After installing Symantec Endpoint Protection (SEP) 14.3 RU3, log entries like the following appear in messages:
e.g.)
Nov 2 13:59:02 xxxx auditd[1138]: Skipping line 8 in /etc/audit/plugins.d/sisaudisp.conf: too long
The SEP 14.3 RU3 installer creates the /etc/audit/plugins.d/sisaudisp.conf file upon installation.
e.g.)
$ cat /etc/audit/plugins.d/sisaudisp.conf
# Symantec audisp plugin
active = no
direction = out
path = /opt/Symantec/sdcssagent/IDS/bin/sisaudisp
type = always
args = none
format = string
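The content of the file is fine, but the LF (newline) is missing at the very end, so auditd cannot find the end of the last line and reports it as too long: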
e.g.)
$ od -tc /etc/audit/plugins.d/sisaudisp.conf
0000000 # S y m a n t e c a u d i s
0000020 p p l u g i n \n \n a c t i v e
0000040 = n o \n d i r e c t i o n
0000060 = o u t \n p a t h = / o p
0000100 t / S y m a n t e c / s d c s s
0000120 a g e n t / I D S / b i n / s i
0000140 s a u d i s p \n t y p e = a
0000160 l w a y s \n a r g s = n o
0000200 n e \n f o r m a t = s t r i
0000220 n g
0000222
This issue is fixed in Symantec Endpoint Protection 14.3 RU5. For information on how to obtain the latest build of Symantec Endpoint Protection, see Download the latest version of Symantec Endpoint Protection.
Workaround:
To suppress the log messages, append an LF to sisaudisp.conf.
e.g.)
$ echo "" >> /etc/audit/plugins.d/sisaudisp.conf
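An idempotent form of the workaround, as an added example that is not part of the original article: it appends the LF only when the last byte of a plugin file is not already LF, so repeated runs do not add blank lines. The function names are hypothetical; the default directory is the one shown above.

```shell
#!/bin/sh
# Added example: append a trailing LF to auditd plugin configs only when missing.

# Return 0 if the file is non-empty and its last byte is not LF.
missing_final_lf() {
    [ -s "$1" ] || return 1
    # Command substitution strips a trailing LF, so a non-empty result
    # means the last byte is something other than LF.
    [ -n "$(tail -c 1 "$1")" ]
}

# Append exactly one LF if needed; safe to run repeatedly.
fix_final_lf() {
    if missing_final_lf "$1"; then
        printf '\n' >> "$1"
        echo "fixed: $1"
    else
        echo "ok: $1"
    fi
}

# Check every plugin config in a directory
# (default: the directory used in this article).
check_plugin_dir() {
    dir=${1:-/etc/audit/plugins.d}
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        fix_final_lf "$f"
    done
}
```

Source the file and call `check_plugin_dir` with sufficient privileges to write to the directory; files that already end in LF are reported as `ok` and left unchanged.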
CRE-8436