Audit records conform to RFC 5424 and contain information about events pertaining to items such as the time, status, description, and user information logged for events that have occurred from actions on ESXi hosts. Both local and remote audit record keeping are available. Audit record keeping is deactivated by default. You must manually activate both local and remote auditing modes.

The local ESXi audit log operates as a fixed-size buffer of recent audit messages. Once messages fill the buffer, new records overwrite the oldest records. The remote audit log forwards the same stream of audit records in a standard syslog format (RFC 3164) to a remote server, either in unencrypted or encrypted (RFC 5425) form. Audit messages comply with RFC 5424 but general syslog messages comply only with RFC 3164. The system sends generated audit message to the local store and the remote store simultaneously.

During a loss of connection between the host and the remote store, the remote store drops any generated audit messages. Upon reconnection, the system generates an audit message indicating potential message loss.

Configuring Audit Records

You use ESXCLI to configure the local audit record keeping. For more information, see ESXCLI Reference at

Viewing Audit Records

You can view the audit records as follows.

  • Local: Use the ESXi /bin/viewAudit application.
  • Remote: Configure a remote audit server using ESXCLI.

You can also use the FetchAuditRecords API (in the DiagnosticsManager managed object) to view audit records.