Information
Configure a persistent log location for all locally stored audit records on the ESXi host.

ESXi can be configured to store audit records on an in-memory file system. This occurs when the host's "/scratch" directory is linked to "/tmp/scratch". When this is done, only a single day's worth of records is stored at any time. In addition, audit records will be reinitialized upon each reboot. This presents a security risk, as user activity logged on the host is only stored temporarily and will not persist across reboots. This can also complicate auditing and make it harder to monitor events and diagnose issues. ESXi host audit record logging should always be configured to a persistent datastore.

You can detect whether the scratch volume is temporary or persistent by querying the ScratchConfig.CurrentScratchLocation advanced parameter. If, when queried, it returns "/tmp/scratch", then the volume is temporary and you should remap the audit record storage to a persistent device. The persistent location cannot be a vSAN datastore.

If your only local, non-vSAN storage is SD or USB media (which can become unreliable with repeated writes from logs), you might consider leaving the logs in the ramdisk and ensuring that a remote logging host is configured instead. Document the decision and rationale in preparation for future audits.
Solution
Get-VMHost -Name $ESXi | Get-AdvancedSetting Syslog.global.auditRecord.storageDirectory | Set-AdvancedSetting -Value "<PERSISTENT LOCATION>/audit"
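
The check described under Information, as an added example that is not part of the original guidance: it classifies a host from its scratch location, audit record directory and remote log host. Host names and values are constructed samples, and using Syslog.global.logHost as the remote logging setting is an assumption the page does not name.

```powershell
# Added example. The classification is a pure function, so it runs without a vCenter connection.
function Test-AuditRecordStorage {
    param(
        [string]$HostName,
        [string]$ScratchLocation,  # value of ScratchConfig.CurrentScratchLocation
        [string]$AuditDirectory,   # value of Syslog.global.auditRecord.storageDirectory
        [string]$RemoteLogHost     # value of Syslog.global.logHost (assumed setting), empty if unset
    )
    $scratchIsRamdisk = $ScratchLocation.TrimEnd('/') -eq '/tmp/scratch'
    # Tolerate a leading "[datastore] " prefix before inspecting the path.
    $path = ($AuditDirectory -replace '^\[[^\]]*\]\s*', '').TrimEnd('/')
    $temporary = ($path -match '^/tmp(/|$)') -or
                 (($path -match '^/scratch(/|$)') -and $scratchIsRamdisk)

    if ([string]::IsNullOrWhiteSpace($path)) {
        $status = 'REVIEW: audit record directory not set'
    } elseif (-not $temporary) {
        # A vSAN datastore is not detectable from the path alone; verify that separately.
        $status = 'OK: persistent path (confirm it is not vSAN)'
    } elseif ([string]::IsNullOrWhiteSpace($RemoteLogHost)) {
        $status = 'FAIL: audit records in ramdisk, no remote log host'
    } else {
        $status = 'REVIEW: ramdisk with remote log host, confirm documented rationale'
    }
    [pscustomobject]@{ Host = $HostName; AuditPath = $path; Status = $status }
}

# Constructed sample values (not taken from real hosts).
$sample = @(
    @{ HostName = 'esx-a.example'; ScratchLocation = '/tmp/scratch'
       AuditDirectory = '[] /scratch/auditLog'; RemoteLogHost = '' }
    @{ HostName = 'esx-b.example'; ScratchLocation = '/tmp/scratch'
       AuditDirectory = '[] /scratch/auditLog'; RemoteLogHost = 'ssl://loghost.example:1514' }
    @{ HostName = 'esx-c.example'; ScratchLocation = '/vmfs/volumes/datastore1/.locker'
       AuditDirectory = '/vmfs/volumes/datastore1/audit'; RemoteLogHost = '' }
)
foreach ($h in $sample) { Test-AuditRecordStorage @h }

# Live use with PowerCLI, after Connect-VIServer:
# foreach ($vmhost in Get-VMHost) {
#     $get = { param($n) (Get-AdvancedSetting -Entity $vmhost -Name $n).Value }
#     Test-AuditRecordStorage -HostName $vmhost.Name `
#         -ScratchLocation (& $get 'ScratchConfig.CurrentScratchLocation') `
#         -AuditDirectory  (& $get 'Syslog.global.auditRecord.storageDirectory') `
#         -RemoteLogHost   (& $get 'Syslog.global.logHost')
# }
```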