Sophos Central Audit Logs
The Audit logs are lacking in detail and visibility, specifically:
When moving devices/computers into groups - the audit logs only show that a change was made to the group itself, not which devices/machines were affected.
When a change in product assignment is done (e.g. we remove Device Encryption as an installed product on a device/machine or a group of devices/machines) the audit logs do not show which devices/machines were affected.
When changes are made to a Sophos Central policy, what were the actual changes made within the policy.
With a move towards using logs to help with audits (ISO or ISAE) we need to show competence, management, audit & accountability we need to show that we can prove what was changed and when.
I agree with Kim that “Admin made a change” is useless. We need to know what the Admin (or A.N.Other) changed. Additionally a note to say why it was changed would also be useful.
Kim Haymon commented
I agree. In the history of IT, log files are how we determine WHO, WHAT, WHEN, WHERE and HOW something happened and the way these logs are set you can tell nothing of importance. An admin made a change is a insufficient alert. The log should include the change that was made, if a policy was enabled, disabled or changed with details of the change. If an endpoint was deleted, what was the name or ID of the endpoint. If a new policy was added, what was the name of the policy, what type of policy an was it enabled or not. Get it?