Viewing the Audit log
Symantec Endpoint Detection and Response contains an Audit log that shows the user-generated activity that is performed through the console or the API. Only users with Admin rights can view the Audit log.
The user-generated activity includes the following events:
- User logon, logout, inactivity, and account lockout
- Password failure, reset, and change
- User account creation, modification, or deletion. Includes both local accounts and accounts set up through Active Directory.
- Policy changes. Includes the creation, deletion, and modification of entries in the allow list policy and the deny list policy. Commands that are issued on entities (such as isolating endpoints) do not appear in the Audit log; those events appear in the Actions log.
- Incident closure
- Symantec EDR configuration or settings changes. For example, enabling SNMP settings or deleting a SEPM Controller.
Symantec EDR supports sending Audit log events to syslog. It also supports backing up Audit log events.
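Because the Audit log is the only record of who changed the allow list, created admin accounts, or deleted a SEPM Controller, forwarding it to syslog and alerting on those event classes is the usual practice. The following is an added example, not Symantec's code: it triages a forwarded audit feed for the event classes listed above. The key=value payload format, the field names (event, actor, policy, setting, role, target), and the sample lines are all constructed for this example; this page does not document the real syslog message format, so adapt the two regular expressions to what your appliance actually emits.

```python
"""Triage Symantec EDR Audit log events forwarded over syslog.

The key=value payload format, the field names, and the sample lines are
constructed assumptions for this example; the real syslog format is not
described on the documentation page.
"""
import re
from collections import defaultdict

# Audit payloads are assumed to follow a literal "audit:" tag.
PAYLOAD_RE = re.compile(r"\saudit:\s*(?P<kv>.+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Threshold of repeated password failures per actor before alerting.
FAILURE_THRESHOLD = 3

# Constructed sample feed (assumed format, not Symantec's documented output).
SAMPLE_EVENTS = [
    "<14>Jan 10 09:12:01 edr-appliance audit: event=user_logon actor=alice result=success",
    "<14>Jan 10 09:12:40 edr-appliance audit: event=password_failure actor=bob",
    "<14>Jan 10 09:12:47 edr-appliance audit: event=password_failure actor=bob",
    "<14>Jan 10 09:12:55 edr-appliance audit: event=password_failure actor=bob",
    "<14>Jan 10 09:13:02 edr-appliance audit: event=account_lockout actor=bob",
    "<14>Jan 10 09:20:15 edr-appliance audit: event=policy_change policy=allow_list action=create actor=alice",
    "<14>Jan 10 09:25:00 edr-appliance audit: event=config_change setting=sepm_controller action=delete actor=alice",
    "<14>Jan 10 09:30:00 edr-appliance audit: event=user_create target=svc-backup role=admin actor=alice",
    "<14>Jan 10 09:31:00 edr-appliance audit: event=incident_close incident=1234 actor=alice",
    # Entity commands such as isolation live in the Actions log, not the Audit log,
    # so a line tagged differently is ignored by the parser below.
    "<14>Jan 10 09:32:00 edr-appliance actions: event=endpoint_isolate target=host1",
]


def parse_audit_line(line):
    """Return the key=value fields of an audit payload, or None for non-audit lines."""
    match = PAYLOAD_RE.search(line)
    if not match:
        return None
    return dict(KV_RE.findall(match.group("kv")))


def triage(lines):
    """Apply alerting rules for the event classes the Audit log covers.

    Returns a list of (severity, event, actor, reason) tuples in feed order.
    """
    alerts = []
    failures = defaultdict(int)
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None:
            continue
        kind = ev.get("event")
        actor = ev.get("actor", "?")
        if kind == "password_failure":
            # Repeated failures against a console account: possible brute force.
            failures[actor] += 1
            if failures[actor] == FAILURE_THRESHOLD:
                alerts.append(("medium", kind, actor,
                               f"{FAILURE_THRESHOLD} password failures"))
        elif kind == "account_lockout":
            alerts.append(("high", kind, actor, "console account locked out"))
        elif kind == "policy_change" and ev.get("policy") == "allow_list":
            # Allow list entries suppress detections, so every change is reviewed.
            alerts.append(("high", kind, actor, "allow list modified"))
        elif kind == "config_change" and ev.get("action") == "delete":
            alerts.append(("high", kind, actor, f"{ev.get('setting')} deleted"))
        elif kind == "user_create" and ev.get("role") == "admin":
            alerts.append(("high", kind, actor,
                           f"admin account {ev.get('target')} created"))
    return alerts


if __name__ == "__main__":
    for severity, kind, actor, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity.upper():6}] {kind:<16} actor={actor:<6} {reason}")
```

Routine logons and incident closures are parsed but produce no alert; they are still worth retaining in the SIEM because the Audit log is purged last under disk pressure on the appliance, and a forwarded copy is the only record that outlives that purge.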
Purging of Audit log events occurs only as a result of disk pressure, and Audit log events are the last items to be purged. If Audit log events are selected to be purged, the oldest events are purged first. For details, see the topic that describes how Symantec EDR purges its database.
To view the Audit log:
- On the left navigation pane, click Logging, and then select the Audit tab.