I guess you are talking about 'audit' logs for NAS?
For audit logs, there are '2' volumes, which are separate and should ideally have nothing to do with the SVM root volume.
Audit records are initially stored in binary staging files (on staging volume MDV*) and later consolidated and converted to user-readable event logs, which are stored in the audit event log directory (Existing_non_root or separate small size volume) for the SVM. Even though the size of the log directory is 200MB (with log rotation), it shouldn't be on svm_root_vol.
Yes, those are the 'root' volumes for each node, which are created when you install ONTAP software on the root aggregate. This is where 'Security Audit Logs' are stored. The one I mentioned in the first response is NAS audit logs (CIFS/NFS).