SEPFL-Auditd logs for Linux servers settings (sisaudisp.conf)


Article ID: 423264


Products

Endpoint Protection

Issue/Introduction

You want to know whether you can change which auditd logs are captured by editing the sisaudisp.conf file.

Current:

  # Symantec audisp plugin
  active = no
  direction = out
  path = /opt/Symantec/sdcssagent/IDS/bin/sisaudisp
  type = always
  args = none
  format = string

Proposed change:

  # Symantec audisp plugin
  active = yes
  direction = out
  path = /opt/Symantec/sdcssagent/IDS/bin/sisaudisp
  type = always
  args = LOG_INFO LOG_LOCAL6
  format = string

Environment

Symantec Endpoint protection for Linux

Cause

Loss of all the auditd logs (from the Linux OS onboarding)


Resolution

1. Impact on SEP Agent

   The proposed changes will have an impact on the SEP agent:

  • active = yes: This change conflicts with how the SEP agent manages the plugin. The agent dynamically controls this setting based on EDR/Network policy requirements.
  • Looking at sepl_auditd_monitor.sh:
disablePlugin()
{
   logMessage "STATUS: Disabling plugin $1"
   sed -i 's/active = \(yes\|no\)/active = no/' $1
}
enablePlugin()
{
   logMessage "STATUS: Enabling plugin $1"
   sed -i 's/active = \(yes\|no\)/active = yes/' $1
}

The agent uses sed to toggle active = yes/no based on whether:

  • EDR is enabled (edrcheckenabled=1)
  • Linux Network Collector is enabled (linuxnetworkcollectorenabled=1)
   grep -iq "edrcheckenabled=1" $SIS_IDS_DIR/system/agent.ini; EDR_ENABLED=$?
   grep -iq "linuxnetworkcollectorenabled=1" $SIS_IDS_DIR/system/agent.ini; NETWORK_ENABLED=$?
   # ...
   if ( [ $EDR_ENABLED -eq 0 ] && [ $NETWORK_ENABLED -eq 0 ] ); then
       installNetRules $NETWORK_MAGIC
       PLUGIN_ACTION=enablePlugin
   fi
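The following is an added example (not from this article and not part of the SEP agent) that reproduces the agent's decision from agent.ini and compares it with the current sisaudisp.conf, so a manual edit that the agent will revert shows up as drift; the sample agent.ini and plugin file are constructed here.

```shell
#!/bin/sh
# Added example: detect drift between SEP policy flags and sisaudisp.conf.
# Assumes GNU/POSIX sh, grep and sed; the sample files below are constructed.

# Mirrors sepl_auditd_monitor.sh: the plugin is enabled only when BOTH flags are 1.
expected_plugin_state() {   # $1 = path to agent.ini; prints "yes" or "no"
    if grep -iq "edrcheckenabled=1" "$1" && grep -iq "linuxnetworkcollectorenabled=1" "$1"; then
        echo yes
    else
        echo no
    fi
}

# Reads the value of the first 'active = ...' line in a plugin conf file.
current_plugin_state() {    # $1 = path to sisaudisp.conf; prints "yes", "no" or nothing
    sed -n 's/^active[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | head -n 1
}

# Returns 0 when the file already matches what the agent enforces, 1 when a manual
# edit has drifted from policy (the agent overwrites it on reconfig, reboot or upgrade).
check_plugin_drift() {      # $1 = agent.ini, $2 = sisaudisp.conf
    want=$(expected_plugin_state "$1")
    have=$(current_plugin_state "$2")
    if [ "$want" = "$have" ]; then
        echo "OK: active = $have matches policy"
        return 0
    fi
    echo "DRIFT: sisaudisp.conf has active = ${have:-<missing>}, agent policy will set active = $want"
    return 1
}

# Constructed demo: EDR on but the network collector off, while someone set active = yes by hand.
demo() {
    tmp=$(mktemp -d)
    printf 'edrcheckenabled=1\nlinuxnetworkcollectorenabled=0\n' > "$tmp/agent.ini"
    printf 'active = yes\ndirection = out\npath = /opt/Symantec/sdcssagent/IDS/bin/sisaudisp\n' > "$tmp/sisaudisp.conf"
    check_plugin_drift "$tmp/agent.ini" "$tmp/sisaudisp.conf" || true   # prints the DRIFT line
    rm -rf "$tmp"
}

demo
```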

2. Will Changes Persist After Reboot or Upgrade?

NO - changes will NOT reliably persist:

Event            Impact on sisaudisp.conf
---------------  --------------------------------------------------------------------------
Reboot           The active setting may be toggled by the agent when services restart (via sepl_auditd_monitor.sh reconfig)
Agent Upgrade    The RPM packaging uses the %verify(not md5 size mtime) flag, which means the file may be overwritten with the default template during upgrades
Policy Changes   When EDR/Network policies are applied, the agent overwrites the active setting

3. Root Cause of Lost Auditd Logs

The issue (lost auditd logs from Linux OS onboarding) is NOT caused by sisaudisp.conf settings. The sisaudisp plugin:

  1. Does not modify or consume auditd logs - it only receives a copy of events via the audisp dispatcher
  2. Does not affect auditd's file logging - auditd continues to write to /var/log/audit/audit.log regardless of this plugin's state
  3. Is set to active = no by default - meaning it shouldn't affect auditd behavior at all when disabled


Additional Information

  • Recommendations
    1. Do NOT manually modify sisaudisp.conf - the agent manages this file dynamically
    2. The args = LOG_INFO LOG_LOCAL6 change will have no effect - the plugin doesn't support these arguments
    3. To ensure auditd logs are preserved, check:
       • /etc/audit/auditd.conf (especially max_log_file, num_logs, max_log_file_action)
       • That the auditd service is running: systemctl status auditd
       • Disk space on /var/log/audit/
    4. If the customer needs the plugin active persistently, they should:
       • Ensure EDR and Linux Network Collector are enabled via SEPM policy
       • The agent will then automatically set active = yes
    5. Both paths are intentional - different audit versions use different plugin directories:
       • /etc/audisp/plugins.d/ - auditd version < 3
       • /etc/audit/plugins.d/ - auditd version >= 3

Likely causes of lost auditd logs:

  • Auditd configuration issue (/etc/audit/auditd.conf)
  • Log rotation settings
  • Disk space issues
  • Auditd service not running