ESXi offers both local and remote audit record keeping. Audit record keeping is deactivated by default. You must manually enable both local and remote auditing modes.

The local ESXi audit log operates as a fixed-size buffer of recent audit messages. Once messages fill the buffer, new records overwrite the oldest records. The remote audit log forwards the same stream of audit records in a standard syslog format (RFC 3164) to a remote server, either in unencrypted or encrypted (RFC 5425) form. Audit messages comply with RFC 5424 but general syslog messages comply only with RFC 3164. The system sends generated audit message to the local store and the remote store simultaneously.

During a loss of connection between the host and the remote store, the remote store drops any generated audit messages. Upon reconnection, the system generates an audit message indicating potential message loss.

Configuring Audit Records

You use ESXCLI to configure the local audit record keeping. For more information, see ESXCLI Reference at

Viewing Audit Records

You can view the audit records as follows.

  • Local: Use the ESXi /bin/viewAudit application.
  • Remote: Configure a remote audit server using ESXCLI.

You can also use the FetchAuditRecords API (in the DiagnosticsManager managed object) to view audit records.