
Which logs to check to find out which policy was changed on which group

Created: 26 Aug 2011 | 6 comments
Mudit Kumar

Scenario: An Administrator logs into the Symantec Endpoint Protection Manager Console and removes a Global Exception Policy from all groups defined within the SEPM, causing several mission-critical applications to stop functioning.

The Audit logs generated from SEPM > Monitors > Logs > Log Type > Audit Log have the following information.

Event type: Policy edited
Description: Update shared Antivirus Policy: Antivirus and Antispyware policy - High Security
Domain:
Site:
Server:
Time: 08/25/2011 06:27:24
Policy: Antivirus and Antispyware policy - High Security
Administrator: admin

It would be helpful for the Administrators if the Audit log had details about the exact changes which were made, for example: what change was made to the policy (Withdrawn, Deleted, Edited, Assigned to another Group, Policy Replaced with which policy), and what Policy configurations were changed (Options selected/deselected, Checkboxes checked/unchecked, etc.). At present SEPM does not provide enough detailed information for this type of activity.

Request: Need a log that provides more detailed information about the changes made to a policy.
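As an added example (not from the post and not Symantec's code), the script below parses audit-log records in the field layout quoted above and returns only the policy-affecting events, ordered by time, so they can be fed into a notification or SIEM pipeline. The sample text is constructed, and the event-type names other than "Policy edited" are assumed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the field layout quoted in the post (not real SEPM output).
SAMPLE_AUDIT_LOG = """\
Event type: Policy edited
Description: Update shared Antivirus Policy: Antivirus and Antispyware policy - High Security
Domain:
Site:
Server:
Time: 08/25/2011 06:27:24
Policy: Antivirus and Antispyware policy - High Security
Administrator: admin

Event type: Policy withdrawn
Description: Withdraw shared Exceptions Policy: Exceptions policy - Global
Domain:
Site:
Server:
Time: 08/25/2011 06:30:10
Policy: Exceptions policy - Global
Administrator: admin

Event type: Administrator logged in
Description: Administrator admin logged in
Domain:
Site:
Server:
Time: 08/25/2011 06:20:00
Policy:
Administrator: admin
"""

# Event types that change what protections endpoints receive; only "Policy edited" is
# quoted in the post, the others are assumed names for the change kinds it lists.
POLICY_CHANGE_EVENTS = {"Policy edited", "Policy withdrawn", "Policy deleted", "Policy assigned"}

def parse_audit_log(text):
    """One dict per blank-line-separated record, keyed by the field name of each 'Field: value' line."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        # partition() splits at the first colon only, so values such as the Time field keep theirs
        pairs = (line.partition(":") for line in chunk.splitlines() if ":" in line)
        records.append({key.strip(): value.strip() for key, _, value in pairs})
    return records

def policy_changes(text):
    """Policy-affecting events as (time, administrator, event type, policy) tuples, oldest first."""
    return sorted(
        (datetime.strptime(r["Time"], "%m/%d/%Y %H:%M:%S"), r.get("Administrator", ""),
         r["Event type"], r.get("Policy", ""))
        for r in parse_audit_log(text) if r.get("Event type") in POLICY_CHANGE_EVENTS
    )
```

Each returned tuple is the minimum a notification rule needs: who changed which policy, how, and when, while the login record is dropped as noise.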

Comments (6)

joblessandy

Finer logs always give you a better understanding of the impact of the change over the environment. This will help the users as well as the Techs to analyse the changes made to the policy.

Anand.

Mithun Sanghavi

Hello,

Even though Symantec is not an auditing tool, there are a few reports which are expected from a security software to track at least the changes made through itself.

How would administrators come to know who did those changes, what changes were made and exact description, what policies were changed and specifically what was done...

Hope we have a log of such activities performed by SEPM itself!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Swapnil khare

Hello Mudit,

I surely agree with your comment "It would be helpful for the Administrators if the Audit log had details about the exact changes which were made"

As compliance is a critical part of security, in-detail log analysis or generating logs from the SEP manager will help in understanding and resolving queries faster and quicker.

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

la_ripper

Good information Mudit.

Don't forget to mark your thread as 'solved' or vote with the answer that best helped you!
lalith007

How to get more information from the audit log apart from the one in description?

mallcop

Hi guys,

I'm looking for the same audit features in SEP. Maybe some notifications would be good too, because recently I had a case where a policy was disabled and I found this pretty late. Also some group creation/modification/deletion audit would be nice.
