According to What's new for Symantec Endpoint Protection 14.3 MP1 (22.214.171.124), External Logging adds a new Syslog entry containing PII-filtered policy changes. When a policy change is made and recorded in the Audit log, a second log line containing the policy payload is now written as well.
Here is what you can expect with the first release of this new feature.
Note: The Audit log must be selected as a Log Filter in Configure External Logging for your site. After installing or upgrading to 14.3 MP1, you cannot compare changes to a policy until an initial policy change has been logged and a subsequent change is made.
SEPM 14.3 MP1 or newer.
Once Audit logging is enabled, a subsequent policy change can be compared against a previous policy change.
When the logs are exported via Syslog, the second log line with the policy data is dated at the same time as the first line noting the policy change.
Here is an example that was tested with Splunk when searching for policy “Exceptions Test”:
Lines 2 and 4 are the regular Audit log lines that were previously generated. Lines 1 and 3 are the new lines that are now generated with Audit logging.
Line 3 represents the first time the policy Exceptions Test was logged.
Line 1 represents what was added (or changed) in the subsequent policy change.
Within Splunk, a diff can be done against the policy lines above:
An alternate way to view changes is to configure External Logging to Export Logs to a Dump File.
In this case, the policy is dumped to an XML file, and these XML files can be compared with your favorite text or compare application:
Note: Dumping logs and policies to disk can create many files over time, which can become a storage and security issue.
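The comparison of two dumped policy files can also be scripted so that only real changes are reported. The following is an added example, not Symantec code: the two XML documents are constructed samples, and their element and attribute names are placeholders rather than the actual SEPM policy schema.

```python
import difflib
import xml.etree.ElementTree as ET

# Constructed sample dumps of the same policy before and after a change.
# Element/attribute names are placeholders, not the real SEPM schema.
OLD_POLICY = r"""<Policy Name="Exceptions Test"><Exceptions>
<Exception Type="file" Path="C:\Tools\scanner.exe"/>
</Exceptions></Policy>"""
NEW_POLICY = r"""<Policy Name="Exceptions Test"><Exceptions>
<Exception Path="C:\Tools\scanner.exe" Type="file"/>
<Exception Type="folder" Path="C:\Temp"/>
</Exceptions></Policy>"""


def flatten(xml_text):
    """Return one canonical line per element: path, sorted attributes, text."""
    lines = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        # Sorting attributes stops a mere reordering from showing up as a change.
        attrs = " ".join(f'{k}="{v}"' for k, v in sorted(elem.attrib.items()))
        text = (elem.text or "").strip()
        lines.append(" ".join(p for p in (here, attrs, text) if p))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return lines


def policy_diff(old_xml, new_xml):
    """Return (added, removed) canonical lines between two policy dumps."""
    added, removed = [], []
    for line in difflib.ndiff(flatten(old_xml), flatten(new_xml)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


if __name__ == "__main__":
    added, removed = policy_diff(OLD_POLICY, NEW_POLICY)
    for line in removed:
        print("-", line)
    for line in added:
        print("+", line)
```

In the sample, the reordered attributes on the existing exception produce no output, while the newly added folder exception is reported as an addition for review.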
As this is new functionality for Syslog and External Logging, this feature may change in future releases.