After installation of Symantec Endpoint Protection (SEP) 14.3 RU3, you will see log entries like these in messages:

e.g.)

Nov 2 13:59:02 xxxx auditd[1138]: Skipping line 8 in /etc/audit/plugins.d//sisaudisp.conf: too long

SEP 14.3 RU3 installer creates /etc/audit/plugins.d/sisaudisp.conf file upon installation.

e.g.)

$ cat /etc/audit/plugins.d/sisaudisp.conf
# Symantec audisp plugin

active = no
direction = out
path = /opt/Symantec/sdcssagent/IDS/bin/sisaudisp
type = always 
args = none
format = string

Its content is fine, but LF is missing at the very end:

e.g.)

$ od -tc /etc/audit/plugins.d/sisaudisp.conf
0000000 # S y m a n t e c a u d i s
0000020 p p l u g i n \n \n a c t i v e
0000040 = n o \n d i r e c t i o n
0000060 = o u t \n p a t h = / o p
0000100 t / S y m a n t e c / s d c s s
0000120 a g e n t / I D S / b i n / s i
0000140 s a u d i s p \n t y p e = a
0000160 l w a y s \n a r g s = n o
0000200 n e \n f o r m a t = s t r i
0000220 n g
0000222

• SEP 14.3 RU3 for Linux

Broadcom is aware of this issue and will update this document when a solution becomes available.

Work around:

To suppress log messages, append LF to sisaudisp.conf.

e.g.)

$ echo "" >> /etc/audit/plugins.d/sisaudisp.conf

CRE-8436