Audit records conform to RFC 5424 and describe events that result from actions on ESXi hosts, including the time of the event, its status, a description, and the user who performed the action. Both local and remote audit record keeping are available. Audit record keeping is deactivated by default; you must activate local storage and remote transmission separately and explicitly.
When local storage is activated, audit records are kept in a fixed-size buffer of the most recent records. Once the buffer fills, new records overwrite the oldest ones. Because the local buffer is a ring buffer, local records alone are not a durable audit trail; use remote transmission for retention.
Audit records are stored locally in RFC 5424 format. When transmitted to a remote host they are formatted according to what the ESXi version supports: RFC 3164 only on ESXi 7.0 Update 3, and either RFC 3164 or RFC 5424 on ESXi 8.0 and later. The audit records travel as part of the syslog message stream. Local storage and remote transmission are configured independently of each other; when both are activated, records are stored and transmitted simultaneously.
If the connection between the ESXi host and the remote syslog host is lost, audit records awaiting transmission are buffered, and once the available buffer space is exhausted further records are dropped. On reconnection, the host generates an audit message indicating that messages may have been lost. Treat that message as a trigger to reconcile the remote collector against the local buffer, if local storage is activated.
Configuring Audit Records
You use ESXCLI to configure both local audit record keeping and the transmission of audit records to a remote host. For more information, see ESXCLI Concepts and Examples.
Viewing Audit Records
You can view the audit records as follows.
- Local: Use the ESXi /bin/viewAudit application.
- Remote: Configure a remote audit server using ESXCLI. For more information, see Enable the Transmission of Audit Records to a Remote Host with ESXCLI.
You can also retrieve audit records programmatically with the FetchAuditRecords method of the DiagnosticManager managed object in the vSphere Web Services API.
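The complete ESXCLI sequence for activating the local buffer and remote transmission, then verifying the result, as an added example that is not part of the original page or of VMware's documentation. It assumes the ESXi Shell (or SSH) on ESXi 7.0 Update 3 or later with host configuration privileges, a placeholder collector `ssl://syslog.example.internal:1514`, a placeholder 50 MiB local buffer, and that the `--size` option and the `local get`/`remote get` verification subcommands are spelled as shown; confirm them with `esxcli system auditrecords local set --help` on your build. The `run` wrapper and the `DRY_RUN` switch belong to the example, not to ESXCLI.

```shell
#!/bin/sh
# Added example (not from the VMware page): activate local storage and remote
# transmission of ESXi audit records with ESXCLI, then verify the result.
# Assumptions: ESXi Shell on 7.0 Update 3 or later; the collector address and
# buffer size below are placeholders; option names are as the author understands
# the `esxcli system auditrecords` namespace. Check them with --help on your build.

set -eu

LOGHOST="${LOGHOST:-ssl://syslog.example.internal:1514}"   # placeholder collector
LOCAL_SIZE_MIB="${LOCAL_SIZE_MIB:-50}"                       # placeholder buffer size

# run: execute a command, or print it when DRY_RUN=1 so the exact esxcli calls
# can be reviewed before touching a host (also what the tests exercise).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Local ring buffer: set its capacity in MiB, then enable local storage.
configure_local_audit() {
    size_mib="$1"
    case "$size_mib" in
        ''|*[!0-9]*) echo "size must be a positive integer (MiB)" >&2; return 1 ;;
    esac
    run esxcli system auditrecords local set --size="$size_mib"
    run esxcli system auditrecords local enable
}

# Remote transmission: audit records ride the syslog stream, so the host needs a
# loghost and the outbound syslog firewall ruleset before remote audit is enabled.
# ssl:// is the only transport that protects the records in transit.
configure_remote_audit() {
    loghost="$1"
    case "$loghost" in
        ssl://*|tcp://*|udp://*) ;;
        *) echo "loghost must be ssl://, tcp:// or udp:// followed by host:port" >&2; return 1 ;;
    esac
    run esxcli system syslog config set --loghost="$loghost"
    run esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
    run esxcli system auditrecords remote enable
}

# Neither setting takes effect until the syslog daemon reloads its configuration;
# the get commands afterwards show what the host actually applied.
apply_and_verify() {
    run esxcli system syslog reload
    run esxcli system auditrecords local get
    run esxcli system auditrecords remote get
    run esxcli system syslog config get
}

# Only act when explicitly asked, e.g. `sh audit.sh apply` on the host, or
# `DRY_RUN=1 sh audit.sh apply` anywhere to print the commands instead.
if [ "${1:-}" = "apply" ]; then
    configure_local_audit "$LOCAL_SIZE_MIB"
    configure_remote_audit "$LOGHOST"
    apply_and_verify
fi
```

Run it once with `DRY_RUN=1 sh audit.sh apply` to see the exact command sequence, then without `DRY_RUN` on the host. After it completes, inspect the local buffer with /bin/viewAudit and confirm that the collector is receiving records in the RFC 3164 or RFC 5424 framing your ESXi version transmits.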