Use the pmlogadm program to perform backup or archive operations on a policy server's event log database. Because Safeguard stores keystroke logs in individual flat files on the policy server, you may use standard Unix commands to back up or archive them. Make sure the keystroke log files are not associated with active sessions prior to backup or archive.
While pmlogadm can perform the backup and archive operations on a live event log database, for best results we recommend that you follow these steps prior to performing a backup or archive.
# service pmserviced stop Stopping pmserviced service: done # service pmlogsrvd stop Stopping pmlogsrvd service: done
# ps -ef | grep pmmasterd
A running pmmasterd process indicates that there may be an active Safeguard session.
This procedure also allows you to safely backup or archive any keystroke log files. Once the backup or archive operation has completed, remember to restart the pmserviced and pmlogsrvd services.
This example shows how to restart the services on Redhat Linux systems:
# service pmlogsrvd start Starting pmlogsrvd service: done # service pmserviced start Starting pmserviced service: done
The pmlogadm backup command creates a clean backup copy of your event log database.
This example performs a backup of the current event log database, placing the copy in the /backup directory:
# pmlogadm backup /var/opt/quest/qpm4u/pmevents.db /backup 5 / 208 pages complete 10 / 208 pages complete ... 205 / 208 pages complete 208 / 208 pages complete
Safeguard stores the keystroke logs in individual files and do not require any special commands for processing.
This example uses the unix cp command to recursively copy the keystroke logs to the /backup directory:
# cp -r /var/opt/quest/qpm4u/iolog /backup
The pmlogadm archive command creates an archive of old event logs and removes the old event logs from the current database. The following example archives logs for all events that occurred before April 1, 2014 from the current event log database, creating an archive database in the /archive/2014Q1 directory.
If you omit the --no-zip option, pmlogadm also creates a tar-gzip'ed archive of the database files.
# pmlogadm archive /var/opt/quest/qpm4u/pmevents.db 2014Q1 \ --dest-dir /archive --no-zip --before "2014-04-01 00:00:00" Archive Job Summary Source Log : /var/opt/quest/qpm4u/pmevents.db Archive Name : 2014Q1 Destination Dir : /archive Zip Archive : No Cut off time : 2014/04/01 00:00:00 No pmlogsrvd pid file found, assuming service is not running. X events will be archived. Adding events to the archive. Verifying archive. Archive verification completed successfully. Removing events from source log. Archive task complete.
You can use the pmlog command with some carefully chosen options to get a list of keystroke logs associated with the event logs you archive. In this example, you process the list generated by pmlog, with the Unix xargs and mv commands to move the keystroke logs into the /archive/2014Q1/iolog directory.
# mkdir /archive/2014Q1/iolog
# pmlog -f /archive/2014Q1/archive.db \
-c "defined iolog && length(iolog) != 0" -p iolog \
| xargs -i{} mv {} /archive/2014Q1/iolog
The usage of the xargs command may differ depending on your platform.
To help you troubleshoot, One Identity recommends the following resolutions to some of the common problems you might encounter as you deploy and use Safeguard.
Enabling sudo policy debug logging
Enabling tracing for Sudo Plugin
Join fails to generate a SSH key for sudo policy
Join to policy group failed on Sudo Plugin
Load balancing and policy updates
Debug logs can help you determine if the sudo options are being enabled correctly in the policy.
To enable debug logging for Sudo policy
Debug sudo /var/log/sudo_debug all@debug
For systems without a /var/log directory, use /var/adm/sudo_debug instead.
Since the Sudo Plugin is not a program, the /tmp/pmplugin.ini file needs be manually created in order to enable tracing for the Sudo Plugin itself.
To create the .ini file to enable tracing for the Sudo Plugin
printf 'FileName=/tmp/pmplugin.trc\nLevel=0xffffffff\n' > /tmp/pmplugin.ini
© ALL RIGHTS RESERVED. Feedback Nutzungsbedingungen Datenschutz Cookie Preference Center