2025-10-07T06:41:13.954Z <NSX-Manager> audispd - - - type=USER_CMD msg=audit(1759819273.624:54219324): pid=1236846 uid=33 auid=4294967295 ses=4294967295 subj=unconfined msg='cwd="/" cmd="/opt/vmware/nsx-node-api/bin/api_roothelper.sh" exe="/usr/bin/sudo" terminal=? res=success' UID="www-data" AUID="unset"
<134>1 2025-10-07T06:41:13.999Z <NSX-Manager> audispd - - - type=CRED_REFR msg=audit(1759819273.624:54219325): pid=1236846 uid=33 auid=4294967295 ses=4294967295 subj=unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success' UID="www-data" AUID="unset"
2025-10-07T09:33:01.759Z <NSX-Edge> audispd - - - type=SYSCALL msg=audit(1759829581.297:125322411): arch=c000003e syscall=59 success=yes exit=0 a0=19f3ed99eec0 a1=19f######880 a2=19f######3f0 a3=0 items=3 ppid=687030 pid=687051 auid=0 uid=0 gid=4 euid=0 suid=0 fsuid=0 egid=4 sgid=4 fsgid=4 tty=(none) ses=768581 comm="gzip" exe="/usr/bin/gzip" subj=unconfined key="root_cmd" ARCH=x86_64 SYSCALL=execve AUID="root" UID="root" GID="adm" EUID="root" SUID="root" FSUID="root" EGID="adm" SGID="adm" FSGID="adm"
2025-10-07T09:33:01.874Z <NSX-Edge> audispd - - - type=CWD msg=audit(1759829581.297:125322411): cwd="/"
2025-10-07T09:33:01.077Z <NSX-Edge> audispd - - - type=EOE msg=audit(1759829581.297:125322411):
VMware NSX-T Data Center
VMware NSX
VMware vRealize Log Insight
These "audispd" logs are expected. They are required for distributing audit events to the various programs (remote syslog servers, security monitoring tools, etc.) that analyze events in real time.
Audit logs will not go to the local syslog files, but they will be logged in the local audit.log file.
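
The following Python parser is an added example, not part of the original article or of any VMware tooling. It groups forwarded audispd records by host and audit serial (the number after the colon in `msg=audit(...)`), which is what ties the SYSCALL, CWD and EOE records above into one event even though their syslog timestamps differ. The sample input is a constructed, shortened copy of the lines above, and the function names are hypothetical.

```python
import re

# Constructed sample: shortened copies of the forwarded records shown on this page.
SAMPLE = '''\
2025-10-07T06:41:13.954Z <NSX-Manager> audispd - - - type=USER_CMD msg=audit(1759819273.624:54219324): pid=1236846 uid=33 auid=4294967295 msg='cwd="/" cmd="/opt/vmware/nsx-node-api/bin/api_roothelper.sh" exe="/usr/bin/sudo" terminal=? res=success' UID="www-data" AUID="unset"
<134>1 2025-10-07T06:41:13.999Z <NSX-Manager> audispd - - - type=CRED_REFR msg=audit(1759819273.624:54219325): pid=1236846 uid=33 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" res=success' UID="www-data" AUID="unset"
2025-10-07T09:33:01.759Z <NSX-Edge> audispd - - - type=SYSCALL msg=audit(1759829581.297:125322411): arch=c000003e syscall=59 success=yes pid=687051 auid=0 uid=0 comm="gzip" exe="/usr/bin/gzip" key="root_cmd" SYSCALL=execve AUID="root" UID="root"
2025-10-07T09:33:01.874Z <NSX-Edge> audispd - - - type=CWD msg=audit(1759829581.297:125322411): cwd="/"
2025-10-07T09:33:01.077Z <NSX-Edge> audispd - - - type=EOE msg=audit(1759829581.297:125322411):
'''

# Optional "<PRI>VERSION " syslog prefix, syslog time, host, then the audit record.
HEADER = re.compile(r'^(?:<\d+>\d+ )?(?P<syslog_ts>\S+) (?P<host>\S+) audispd - - - '
                    r'type=(?P<type>\w+) msg=audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
FIELD = re.compile(r'''(\w+)=("[^"]*"|'[^']*'|\S+)''')

def parse_fields(body):
    """Parse key=value pairs; a single-quoted msg='...' holds nested pairs."""
    out = {}
    for key, val in FIELD.findall(body):
        if val.startswith("'"):
            out.update(parse_fields(val[1:-1]))
        else:
            out[key] = val.strip('"')
    return out

def parse_events(text):
    """Group records by (host, audit serial): one dict per audit event."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # not an audispd-forwarded record
        key = (m["host"].strip("<>"), int(m["serial"]))
        ev = events.setdefault(key, {"epoch": float(m["epoch"]), "types": [], "fields": {}})
        ev["types"].append(m["type"])
        ev["fields"].update(parse_fields(m["body"]))
    return events

def describe(ev):
    """One-line summary: record types, login and effective user, command run."""
    f = ev["fields"]
    what = f.get("cmd") or f.get("exe", "?")
    return f'{"+".join(ev["types"])} AUID={f.get("AUID", "?")} UID={f.get("UID", "?")} ran {what}'

if __name__ == "__main__":
    for (host, serial), ev in parse_events(SAMPLE).items():
        print(host, serial, describe(ev))
```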