So would I.
The SE_AUDITID_IPSEC_POLICY_CHANGED
itself is straightforward. This is a security audit event
that normally is used to record that the policy controlling
what IPsec does has been modified.
IPsec would have had to have been manually configured
by someone on the system for it to be doing anything as
in the default install state it is there by not used.
Once configured IPsec can control what IPs your machine
will and will not talk to / hear from on the network and
also in what ways it will do so.
Now, when this audit event is usually seen it is written
to the log in a way so that the %1, %2, %3 have been
replaced with phrases and these phrases provide info on
who,when where the change was made.
That you are seeing the message but without the proper
information substituted is where I become unable to
inform you.
