Keystroke logging and virtual machines

RedGrittyBrick is right.

Here's how it would work:

1. Keylogger is on host machine: even VM sessions will be keylogged.
2. Keylogger is on virtual machine: only VM will be keylogged unless it escapes the VM.
3. Keylogger is hardware-based: same as #1: everything can be captured, but this includes things even outside of the main operating system, as long as it's all going to the hardware. This means anything on your machine, including BIOS passwords, boot passwords, disk encryption, etc.

A hardware keylogger will obviously capture anything typed on the keyboard it is attached to. So that includes keystrokes that are forwarded to a VM.

I would expect a software keylogger running on the host system should also capture anything typed on the local keyboard before it gets to any VM

A software keylogger running in a VM would capture keystrokes from the virtual keyboard presented by the host, so it would not capture keystrokes consumed by the host nor keystrokes forwarded to other VMs.

Keyloggers do not capture keystrokes generated remotely and transmitted to the computer hosting the keylogger by network protocols similar to SSH.

Whether host-end keyloggers can capture keystrokes from remote-desktop clients (e.g. RDP) presumably depends on details of the implementation of the remote desktop service and of the keylogger.