• Attempting to change the Audit Logging directory via vCenter Server UI fails.
  
  
• Task in vCenter completes with error status:

  Fault: Internal error

• Logs on the ESXi host (/var/log/hostd.log) show entries similar to:

  Failed to set global syslog configuration : The audit record storage directory '/vmfs/volumes/<UUID>/systemlogs/Audit' is invalid.
  vmodl.fault.SystemError(reason = "Internal error")
  

By default, Audit Logging stores files in the /scratch/auditLog directory.

If Audit Logging is enabled without explicitly defining a datastore path, /scratch/auditLog is automatically used.

Changing the directory directly from the vCenter Server UI fails because:

• The /scratch/auditLog directory is actively in use.

• A new directory path cannot be applied while Audit Logging is enabled.

• The target folder must not exist before enabling Audit Logging, as the ESXi system auto-creates it.

1. SSH to the Affected ESXi Host using root user account.
   
   
2. Disable Local Audit Logging

   esxcli system auditrecords local disable

3. Delete Existing Audit Logs

   rm -rf /scratch/auditLog/

4. Set a New Directory on the Desired Datastore

   esxcli system auditrecords local set --directory /vmfs/volumes/<Datastore-UUID>/systemlogs/Audit

5. Enable Local Audit Logging

   esxcli system auditrecords local enable

6. Verify Audit Logging Status

   esxcli system auditrecords get

7. Expected output shows the new datastore path:

   [root@esxi01:~] esxcli system auditrecords get
      Audit Record Storage Active: true
      Audit Record Storage Directory: /vmfs/volumes/<Datastore-UUID>/systemlogs/Audit

8. Reboot the ESXi Host
   
   
9. Audit logs such as audit.001, audit.002, etc., will be created automatically in the configured datastore directory.

• The datastore directory for Audit Logging must not pre-exist; ESXi will automatically create it during enablement.
  
  
• If not specified, Audit Logging defaults to /scratch/auditLog.