Insufficient Admin Actions Logs (CAP Policy Edit)

Hello,

We are seeing two related issues with Admin Action logging for Content Aware Policies (CAP) EDIT events. Both occur in the same workflow, so we are reporting them together.

1) What version are you using?

• EPP Server: 2604.01
• Appliance type: Hardware appliance
• Syslog receiver: rsyslog (Linux)

2) Current settings / configuration

• Syslog destination protocol: TCP
• Syslog destination port: 5514
• Enabled log category for syslog forwarding: Admin Actions
• The rsyslog server itself receives messages from other sources without truncation, so we do not believe the receiver side is the bottleneck, but we are happy to verify if you can tell us the expected maximum message size from EPP.

3) Error / unexpected behavior

Issue A — Console-side: cannot tell which CAP Exit Point was changed
When we open an Admin Action of type “Content Aware Policies - EDIT” in the EPP web console (Logs Report → Admin Actions → the eye icon for detail), the Before/After comparison does not show the actual setting that was modified. In the attached screenshot, the administrator changed a CAP Exit Point on the policy, but neither the Before side nor the After side contains an Exit Point field at all. As a result, we cannot tell from the log which Exit Point was added, removed, or otherwise modified, which makes it impossible to audit Exit Point changes from the EPP console.

Issue B — Syslog-side: Admin Action message is truncated at the end
The same Admin Action events that are forwarded over syslog (TCP/5514) are cut off at the end of the message. The truncation consistently happens in the long list-type fields (Groups, Computers, Users), so the part of the payload that would actually show what was changed is the part we lose. As a result, we cannot use the syslog stream to audit what an administrator modified in a CAP policy either.

Attachments:

• Sample of the truncated syslog message as received on rsyslog for an Admin Action event.

[Admin Actions view Sample]

image1643×544 34 KB

[syslog sample - Admin Actions]

*2026-05-07T11:13:43+09:00 eppserver EPP-192.168.1.57\[1706281\] EPP IP - 1.227.122.182:22244 - System Logs - Admin Actions: \[Log ID\] 00aac25a8bea6f772b42999a329668ab | \[Administrator\] root | \[Section\] Content Aware Policies | \[Action Type\] EDIT | \[Before\] Policy Type--|CAP OS Type--|Mac OS X Policy Name--|macOS File Trace #1 Policy Status--|Enabled (ON) Policy Action--|Report only Policy Kind--|Standard Policy Detail Content--|{"policy-notification-template":[ ],"control-clipboard":{"name":"Clipboard","status":"0"},"clipboard-source-code-detection":{"name":"Detect Source Code","status":"0"},"clipboard-image-detection":{"name":"Detect Images","status":"0"},"control-paste":{"name":"Apply Paste restrictions to all monitored applications","status":0},"control-paste-extended":{"name":"Extend Paste restrictions to below applications","status":0},"scan-network-share":{"name":"Scan Network Share","status":"2"},"thinclient-storage":{"name":"Thin Client Drives","status":"0"},"printers":{"name":"Printers","status":"0"},"hide-cap-notifications":{"name":"Client Notifications","status":"2"},"applist":{"name":"Monitored Applications","status":"2","items":{"Instant Messaging":{"8x8 Virtual Office":{"name":"8x8 Virtual Office","status":"2"},"Adium":{"name":"Adium","status":"2"},"Agit":{"name":"Agit","status":"2"},"Baidu":{"name":"Baidu","status":"2"},"Band":{"name":"Band","status":"2"},"Daum MyPeople":{"name":"Daum MyPeople","status":"2"},"DingTalk":{"name":"DingTalk","status":"2"},"Discord":{"name":"Discord","status":"2"},"Facebook Messenger":{"name":"Facebook Messenger","status":"2"},"Hall":{"name":"Hall","status":"2"},"HipChat":{"name":"HipChat","status":"2"},"KakaoTalk":{"name":"KakaoTalk","status":"2"},"LINE":{"name":"LINE","status":"2"},"Mail.Ru Agent":{"name":"Mail.Ru Agent","status":"2"},"Mattermost":{"name":"Mattermost","status":"2"},"Messages":{"name":"Messages","status":"2"},"NateOn Messenger":{"name":"NateOn Messenger","status":"2"},"Naver Works":{"name":"Naver Works","status":"2"},"QQ international":{"name":"QQ international","status":"2"},"RingCentral":{"name":"RingCentral","status":"2"},"Rocket Chat":{"name":"Rocket Chat","status":"2"},"Signal":{"name":"Signal","status":"2"},"Skype":{"name":"Skype","status":"2"},"Slack":{"name":"Slack","status":"2"},"Telegram Desktop":{"name":"Telegram Desktop","status":"2"},"Viber":{"name":"Viber","status":"2"},"WeChat":{"name":"WeChat","status":"2"},"WeCom":{"name":"WeCom","status":"2"},"WhatsApp Desktop":{"name":"WhatsApp Desktop","status":"2"},"Zalo":{"name":"Zalo","status":"2"}},"Social Media / Others":{"ADB":{"name":"ADB","status":"2"},"AnyDesk":{"name":"AnyDesk","status":"2"},"Asana":{"name":"Asana","status":"2"},"AWS CLI":{"name":"AWS CLI","status":"2"},"Blizz":{"name":"Blizz","status":"2"},"CURL":{"name":"CURL","status":"2"},"CuteFTP":{"name":"CuteFTP","status":"2"},"Cyberduck":{"name":"Cyberduck","status":"2"},"Easy Lock":{"name":"Easy Lock","status":"2"},"FileZilla":{"name":"FileZilla","status":"2"},"GoToAssist":{"name":"GoToAssist","status":"2"},"iMazing":{"name":"iMazing","status":"2"},"iTunes":{"name":"iTunes","status":"2"},"Kies":{"name":"Kies","status":"2"},"Lark":{"name":"Lark","status":"2"},"Notion":{"name":"Notion","status":"2"},"RSYNC":{"name":"RSYNC","status":"2"},"Samsung DeX":{"name":"Samsung DeX","status":"2"},"SCP":{"name":"SCP","status":"2"},"SFTP":{"name":"SFTP","status":"2"},"Smart Switch":{"name":"Smart Switch","status":"2"},"TeamViewer":{"name":"TeamViewer","status":"2"},"Transmit":{"name":"Transmit","status":"2"},"TweetDeck":{"name":"TweetDeck","status":"2"},"Twitter":{"name":"Twitter","status":"2"},"VNC":{"name":"VNC","status":"2"},"Webex Teams":{"name":"Webex Teams","status":"2"},"wget":{"name":"wget","status":"2"},"Zoom":{"name":"Zoom","status":"2"}},"Cloud Services / File Sharing":{"Adobe Creative Cloud":{"name":"Adobe Creative Cloud","status":"2"},"Airdrop Incoming":{"name":"Airdrop Incoming","status":"2"},"Airdrop Outgoing":{"name":"Airdrop Outgoing","status":"2"},"Android File Transfer":{"name":"Android File Transfer","status":"2"},"Apple Remote Desktop":{"name":"Apple Remote Desktop","status":"2"},"BitTorrent":{"name":"BitTorrent","status":"2"},"Bluetooth Incoming":{"name":"Bluetooth Incoming","status":"2"},"Bluetooth Outgoing":{"name":"Bluetooth Outgoing","status":"2"},"Box Drive":{"name":"Box Drive","status":"2"},"ChatGPT":{"name":"ChatGPT","status":"2"},"Claude":{"name":"Claude","status":"2"},"Dropbox":{"name":"Dropbox","status":"2"},"Evernote":{"name":"Evernote","status":"2"},"FileCloud Sync Client":{"name":"FileCloud Sync Client","status":"2"},"FTP Command":{"name":"FTP Command","status":"2"},"GitHub Client":{"name":"GitHub Client","status":"2"},"Google Drive Client":{"name":"Google Drive Client","status":"2"},"hubiC":{"name":"hubiC","status":"2"},"iBooks Author":{"name":"iBooks Author","status":"2"},"iPhone Mirroring":{"name":"iPhone Mirroring","status":"2"},"MediaFire Desktop":{"name":"MediaFire Desktop","status":"2"},"MEGA":{"name":"MEGA","status":"2"},"Microsoft Remote Desktop":{"name":"Microsoft Remote Desktop","status":"2"},"Microsoft Teams":{"name":"Microsoft Teams","status":"2"},"MyBOX":{"name":"MyBOX","status":"2"},"NextCloud":{"name":"NextCloud","status":"2"},"Notejoy":{"name":"Notejoy","status":"2"},"Novell Filr Desktop ":{"name":"Novell Filr Desktop","status":"2"},"OneDrive":{"name":"OneDrive","status":"2"},"OneDrive for Business ":{"name":"OneDrive for Business","status":"2"},"ownCloud Client":{"name":"ownCloud Client","status":"2"},"Pogoplug Backup":{"name":"Pogoplug Backup","status":"2"},"Send Anywhere":{"name":"Send Anywhere","status":"2"},"SendSpace":{"name":"SendSpace","status":"2"},"SideSync":{"name":"SideSync","status":"2"},"SimpleHelp Technician":{"name":"SimpleHelp Technician","status":"2"},"Slab":{"name":"Slab","status":"2"},"SugarSync":{"name":"SugarSync","status":"2"},"Transmission":{"name":"Transmission","status":"2"},"uTorrent":{"name":"uTorrent","status":"2"},"VirtualBox":{"name":"VirtualBox","status":"2"},"VMWare Fusion":{"name":"VMWare Fusion","status":"2"},"Webhard":{"name":"Webhard","status":"2"},"WeTransfer":{"name":"WeTransfer","status":"2"},"Yandex Disk":{"name":"Yandex Disk","status":"2"}},"E-mail":{"AirMail Beta":{"name":"AirMail Beta","status":"2"},"Foxmail":{"name":"Foxmail","status":"2"},"GyazMail":{"name":"GyazMail","status":"2"},"Mail":{"name":"Mail","status":"2"},"Mailspring":{"name":"Mailspring","status":"2"},"Outlook":{"name":"Outlook","status":"2"},"Thunderbird":{"name":"Thunderbird","status":"2"}},"Web Browser":{"Brave":{"name":"Brave","status":"2"},"Chrome":{"name":"Chrome","status":"2"},"Chromium":{"name":"Chromium","status":"2"},"Firefox":{"name":"Firefox","status":"2"},"iCab":{"name":"iCab","status":"2"},"Maxthon":{"name":"Maxthon","status":"2"},"Microsoft Edge":{"name":"Microsoft Edge","status":"2"},"Opera":{"name":"Opera","status":"2"},"Pale Moon":{"name":"Pale Moon","status":"2"},"Safari":{"name":"Safari","status":"2"},"SeaMonkey":{"name":"SeaMonkey","status":"2"},"Vivaldi":{"name":"Vivaldi","status":"2"},"Whale":{"name":"Whale","status":"2"},"Yandex":{"name":"Yandex","status":"2"}}}},"file-type":{"name":"Monitored File Types","status":"2","items":{"Archive Files":{"7z":{"status":"2","name":"7z"}},"Other Files":{"SBF":{"status":"2","name":"SBF"}},"CAD Files":{"IGS":{"status":"2","name":"IGS"}},"Graphic Files":{"JPEG":{"status":"2","name":"JPEG"},"PNG":{"status":"2","name":"PNG"},"GIF":{"status":"2","name":"GIF"},"BMP":{"status":"2","name":"BMP"},"TIFF":{"status":"2","name":"TIFF"},"EPS":{"status":"2","name":"EPS"},"DJV":{"status":"2","name":"DJV"},"CGM":{"status":"2","name":"CGM"},"ICO":{"status":"2","name":"ICO"},"CorelDraw":{"status":"2","name":"CorelDraw"},"Corel Photo-Paint":{"status":"2","name":"Corel Photo-Paint"},"PSD":{"status":"2","name":"PSD"},"Adobe InDesign":{"status":"2","name":"Adobe InDesign"},"Adobe Illustrator":{"status":"2","name":"Adobe Illustrator"},"BPF":{"status":"2","name":"BPF"},"Maya 3D":{"status":"2","name":"Maya 3D"},"WEBP":{"status":"2","name":"WEBP"},"HEIC":{"status":"2","name":"HEIC"}},"Office Files":{"PDF":{"status":"2","name":"PDF"},"Excel":{"status":"2","name":"Excel"},"Word":{"status":"2","name":"Word"},"PowerPoint":{"status":"2","name":"PowerPoint"},"Infopath":{"status":"2","name":"Infopath"},"Publisher":{"status":"2","name":"Publisher"},"Outlook":{"status":"2","name":"Outlook"},"Office2003+/password":{"status":"2","name":"Office2003+/password"},"iWork files":{"status":"2","name":"iWork files"},"CSV":{"status":"2","name":"CSV"},"Project":{"status":"2","name":"Project"},"Encrypted PDF":{"status":"2","name":"Encrypted PDF"}}}},"mimetype-whitelist":{"name":"MIME Type Allowlist","list":{"Other Files":{"exe, sys, dll":"exe, sys, dll","so":"so"},"Media Files":{"mp3":"mp3","aif":"aif","m3u":"m3u","m4a,mp4":"m4a,mp4","wav":"wav","wma":"wma","avi":"avi","mov":"mov","MATROSKA":"MATROSKA","mxf":"mxf","WEBM":"WEBM"}}},"applicable_filetypes":[ ],"contextual_rules":[ ]} Groups  --|MTP 장치허용 그룹 Groups  --|Linux Group #1 Groups  --|Android 개발자 그룹 #1 Groups  --|iOS 개발자 그룹 #1 Groups  --|개발자 그룹 #2 Groups  --|Netwirx-Group-01 Groups  --|Allowed RODC Password Replication Group Groups  --|Cert Publishers Groups  --|ChangeAuditor Administrators - DEFAULT Groups  --|ChangeAuditor Operators - DEFAULT Groups  --|Cloneable Domain Controllers Groups  --|Denied RODC Password Replication Group Groups  --|DnsUpdateProxy Groups  --|Domain Admins Groups  --|Domain Computers Groups  --|Domain Controllers Groups  --|Domain Guests Groups  --|Domain Users Groups  --|DnsAdmins Groups  --|Enterprise Key Admins Groups  --|Enterprise Admins Groups  --|Enterprise Read-only Domain Controllers Groups  --|Group Policy Creator Owners Groups  --|Key Admins Groups  --|Protected Users Groups  --|RAS and IAS Servers Groups  --|Read-only Domain Controllers Groups  --|Schema Admins Groups  --|ChangeAuditor Web Shared Overview Users - DEFAULT Groups  --|4321 Groups  --|Remove Log Groups  --*    ???

4) What we have tried so far

• Reproduced the behavior on multiple CAP EDIT events; it is consistent, not a one-off.
• Confirmed the syslog packets are being delivered to rsyslog over TCP/5514 (no transport-layer drop).
• We have not changed the syslog format, because the EPP UI in 2604.01 does not appear to provide a format selector in the syslog configuration.

Questions

1. Is there a known maximum message size (bytes / characters) for Admin Action events sent via syslog from EPP, and is it configurable? If it is a hard limit in 2604.01, is it lifted in a later build?
2. Is the syslog truncation for long Admin Action payloads (Groups / Computers / Users lists in CAP EDIT) a known issue in 2604.01? If so, is there a fix, hotfix, or recommended workaround?
3. For the console Before/After comparison of a CAP EDIT event, the setting that was actually changed (in our case, the CAP Exit Point) is not displayed on either the Before or the After side. Is this expected behavior, or a logging defect? If expected, how are we supposed to determine which Exit Point was modified for audit purposes? If it is a defect, can you advise how to collect diagnostic data and whether a fix is available?
4. Is there an alternative way to obtain the full Admin Action detail (for example, a different syslog format, an API endpoint, a database query, or an export) so that we can reliably audit CAP policy changes — including Exit Point changes — end-to-end?

Thank you for your help.