Which logs to check to find out which policy was changed on which group
Scenario: An Administrator logs into the Symantec Endpoint Protection Manager Console and removes a Global Exception Policy from all groups defined with the SEPM, causing several mission critical applications to stop functioning.
The Audit logs generated from SEPM > Monitors > Logs > Log Type > Audit Log have the following information.
Event type: Policy edited
Description: Update shared Antivirus Policy: Antivirus and Antispyware policy - High Security
Domain:
Site:
Server:
Time: 08/25/2011 06:27:24
Policy: Antivirus and Antispyware policy - High Security
Administrator: admin
It would be helpful for the Administrators if the Audit log had details about the exact changes which were made, for example: what change was made to the policy (Withdrawn, Deleted, Edited, Assigned to another Group, Policy Replaced with which policy), and what Policy configurations were changed (options selected/deselected, checkboxes checked/unchecked, etc.). At present SEPM does not provide enough detailed information for this type of activity.
Request: Need a log that provides more detailed information about the changes made to a policy.
Comments
Detailed logs are always better.
Finer logs always give you a better understanding of the impact of the change over the environment. This will help the users as well as the Techs to analyse the changes made to the policy.
Anand.
I agree with Mudit.
Hello,
Even though Symantec is not an auditing tool, there are a few reports which are expected from a security software to track at least the changes made through itself.
How would administrators come to know who did those changes, what changes were made and exact description, what policies were changed and specifically what was done...
Hope we have a log of such activities performed by SEPM itself!
Mithun Sanghavi
Symantec Technical Support Engineer, SEP
MIM | MCSA | SCTS | ITIL v3
Follow me on Twitter: @mithun_sanghavi
Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.
Hello Mudit, I surely agree
Hello Mudit,
I surely agree with your comment "It would be helpful for the Administrators if the Audit log had details about the exact changes which were made".
As compliance is a critical part of security, in-detail log analysis or generating logs from SEP Manager will help in understanding and resolving queries faster and quicker.
Swapnil
SOC Team.
Please don't forget to mark your thread solved with whatever answer helped you.
Good information Mudit.
Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
Information from audit log
How to get more information from the audit log apart from the one in description?