Auditing and monitoring system changes in Security Analytics



Article ID: 212621


Products

Security Analytics

Issue/Introduction

As with any software system, monitoring logs and auditing changes is common practice for system administrators. Watching for admin-level changes, whether made through the GUI or from the command line, is standard procedure.

Resolution

There are a few sources of change logs in Security Analytics. Most changes are recorded in /var/log/messages; search that file for the keyword DEEPSEE. These messages are easier to read, but they show only changes made at the application level. All file changes made by the appliance are recorded in /var/log/audit. The audit logs are extremely detailed but hard to read.
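As an added example (not part of this article, and not a Security Analytics tool), the following POSIX shell script pulls the application-level change records out of a /var/log/messages-style file by the DEEPSEE keyword and optionally restricts them to entries at or after a given time of day. The sample log lines are constructed for illustration; the wording of real DEEPSEE messages will differ.

```shell
#!/bin/sh
# Added example: filter DEEPSEE change records from a syslog-format file.
# The lines written below are constructed sample data, not real appliance output.

SAMPLE_MESSAGES="$(mktemp)"
trap 'rm -f "$SAMPLE_MESSAGES"' EXIT
cat > "$SAMPLE_MESSAGES" <<'EOF'
Mar  3 09:14:02 sa-appliance kernel: eth1: link up
Mar  3 09:15:41 sa-appliance deepsee: DEEPSEE admin changed capture settings
Mar  3 09:16:05 sa-appliance sshd[2211]: Accepted publickey for analyst
Mar  3 10:02:17 sa-appliance deepsee: DEEPSEE admin created user analyst2
EOF

# deepsee_events FILE [HH:MM]
# Print every DEEPSEE line; with HH:MM given, print only lines whose
# syslog timestamp (field 3, HH:MM:SS) is at or after that time.
deepsee_events() {
    file=$1
    since=${2:-00:00}
    awk -v since="$since" '
        /DEEPSEE/ && substr($3, 1, 5) >= since { print }
    ' "$file"
}

# deepsee_count FILE [HH:MM]
# Number of DEEPSEE entries matched by the same filter.
deepsee_count() {
    deepsee_events "$1" "$2" | wc -l | tr -d ' '
}

# Usage: list all application-level changes in the sample file.
deepsee_events "$SAMPLE_MESSAGES"
```

Point the script at the real /var/log/messages (or a rotated copy) to review what was changed through the application, then use the audit log for the corresponding file-level detail.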

It is recommended to use the GUI to view the audit logs. You can access them by clicking the 'Information' icon in the upper right corner and selecting Audit Log. Details on how to work with the audit log can be found in the Security Analytics online documentation, in the Logging and Communication section.

If you have any specific questions about messages in either the audit log or /var/log/messages, you can contact technical support.

Additional Information

For information on how Security Analytics rotates the audit log, see this article: How the audit log rotates in Security Analytics