The vRealize Log Insight Cloud collects and analyzes logs generated in your SDDC.

A trial version of the vRealize Log Insight Cloud service is enabled by default in a new SDDC. The trial period begins when a user in your organization activates the vRealize Log Insight Cloud service and expires in thirty days. After the trial period, you can choose to subscribe to this service or continue to use a subset of service features at no additional cost. For more information about using vRealize Log Insight Cloud, see the vRealize Log Insight Cloud Documentation.

SDDC Audit Log Events

vRealize Log Insight Cloud classifies SDDC events matching the following rules as audit data.

ESXi Audit Events
"text=(esx AND audit)"
"text =(hostd AND vmsvc AND vm AND snapshot)"
"text =(vim.event.HostConnectionLostEvent)"
vCenter Audit Events
"text = (vpxd AND event AND vim AND NOT originator)"
NSX Audit Events
"text = (nsx AND audit AND true AND comp AND reqid)"
NSX Firewall and Packet Log Events
"text = (nsx AND firewall AND inet)"
"text = (firewall_pktlog AND inet)"
User-Driven Activity Events
log_type Contains Activity
VMC Notification Gateway Events
log_type Contains Notification
VMware Site Recovery Events
text contains vmware-dr 
text doesnot contain vmware-dr-audit
VMware Cloud Services Audit Events
log_type Contains csp-audit