How to Get Policy Changes from Syslogs


Article ID: 184817


Updated On:

Products

Management Center

Issue/Introduction

You want to be notified when policy changes are made in Management Center.

Resolution

By default, the syslog output does not record when a policy has been modified in Management Center; the event-log level must be raised through the CLI:

    # configure terminal
    Enter configuration commands, one per line. End with CNTL/Z.
    (config)# event-log
    (config-event-log)# level 6
    Event log level set to 6 (info).

Be aware that this will cause additional CPU and HDD usage on the Management Center device.

After the event-log level has been increased, Management Center will populate the syslog output with records that contain "operation=policy.content_revision".

Example:

    Dec 19 19:41:38 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event [uuid=23F14DDF-47A0-49F8-92A6-3536C1F3A75B, partition=null, createdOn=12/19/19 19:41:38, createdBy=admin, operation=policy.content_revision, target=36688B3F-60B7-484D-9261-D5E0571B1E30, type=PolicyImpl, reference1=Deny rule, reference2=1.2, reference3=1.1, reference4=Test to see what is in the event log., reference5=null]

Fields of interest in the record:

  • createdOn - date and time of the change
  • createdBy - username of the account that made the change
  • target - UUID of the policy that was changed
  • reference1 - policy name
  • reference2 - new policy version created by the change
  • reference3 - previous policy version
  • reference4 - description of the change, as entered by the user
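The following is an added example, not code from the article or from the Management Center product, of how a collector could pick policy revisions out of a syslog stream and turn them into a notification. It parses the "Data Change Event" layout shown above, filters on operation=policy.content_revision, and maps the documented fields (createdOn, createdBy, target, reference1-4) onto a small record. The sample lines are constructed: the first is the article's own example, the other two are made up (placeholder UUIDs, a placeholder non-policy operation, and a description containing a comma) to exercise the filter and the field splitter. One assumption is that keys in the bracketed list never contain spaces, which holds for every key in the article's example; the splitter relies on it so that a user-typed description containing commas is not torn apart.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Operation string the article says marks a policy content revision.
POLICY_CHANGE_OP = "policy.content_revision"

# Line layout as shown in the article's example: timestamp, host, logger name,
# the literal "Data Change Event", then a bracketed key=value list.
_RECORD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<logger>\S+) Data Change Event \[(?P<body>.*)\]$"
)
# Split the body on ", " only when the next token looks like a key (word=).
# reference4 is free text typed by the user and may contain commas; a naive
# split(", ") would break it. Assumption: keys never contain spaces.
_FIELD_SPLIT_RE = re.compile(r", (?=\w+=)")


def parse_audit_record(line: str) -> Optional[dict]:
    """Return the key=value fields of a 'Data Change Event' line, or None."""
    m = _RECORD_RE.match(line.strip())
    if m is None:
        return None
    fields = {"_syslog_ts": m.group("ts"), "_host": m.group("host")}
    for item in _FIELD_SPLIT_RE.split(m.group("body")):
        key, sep, value = item.partition("=")
        if not sep:
            continue  # malformed fragment: skip it rather than drop the record
        fields[key] = None if value == "null" else value
    return fields


@dataclass
class PolicyChange:
    host: str
    changed_on: str
    changed_by: str
    policy_uuid: str
    policy_name: str
    new_version: str
    old_version: str
    description: str


def policy_change_from_fields(fields: Optional[dict]) -> Optional[PolicyChange]:
    """Map the article's documented fields onto a PolicyChange, or None."""
    if not fields or fields.get("operation") != POLICY_CHANGE_OP:
        return None
    def get(key: str) -> str:
        return fields.get(key) or ""
    return PolicyChange(
        host=get("_host"), changed_on=get("createdOn"), changed_by=get("createdBy"),
        policy_uuid=get("target"), policy_name=get("reference1"),
        new_version=get("reference2"), old_version=get("reference3"),
        description=get("reference4"),
    )


def find_policy_changes(lines: Iterable[str]) -> List[PolicyChange]:
    """Filter a stream of syslog lines down to the policy revisions it contains."""
    found = []
    for line in lines:
        change = policy_change_from_fields(parse_audit_record(line))
        if change is not None:
            found.append(change)
    return found


def format_notification(change: PolicyChange) -> str:
    """One-line alert text. The description is user-typed, so collapse any
    embedded whitespace or control characters before it reaches a ticket or chat."""
    desc = " ".join(change.description.split())
    return (f"[{change.host}] policy '{change.policy_name}' ({change.policy_uuid}) "
            f"changed {change.old_version} -> {change.new_version} "
            f"by {change.changed_by} at {change.changed_on}: {desc}")


# Constructed sample input: line 1 is the article's example; lines 2 and 3 are
# made up here with placeholder UUIDs and a placeholder non-policy operation.
SAMPLE_LINES = [
    "Dec 19 19:41:38 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event "
    "[uuid=23F14DDF-47A0-49F8-92A6-3536C1F3A75B, partition=null, createdOn=12/19/19 19:41:38, "
    "createdBy=admin, operation=policy.content_revision, target=36688B3F-60B7-484D-9261-D5E0571B1E30, "
    "type=PolicyImpl, reference1=Deny rule, reference2=1.2, reference3=1.1, "
    "reference4=Test to see what is in the event log., reference5=null]",
    "Dec 19 19:42:05 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event "
    "[uuid=00000000-0000-0000-0000-000000000001, partition=null, createdOn=12/19/19 19:42:05, "
    "createdBy=alice, operation=OTHER_OPERATION_PLACEHOLDER, target=00000000-0000-0000-0000-000000000002, "
    "type=PlaceholderType, reference1=null, reference2=null, reference3=null, reference4=null, reference5=null]",
    "Dec 19 19:43:10 bccm_2_2-6-x86_64.localdomain com.bluecoat.cm.syslog.audit Data Change Event "
    "[uuid=00000000-0000-0000-0000-000000000003, partition=null, createdOn=12/19/19 19:43:10, "
    "createdBy=alice, operation=policy.content_revision, target=00000000-0000-0000-0000-000000000004, "
    "type=PolicyImpl, reference1=Allow CDN, reference2=2.0, reference3=1.9, "
    "reference4=Allow CDN hosts, see ticket TICKET-PLACEHOLDER, reference5=null]",
]

if __name__ == "__main__":
    for change in find_policy_changes(SAMPLE_LINES):
        print(format_notification(change))
```

In a real deployment the loop in find_policy_changes would read from the syslog receiver (or a SIEM search on the string "operation=policy.content_revision") instead of the constructed list, and format_notification would feed a mail, chat or ticketing hook. Keep the old and new version numbers in the alert: they are exactly what the comparison tool linked below needs to show the diff.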

To view the changes themselves, use the policy comparison tool in Management Center:

https://origin-symwisedownload.symantec.com/resources/webguides/managementcenter/2.3.1.1/Content/ConfigurationManagementGuide/6_Policy/compare_device_policy_versions.htm?Highlight=compare%20policy