Enable the Transmission of Audit Records to a Remote Host with ESXCLI

You can use ESXCLI to configure transmitting audit records to a remote host.

For audit events, use syslog over either TCP on port 514 or TLS on port 1514. To use unencrypted syslog, prefix the loghost entry with tcp://. To use encrypted syslog over TLS, prefix the entry with ssl://. For security reasons, use TLS for this communication. To use TLS, you must load onto ESXi a public CA certificate that can validate the syslog server's certificate.

You can specify multiple syslog servers, separated by commas.

Audit records are transmitted to a remote host as RFC-compliant syslog messages. Each record starts with the RFC-defined PRI prefix in the <NNN> format, where NNN is a single packed value that encodes both facility and severity, calculated as (8 * facility) + severity. The audit facility number is 13, and a typical severity is info, whose number is 6. Applying the formula, the value of NNN for an informational audit message is 110, for an audit notice (severity 5) it is 109, and for an audit error (severity 3) it is 107.
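The following Python example is added here to show the PRI arithmetic from the paragraph above in both directions; it is not part of the original page or of any VMware tool. It encodes a facility/severity pair into the <NNN> value, decodes the prefix of incoming syslog lines back into facility and severity, and filters a set of constructed sample lines down to those carrying the audit facility (13). The sample lines are constructed for the example and are not real ESXi output.

```python
import re

# Audit facility number as stated on the page.
AUDIT_FACILITY = 13

# Syslog severity names, indexed by their numeric value (0 = emerg ... 7 = debug).
SEVERITY_NAMES = [
    "emerg", "alert", "crit", "err", "warning", "notice", "info", "debug",
]

# The PRI header is one to three digits enclosed in angle brackets at line start.
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def encode_pri(facility: int, severity: int) -> int:
    """Compute the <NNN> PRI value as (8 * facility) + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return 8 * facility + severity


def decode_pri(line: str) -> dict:
    """Split a syslog line's <NNN> prefix back into facility and severity."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("line does not start with a <NNN> PRI header")
    pri = int(match.group(1))
    if pri > 191:  # 8 * 23 + 7 is the largest legal PRI
        raise ValueError("PRI value out of range (max 191)")
    facility, severity = divmod(pri, 8)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "is_audit": facility == AUDIT_FACILITY,
        "message": line[match.end():],
    }


def audit_records(lines) -> list:
    """Decode every line and keep only those from the audit facility."""
    return [rec for rec in map(decode_pri, lines) if rec["is_audit"]]


# Constructed sample input (not real ESXi output): three audit records at
# info, notice and err, plus one non-audit line from facility 3 (daemon) at info.
SAMPLE_LINES = [
    "<110>1 2024-01-01T00:00:00Z esxi-host audit - - [constructed] user login",
    "<109>1 2024-01-01T00:00:01Z esxi-host audit - - [constructed] config change",
    "<107>1 2024-01-01T00:00:02Z esxi-host audit - - [constructed] auth failure",
    "<30>1 2024-01-01T00:00:03Z esxi-host daemon - - [constructed] not an audit record",
]

if __name__ == "__main__":
    for rec in audit_records(SAMPLE_LINES):
        print(rec["pri"], rec["severity_name"], rec["message"])
```

Running the block prints the three audit records with their decoded severity names; a collector can use the same `is_audit` test to route ESXi audit records to a separate, access-controlled pipeline from ordinary host logs.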

The following example configures the firewall to permit outbound syslog traffic, enables remote audit logging, sets the syslog server, enables CRL checking and strict X.509 compliance for encrypted transmissions, and reloads the syslog daemon so that the changes take effect. Specify one of the options listed in Connection Options for ESXCLI Host Management Commands in place of <conn_options>.

Procedure

  1. Configure a firewall to permit outbound syslog transmissions.
    esxcli <conn_options> network firewall ruleset set --ruleset-id=syslog --enabled=true
    esxcli <conn_options> network firewall refresh
  2. Enable remote audit logging.
    esxcli <conn_options> system auditrecords remote enable
  3. Set the syslog server.
    esxcli <conn_options> system syslog config set --loghost="ssl://syslog.example.com:port"
  4. When configuring encrypted transmissions, enable CRL checking.
    esxcli <conn_options> system syslog config set --crl-check=true
  5. When configuring encrypted transmissions, enable strict compliance with X.509.
    esxcli <conn_options> system syslog config set --x509-strict=true
  6. Notify the syslog daemon of the configuration changes.
    esxcli <conn_options> system syslog reload
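The Python example below is added as a pre-flight check for the --loghost value used in step 3 above; it is not part of the original page and not an ESXCLI feature. It splits a comma-separated loghost string into individual servers, as the page describes, accepts only the tcp:// and ssl:// prefixes the page names, requires an explicit port, and reports which servers would receive audit records in plaintext so an operator can spot an unencrypted target before applying the setting. The host names in the sample values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Prefixes named on the page: tcp:// is plaintext syslog, ssl:// is syslog over TLS.
ALLOWED_SCHEMES = {"tcp", "ssl"}


def parse_loghost(value: str) -> list:
    """Parse a comma-separated --loghost value into one entry per server.

    Raises ValueError for an entry without a tcp:// or ssl:// prefix, without a
    host name, or without an explicit numeric port.
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing or doubled comma
        parts = urlsplit(raw)
        if parts.scheme not in ALLOWED_SCHEMES:
            raise ValueError(f"{raw!r}: prefix must be tcp:// or ssl://")
        if not parts.hostname:
            raise ValueError(f"{raw!r}: missing host name")
        port = parts.port  # raises ValueError if the port is not numeric
        if port is None:
            raise ValueError(f"{raw!r}: an explicit port is required")
        entries.append({
            "scheme": parts.scheme,
            "host": parts.hostname,
            "port": port,
            "encrypted": parts.scheme == "ssl",
        })
    if not entries:
        raise ValueError("no syslog servers given")
    return entries


def plaintext_targets(value: str) -> list:
    """Return the host names that would receive audit records without TLS."""
    return [e["host"] for e in parse_loghost(value) if not e["encrypted"]]


# Constructed sample values (placeholder host names, not real infrastructure).
SAMPLE_OK = "ssl://syslog-a.example.com:1514,ssl://syslog-b.example.com:1514"
SAMPLE_MIXED = "ssl://syslog-a.example.com:1514, tcp://legacy.example.com:514"
SAMPLE_BAD = "udp://syslog-a.example.com:514"

if __name__ == "__main__":
    print("plaintext targets in SAMPLE_MIXED:", plaintext_targets(SAMPLE_MIXED))
    try:
        parse_loghost(SAMPLE_BAD)
    except ValueError as err:
        print("rejected:", err)
```

The check deliberately rejects anything other than tcp:// and ssl:// rather than guessing; if the page's procedure is followed, every entry in a hardened configuration should parse with `encrypted` set to True and `plaintext_targets` should return an empty list.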