In an environment where rsyslog is installed, repeatedly restarting the service or the OS causes the /etc/rsyslog.conf file to be edited unintentionally.
For example, after the following commands are run, the SEP service has removed a few lines from the end of the /etc/rsyslog.conf file:
(Initial state of the end of /etc/rsyslog.conf, as provided by the customer)
# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is created for this action.
# down, messages are spooled to disk and sent when it is up again.
#queue.filename="fwdRule1" # unique name prefix for spool files
#queue.maxdiskspace="1g" # 1gb space limit (use as much as possible)
#queue.saveonshutdown="on"
# The following is required for Symantec Host IDS - Do not edit or remove
*.info;mail.err;mark.none |/var/log/ids_syslog.pipe
Run the following commands two or three times:
/usr/lib/symantec/stop.sh
systemctl stop rsyslog.service
systemctl start rsyslog.service
/usr/lib/symantec/start.sh
Below is the last part of /etc/rsyslog.conf after the above commands: the text after "An on-disk queue is create" is gone, and the two lines added by SEP are present.
# ### sample forwarding rule ###
#action(type="omfwd"
# An on-disk queue is create
# The following is required for Symantec Host IDS - Do not edit or remove
*.info;mail.err;mark.none |/var/log/ids_syslog.pipe
OS DETAILS
Red Hat Enterprise Linux 8.1 (4.18.0-147) - 64-bit
PRODUCT BUILD
SEP 14.3 RU4 (14.3.2167.4000) --- exported by SEPM 14.3 RU4 (14.3.7393.4000)
CAUSE
The rsyslog.conf file contains multibyte character strings.
RESOLUTION
Remove the multibyte character strings from rsyslog.conf.
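As an added check (not part of the Symantec article), the following POSIX shell script lists the lines of an rsyslog.conf that contain multibyte (non-ASCII) bytes, verifies that the two Host IDS lines SEP adds are still present, and writes an ASCII-only copy for review before the file is replaced; the sample file path and its contents are constructed for this example.

```shell
#!/bin/sh
# Added check, not from the Symantec article: find multibyte strings in an
# rsyslog.conf (the cause named above) and confirm the SEP Host IDS lines are
# intact. The sample path and file content below are constructed.

SAMPLE_CONF="${TMPDIR:-/tmp}/rsyslog.conf.sample"

# Constructed tail of a rsyslog.conf. The German comment contains "\303\274",
# the UTF-8 encoding of a u-umlaut, so the file holds a multibyte string.
printf '# ### sample forwarding rule ###\n' > "$SAMPLE_CONF"
printf '#action(type="omfwd"\n' >> "$SAMPLE_CONF"
printf '# Warteschlange auf Festplatte f\303\274r diese Aktion\n' >> "$SAMPLE_CONF"
printf '# The following is required for Symantec Host IDS - Do not edit or remove\n' >> "$SAMPLE_CONF"
printf '*.info;mail.err;mark.none |/var/log/ids_syslog.pipe\n' >> "$SAMPLE_CONF"

# Print "lineno:line" for every line holding a byte outside printable ASCII
# and whitespace. LC_ALL=C makes grep work on raw bytes, so every byte >= 0x80
# (lead and continuation bytes of UTF-8 sequences) is flagged regardless of
# the system locale. Exits 0 even when nothing matches.
find_multibyte_lines() {
    LC_ALL=C grep -n '[^[:print:][:space:]]' "$1" || true
}

# Number of offending lines as a bare integer (wc pads with spaces on some systems).
count_multibyte_lines() {
    find_multibyte_lines "$1" | wc -l | tr -d ' '
}

# Return 0 only if both lines SEP adds for Host IDS are still present;
# run this after the stop/start cycle shown in the article.
ids_lines_intact() {
    grep -qF '# The following is required for Symantec Host IDS - Do not edit or remove' "$1" &&
    grep -qF '*.info;mail.err;mark.none |/var/log/ids_syslog.pipe' "$1"
}

# Write an ASCII-only copy beside the original (never edits in place) so the
# admin can diff and review it before replacing /etc/rsyslog.conf and
# restarting rsyslog. Dropping bytes 0x80-0xFF removes the multibyte strings.
write_ascii_copy() {
    LC_ALL=C tr -d '\200-\377' < "$1" > "$1.ascii"
    printf '%s\n' "$1.ascii"
}

echo "Lines with multibyte characters in $SAMPLE_CONF:"
find_multibyte_lines "$SAMPLE_CONF"
```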