instances of VMware Aria Operations for Logs used for log forwarding must be of the supported version. Otherwise, audit events are not displayed for vCenter instances monitored by those vCenter log forwarders.
For more information, see the following topics:
To summarize, VMware Aria Operations displays audit events from vCenter instances which are:
  • Configured in the VMware Aria Operations for Logs instance which is integrated with VMware Aria Operations.
  • Configured in the VMware Aria Operations for Logs instances which forward logs to the VMware Aria Operations for Logs which is integrated with VMware Aria Operations.

Audit Event Categories

VMware Aria Operations generates audit events for the following category of actions:
  • Access
  • Access_control
  • Account_management
  • Configuration
  • Data_access
  • Network
  • Notification
  • Permissions
  • Session
  • System
  • Policy
  • Firewall

Audit events may have more than one category.

The default time range for which the audit events are displayed is 24 hours. You have the option to select audit events from the past 1, 6, 12, 24 and 48 hours, but it depends on the data retention configured in the VMware Aria Operations for Logs instance. Additionally, you can specify a custom time range for any time period in the past, provided that it does not exceed the maximum limit of 48 hours.