You can use ESXCLI to configure transmitting audit records to a remote host.

You can specify multiple syslog servers, separated by commas. For protocol and port information, see Configuring ESXi Syslog Services.

Audit records are transmitted to a remote host as RFC-compliant syslog messages. Each record starts with the PRI prefix in the <NNN> format, where NNN is a single number that packs the facility and the severity, calculated as (8 * facility) + severity. The audit facility number is 13 ("log audit"), and a typical severity is info, whose number is 6. By using the formula, the value of NNN for an informational audit message is 110 (8 * 13 + 6), for an audit notice (severity 5) the value is 109, and for an audit error (severity 3) the value is 107. A collector can therefore recognize ESXi audit records by dividing NNN by 8 and checking for facility 13.
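As an added example (not part of VMware's documentation), the following POSIX shell script decodes the PRI prefix of syslog lines as a remote collector would see them and picks out the ESXi audit records by facility. The five sample lines are constructed for the example, not captured from a real host; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from VMware's documentation): decode the <PRI> prefix of
# syslog lines as received on the remote host and pick out ESXi audit records,
# which arrive with facility 13 ("log audit"). The sample lines below are
# constructed for the example, not captured from a real host.

AUDIT_FACILITY=13

# pri_value FACILITY SEVERITY -> the <NNN> value, (8 * facility) + severity
pri_value() {
    echo $(( 8 * $1 + $2 ))
}

# pri_decode LINE -> prints "FACILITY SEVERITY" decoded from the leading <NNN>;
# returns 1 when the line has no well-formed PRI (1-3 digits, at most 191).
pri_decode() {
    case "$1" in
        \<[0-9]\>*|\<[0-9][0-9]\>*|\<[0-9][0-9][0-9]\>*) ;;
        *) return 1 ;;
    esac
    pri=${1#<}
    pri=${pri%%>*}
    [ "$pri" -le 191 ] || return 1   # facility 23, severity 7 is the largest legal PRI
    echo "$(( pri / 8 )) $(( pri % 8 ))"
}

# severity_name SEVERITY -> the RFC 5424 keyword for a severity number
severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;;  3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;;  7) echo debug ;;
        *) return 1 ;;
    esac
}

# Constructed sample: three audit records at the severities the text computes
# (110, 109, 107), one ordinary hostd line at local4.info (166), and one
# malformed line that a collector must tolerate.
SAMPLE_LOG='<110>1 2024-01-01T00:00:00Z esx01 audit - - - constructed audit record, info
<109>1 2024-01-01T00:00:01Z esx01 audit - - - constructed audit record, notice
<107>1 2024-01-01T00:00:02Z esx01 audit - - - constructed audit record, err
<166>1 2024-01-01T00:00:03Z esx01 hostd - - - constructed hostd line, local4.info
this line has no PRI and must be skipped'

# audit_records -> one "SEVERITY_NAME LINE" entry per facility-13 line in SAMPLE_LOG
audit_records() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        if fs=$(pri_decode "$line"); then
            fac=${fs% *}
            sev=${fs#* }
            if [ "$fac" -eq "$AUDIT_FACILITY" ]; then
                printf '%s %s\n' "$(severity_name "$sev")" "$line"
            fi
        fi
    done
}

# count_audit_records -> number of audit records found in SAMPLE_LOG
count_audit_records() {
    n=$(audit_records | wc -l)
    echo $(( n ))
}

audit_records
```

Run stand-alone, the script prints the three audit lines with their severity keywords and silently skips the hostd line and the malformed line; the same `pri_decode` logic works on a live collector by replacing `SAMPLE_LOG` with the received stream.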

The following example configures the firewall to permit outbound syslog access, enables remote audit logging, sets the syslog server, optionally tightens certificate validation for encrypted transmissions, and reloads the syslog daemon so that it picks up the new configuration. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

Procedure

  1. Configure the firewall to permit outbound syslog transmissions.
    esxcli <conn_options> network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli <conn_options> network firewall refresh
  2. Enable remote audit logging.
    esxcli <conn_options> system auditrecords remote enable
  3. Set the syslog server.
    esxcli <conn_options> system syslog config set --loghost="ssl://syslog.example.com:port"
  4. When configuring encrypted transmissions, you can enable CRL checking.
    Note: The --crl-check option performs verification of X.509 CRLs, which are not checked by default in compliance with industry standards. If CRL checks are enabled, all certificates in a certificate chain must provide a CRL link. You should not enable CRL checking unless explicitly required, for example, to satisfy government certification requirements, because of the difficulty in properly configuring an environment that uses CRL checks.
    esxcli <conn_options> system syslog config set --crl-check=true
  5. When configuring encrypted transmissions, you can enable strict compliance with X.509.
    Note: The --x509-strict option performs additional validity checks on CA root certificates during verification. These checks are generally not performed because CA roots are inherently trusted, and might cause incompatibilities with existing, misconfigured CA roots. You should not enable X.509 strict checking unless explicitly required, for example, to satisfy government certification requirements.
    esxcli <conn_options> system syslog config set --x509-strict=true
  6. Notify the syslog daemon of the configuration changes.
    esxcli <conn_options> system syslog reload
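The whole procedure as one script, added here as an example and not VMware's own code. It is meant to run from a workstation with ESXCLI installed; the connection options are taken from the CONN_OPTS variable (for example "--server esx01.example.com --username root"), and the syslog target ssl://syslog.example.com:6514 is an assumed value (6514 is the RFC 5425 port for syslog over TLS). The function names, the ALLOW_PLAINTEXT override, and the use of `esxcli system auditrecords get` for read-back (available on ESXi 7.0 and later, to the best of my knowledge) are the script's own choices. Setting ESXCLI=echo turns the script into a dry run that prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not VMware's own script): apply the six-step procedure above
# and read the resulting configuration back.
# Assumptions: CONN_OPTS holds the ESXCLI connection options (e.g.
# "--server esx01.example.com --username root"); the syslog target is
# ssl://syslog.example.com:6514 (6514 is the RFC 5425 TLS syslog port);
# ESXCLI=echo dry-runs the script and prints the commands instead.
set -u

ESXCLI=${ESXCLI:-esxcli}
CONN_OPTS=${CONN_OPTS:-}

# esx ARGS... -> run one esxcli command with the configured connection options.
esx() {
    # CONN_OPTS is deliberately unquoted so that it splits into separate arguments.
    "$ESXCLI" $CONN_OPTS "$@"
}

# configure_remote_audit LOGHOST [CRL_CHECK] [X509_STRICT]
#   LOGHOST      ssl://host:port, several targets separated by commas
#   CRL_CHECK    true|false  (step 4; leave false unless explicitly required)
#   X509_STRICT  true|false  (step 5; leave false unless explicitly required)
configure_remote_audit() {
    loghost=$1
    crl_check=${2:-false}
    x509_strict=${3:-false}

    # Audit records leave the host in clear over udp:// or tcp://; insist on
    # ssl:// for every target unless the operator overrides with ALLOW_PLAINTEXT=1.
    old_ifs=$IFS; IFS=,; set -- $loghost; IFS=$old_ifs
    for target in "$@"; do
        case "$target" in
            ssl://*) ;;
            *) [ "${ALLOW_PLAINTEXT:-0}" = 1 ] || {
                   echo "refusing non-TLS loghost '$target' (set ALLOW_PLAINTEXT=1 to override)" >&2
                   return 1
               } ;;
        esac
    done

    # Step 1: open the outbound syslog ruleset in the ESXi firewall.
    esx network firewall ruleset set --ruleset-id=syslog --enabled=true || return 1
    esx network firewall refresh || return 1
    # Step 2: enable transmission of audit records to the remote host.
    esx system auditrecords remote enable || return 1
    # Step 3: point the syslog daemon at the remote host(s).
    esx system syslog config set --loghost="$loghost" || return 1
    # Steps 4 and 5: optional, stricter certificate validation for ssl:// targets.
    if [ "$crl_check" = true ]; then
        esx system syslog config set --crl-check=true || return 1
    fi
    if [ "$x509_strict" = true ]; then
        esx system syslog config set --x509-strict=true || return 1
    fi
    # Step 6: make the syslog daemon pick up the new configuration.
    esx system syslog reload
}

# verify_remote_audit -> read back the settings an auditor would check.
verify_remote_audit() {
    esx network firewall ruleset list --ruleset-id=syslog
    esx system syslog config get
    esx system auditrecords get   # assumed: reports remote transmission state on ESXi 7.0+
}

# Usage: CONN_OPTS="--server esx01 --username root" \
#        sh configure_audit_syslog.sh ssl://syslog.example.com:6514 [true|false] [true|false]
if [ -n "${1:-}" ]; then
    configure_remote_audit "$@" && verify_remote_audit
fi
```

Each esxcli call is chained with `|| return 1` so that a failed firewall change does not leave remote audit logging half-configured; on failure, rerun the script after fixing the reported step. Read-back matters because `system syslog config set` is accepted without contacting the server: the first real confirmation is an audit record arriving at the collector.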