Symptoms:
When the auth.log file is used to trace SSH session login details, it shows no result; however, the login event is now recorded in syslog.log.

cat /var/log/auth.log |grep -e "root login" -e "Connection from" |grep -A 100000 "2025-06"
<no result>

cat /var/log/syslog.log |grep -e "root login" -e "Connection from" |grep -A 100000 "2025-06"
YYYY-MM-DDT09:17:50.840Z In(38) sshd-session[4142373]: Connection from 192.16X.X.XX port 64036
ESXi 8.0.3
During the OpenSSH upgrade in September 2024 to version 9.8p2, a significant upstream change was introduced wherein the sshd binary was split into a new component called sshd-session.
However, as part of this upgrade, the specific JSON configuration file used by the vmsyslog service, which defines which userworld processes are authorized to write to auth.log, was not updated.
This oversight led to a misconfiguration in the vmsyslog policy — the property that controls logging access was not updated to reflect the new sshd-session binary. As a result, logs for SSH sessions were not recorded in auth.log as expected, and instead defaulted to syslog.log.
The engineering team is aware of the issue, and the fix is expected to be released in the upcoming ESXi 8.0.3 and ESX 9.0 patches.
No workaround available.
In ESXi 8.0.3, "sshd-session" writes the session logs, and those go to "syslog.log". This follows from the auth.conf file, in which the known idents are:

idents = login,su,sshd,passwd

"sshd-session" is not in that list; consequently, it writes its data to the default location for unknown idents, i.e., "syslog.log".
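
The routing described above, together with a search that covers both log files so SSH logins are not missed, as an added example (not VMware's code and not part of the original article). The function names and the sample log lines are constructed for illustration; the idents list and the line layout follow what this page shows.

```shell
#!/bin/sh
# Idents that vmsyslog routes to auth.log, as quoted from auth.conf on this page.
AUTH_IDENTS="login,su,sshd,passwd"

# Print the log file an ident lands in: listed idents go to auth.log,
# unknown idents fall through to the default, syslog.log.
log_for_ident() {
    case ",$AUTH_IDENTS," in
        *",$1,"*) echo "auth.log" ;;
        *)        echo "syslog.log" ;;
    esac
}

# Print SSH login events whose timestamp starts with a prefix (e.g. 2025-06)
# from every readable file given, matching both idents: sshd and sshd-session.
ssh_login_events() {
    prefix=$1; shift
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v p="$prefix" -v src="$f" '
            index($0, p) == 1 && $3 ~ /^sshd(-session)?\[[0-9]+\]:$/ &&
            /Connection from|root login/ { print src ": " $0 }' "$f"
    done
}

# Constructed sample logs (not real data; message text is built around the
# grep patterns on this page): a pre-upgrade entry in auth.log, post-upgrade
# entries in syslog.log, plus lines that must not match.
make_sample_logs() {
    cat > "$1/auth.log" <<'EOF'
2025-05-30T08:01:02.000Z In(38) sshd[1001]: Connection from 192.0.2.10 port 50000
2025-06-02T10:00:00.000Z In(38) su[1002]: session opened for user root
EOF
    cat > "$1/syslog.log" <<'EOF'
2025-06-03T09:17:50.840Z In(38) sshd-session[2001]: Connection from 192.0.2.10 port 64036
2025-06-03T09:17:52.100Z In(38) sshd-session[2001]: root login from 192.0.2.10
2025-06-03T09:18:00.000Z In(30) crond[2002]: Connection from cache refreshed
EOF
}

d=$(mktemp -d)
make_sample_logs "$d"
ssh_login_events 2025-06 "$d/auth.log" "$d/syslog.log"
rm -rf "$d"
```

On an affected host the same function would be pointed at /var/log/auth.log and /var/log/syslog.log, the two paths used in the commands above.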