By default, the syslog output does not record when a policy has been modified in Management Center; the event-log level needs to be increased through the CLI.
- # configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
(config)# event-log
(config-event-log)# level 6
Event log level set to 6 (info).
Be aware that this will cause additional CPU and HDD usage on the Management Center device.
After the event-log level has been increased, Management Center will populate the syslog with records that contain "operation=policy.content_revision"
- Example:
- Dec 19 19:41:38 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event [uuid=23F14DDF-47A0-49F8-92A6-3536C1F3A75B, partition=null, createdOn=12/19/19 19:41:38, createdBy=admin, operation=policy.content_revision, target=36688B3F-60B7-484D-9261-D5E0571B1E30, type=PolicyImpl, reference1=Deny rule, reference2=1.2, reference3=1.1, reference4=Test to see what is in the event log., reference5=null]
- createdOn - Date and Time of the change
- createdBy - Username of who made the change
- target - UUID of the policy changed.
- reference1 - policy name
- reference2 - policy version created
- reference3 - old policy version
- reference4 - Description of changes made by user
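The following parser for these records is an added example, not code from Symantec or from the original page; the function names are hypothetical, and the second and third sample lines are constructed. It splits only on the field names shown above, because reference4 is free text entered by the user and may itself contain commas or key=value text.

```python
import re

# Field names taken from the sample record on this page, used as split anchors.
KEYS = ("uuid", "partition", "createdOn", "createdBy", "operation", "target",
        "type", "reference1", "reference2", "reference3", "reference4",
        "reference5")
_BODY = re.compile(r"Data Change Event \[(.*)\]\s*$")
# Split only on ", " followed by a known key, so commas in free text survive.
_SPLIT = re.compile(r", (?=(?:%s)=)" % "|".join(KEYS))

def parse_audit(line):
    """Return the fields of a Data Change Event line as a dict, or None."""
    m = _BODY.search(line)
    if not m:
        return None
    fields, last = {}, None
    for part in _SPLIT.split(m.group(1)):
        key, _, value = part.partition("=")
        if key in KEYS and key not in fields:
            fields[key], last = value, key
        elif last:
            # A repeated key is folded back into the previous field, so text in
            # the description cannot overwrite createdBy, operation or target.
            fields[last] += ", " + part
    return fields

def policy_revisions(lines):
    """Return one summary dict per operation=policy.content_revision record."""
    out = []
    for line in lines:
        f = parse_audit(line)
        if f and f.get("operation") == "policy.content_revision":
            out.append({"when": f.get("createdOn"), "who": f.get("createdBy"),
                        "policy_uuid": f.get("target"),
                        "policy_name": f.get("reference1"),
                        "new_version": f.get("reference2"),
                        "old_version": f.get("reference3"),
                        "description": f.get("reference4")})
    return out

# First line is the record from this page; the other two are constructed.
HDR = "Dec 19 19:41:38 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event "
SAMPLE = [
    HDR + "[uuid=23F14DDF-47A0-49F8-92A6-3536C1F3A75B, partition=null, createdOn=12/19/19 19:41:38, createdBy=admin, operation=policy.content_revision, target=36688B3F-60B7-484D-9261-D5E0571B1E30, type=PolicyImpl, reference1=Deny rule, reference2=1.2, reference3=1.1, reference4=Test to see what is in the event log., reference5=null]",
    HDR + "[uuid=00000000-0000-0000-0000-000000000001, partition=null, createdOn=12/19/19 19:50:02, createdBy=admin, operation=policy.content_revision, target=00000000-0000-0000-0000-000000000002, type=PolicyImpl, reference1=Deny rule, reference2=1.3, reference3=1.2, reference4=Added rule, createdBy=nobody, see ticket, reference5=null]",
    HDR + "[uuid=00000000-0000-0000-0000-000000000003, partition=null, createdOn=12/19/19 19:55:10, createdBy=admin, operation=placeholder.other_operation, target=null, type=null, reference1=null, reference2=null, reference3=null, reference4=null, reference5=null]",
]

if __name__ == "__main__":
    for rev in policy_revisions(SAMPLE):
        print(rev)
```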
To view the changes made, use the comparison tool in Management Center:
https://origin-symwisedownload.symantec.com/resources/webguides/managementcenter/2.3.1.1/Content/ConfigurationManagementGuide/6_Policy/compare_device_policy_versions.htm?Highlight=compare%20policy