• Delivery of messages via syslog has been configured for VMware Cloud Director, as detailed in the following article:
  
  Enabling Centralized Logging in VMware vCloud Director
  
  
• In the destination log aggregator, messages appear to be incomplete or span multiple entries, similar to the following:
  
  VMware Cloud Director logs are truncated in Aria Operations for Logs

VMware Cloud Director 10.6.x

VMware Cloud Director utilizes the log4j SyslogAppender to delivery messages to a syslog server via UDP. By design and in accordance to RFC specifications, messages larger than 1024 bytes will be split into multiple packets and it is the responsibility of the destination log aggregator to identify, cache, and re-assemble these items. Since the UDP protocol does not guarantee packet delivery or correct sequence, there can be additional issues accurately identifying associated packets, assuming that re-assembly is attempted at the destination.

This behavior is expected and cannot be adjusted at the source VMware Cloud Director configuration. Determine the options for re-assembly on the destination log aggregator and confirm that there is reliable networking between the environments, including a consistent end-to-end MTU as in the following:

Syslog messages are truncated when received from VMware Cloud Director

For more complete and reliable audit message information, the API can be used to programmatically retrieve the details:

Query Audit Trail API