Viewing the log files using command line tools
Using command line tools, you can list events and replay log files directly from the primary policy server using the pmlogsearch, pmreplay, and pmremlog commands.
pmlogsearch
pmlogsearch is a simple search utility based on common criteria. Run pmlogsearch on the primary server to query the logs on all servers in the policy group. pmlogsearch provides a summary report on events and keystroke logs matching at least one criteria. pmlog provides a more detailed report on events than pmlogsearch.
Hostnames may appear in the event logs and keystroke log files in either fully qualified format (myhost.mycompany.com) or in short name format (myhost), depending on how hostnames are resolved and the use of the short name setting in the pm.settings file. To ensure that either format is matched, use the short host name format with an asterisk wildcard (myhost*) when specifying a hostname search criteria.
See pmlogsearch for more information about the syntax and usage of the pmlogsearch command.
pmlogsearch performs a search across all policy servers in the policy group and returns a list of events (and associated keystroke log file names) for requests matching the specified criteria. You specify search criteria using the following options (you must specify at least one search option):
Table 9: Search criteria options
| --after "YYYY/MM/DD hh:mm:ss" |
Search for sessions initiated after the specified date and time. |
| --before "YYYY/MM/DD hh:mm:ss" |
Search for sessions initiated before the specified date and time. |
| --host hostname |
Search for sessions that run on the specified host. |
| --result accept|reject |
Return only events with the indicated result. |
| --text keyword |
Search for sessions containing the specified text. |
|
--user username |
Search for sessions by the specified requesting user. |
The following pmlogsearch options support the use of wildcards, such as * and ?:
To match one or more characters, you can use wild card characters (such as ? and *) with the --host, --text, and --user options; but you must enclose arguments with wild cards in quotes to prevent the shell from interpreting the wild cards.
If there is a keystroke log associated with the event, it displays the log host and pathname along with the rest of the event information.
The following example lists two events with keystroke (IO) logs:
# pmlogsearch --user sally
Search matches 2 events
2013/03/16 10:40:02 : Accept : sally@qpmsrv1.example.com
Request: sally@qpmsrv1.example.com : id
Executed: root@qpmsrv1.example.com : id
IO Log: qpmsrv1.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L
2013/03/16 09:56:22 : Accept : sally@qpmsrv2.example.com
Request: sally@qpmsrv2.example.com : id
Executed: root@qpmsrv2.example.com : id
IO Log: qpmsrv2.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I
pmreplay
You can use the pmreplay command to replay a keystroke log file if it resides on the local policy server.
To replay the log, run:
# pmreplay <path_to_keystroke_log>
For example, the following command replays the first ls -l /etc log from the previous example:
# pmreplay /opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L
pmremlog
If the keystroke log resides on a remote policy server, you can use the pmremlog command with the -h <remote_host> and -p pmreplay options to remotely replay a keystroke log file. You specify the path argument to the remote pmreplay after the -- flag.
For example, enter the following command all on one line:
# pmremlog -h qpmsrv2 -p pmreplay -- /opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I
Host names may appear in the event logs and keystroke log files in either fully qualified format (myhost.mycompany.com) or in short-name format (myhost), depending on how host names are resolved and the use of the shortnames setting in the pm.settings file. To ensure that either format is matched, when you specify a host name search criteria, use the short-host name format with an asterisk wild card (For example, myhost*).
Listing event logs
You can list the events that are logged when you run a command, whether accepted or rejected by the policy server.
Keystroke logs are related to events. When you run a command, such as sudo whoami, the policy server either accepts or rejects the command based on the policy. When the policy server accepts the command, it creates an event and a corresponding keystroke log. If it rejects the event, it does not create a keystroke log. In order to view a keystroke log, you must first list events to find a particular keystroke log.
The pmlog command displays event log entries, such as events by date and time, host, user, run user, command, and result.
To display a list of events from the command line on the policy server
- From the command line, enter:
# pmlog --after "2011/05/06 00:00:00" --user "tuser"
pmlog provides direct and flexible access to the event logs on the local policy server and is capable of complex queries.
If you run a command, you might see output similar to the following which indicates the policy server has successfully accepted or rejected commands:
Accept 2011/05/11 13:20:04 tuser@ myhost.example.com -> root@ myhost.example.com
whoami
Command finished with exit status 0
Accept 2011/05/11 14:05:58 tuser@ myhost.example.com -> root@ myhost.example.com
whoami
Command finished with exit status 0
Reject 2011/05/11 14:06:17 tuser@ myhost.example.com
Fakecmd
The following pmlog options support the use of wildcards, such as * and ?:
- --user
- --runuser
- --reqhost
- --runhost
- --masterhost
You can also use the pmremlog command on the primary policy server to run pmlog on secondary policy servers. For example:
# pmremlog -h polsrv2 -p pmlog -- --user myuser --command sh
Related Topics
pmlog
pmremlog
Backing up and archiving event and keystroke logs
Use the pmlogadm program to perform backup or archive operations on a policy server's event log database. Because Safeguard stores keystroke logs in individual flat files on the policy server, you may use standard Unix commands to back up or archive them. Make sure the keystroke log files are not associated with active sessions prior to backup or archive.
Disabling and enabling services
While pmlogadm can perform the backup and archive operations on a live event log database, for best results we recommend that you follow these steps prior to performing a backup or archive.
- Stop the pmserviced and pmlogsrvd services.
This example shows how to disable services on Redhat Linux systems: # service pmserviced stop
Stopping pmserviced service: done
# service pmlogsrvd stop
Stopping pmlogsrvd service: done
- Ensure there are no running pmmasterd processes:
# ps -ef | grep pmmasterd
A running pmmasterd process indicates that there may be an active Safeguard session.
This procedure also allows you to safely backup or archive any keystroke log files. Once the backup or archive operation has completed, remember to restart the pmserviced and pmlogsrvd services.
This example shows how to restart the services on Redhat Linux systems:
# service pmlogsrvd start
Starting pmlogsrvd service: done
# service pmserviced start
Starting pmserviced service: done
Backing up event logs
The pmlogadm backup command creates a clean backup copy of your event log database.
This example performs a backup of the current event log database, placing the copy in the /backup directory:
# pmlogadm backup /var/opt/quest/qpm4u/pmevents.db /backup
5 / 208 pages complete
10 / 208 pages complete
...
205 / 208 pages complete
208 / 208 pages complete
Backing up keystroke logs
Safeguard stores the keystroke logs in individual files and do not require any special commands for processing.
This example uses the unix cp command to recursively copy the keystroke logs to the /backup directory:
# cp -r /var/opt/quest/qpm4u/iolog /backup
Archiving event logs
The pmlogadm archive command creates an archive of old event logs and removes the old event logs from the current database. The following example archives logs for all events that occurred before April 1, 2014 from the current event log database, creating an archive database in the /archive/2014Q1 directory.
If you omit the --no-zip option, pmlogadm also creates a tar-gzip'ed archive of the database files.
# pmlogadm archive /var/opt/quest/qpm4u/pmevents.db 2014Q1 \
--dest-dir /archive --no-zip --before "2014-04-01 00:00:00"
Archive Job Summary
Source Log : /var/opt/quest/qpm4u/pmevents.db
Archive Name : 2014Q1
Destination Dir : /archive
Zip Archive : No
Cut off time : 2014/04/01 00:00:00
No pmlogsrvd pid file found, assuming service is not running.
X events will be archived.
Adding events to the archive.
Verifying archive.
Archive verification completed successfully. Removing events from source log.
Archive task complete.
Archiving keystroke logs
You can use the pmlog command with some carefully chosen options to get a list of keystroke logs associated with the event logs you archive. In this example, you process the list generated by pmlog, with the Unix xargs and mv commands to move the keystroke logs into the /archive/2014Q1/iolog directory.
# mkdir /archive/2014Q1/iolog
# pmlog -f /archive/2014Q1/archive.db \
-c "defined iolog && length(iolog) != 0" -p iolog \
| xargs -i{} mv {} /archive/2014Q1/iolog
The usage of the xargs command may differ depending on your platform.
Supported sudo plugins
Safeguard for Sudo supports loading the following sudo-compatible plugins on the policy server:
-
Approval plugin
-
Audit plugin
You can write these sudo plugins both in C and in Python.
To load a sudo audit or approval plugin on a policy server, you must configure the plugins in the sudoers policy file located in /etc/opt/quest/qpm4u/policy/sudoers by default. On a policy server that supports multiple policies, you can have different plugins configured for each policy.
Syntax
Safeguard for Sudo does not use the /etc/sudo.conf file to load modules. Safeguard for Sudo uses the sudoers policy file and it uses a slightly different syntax.
The syntax of the /etc/sudo.conf file is the following:
Plugin symbol_name plugin_file.so plugin_arguments...
The syntax of the Safeguard for Sudo sudoers policy file is the following:
Defaults plugins += "symbol_name plugin_file.so plugin_arguments..."
Where:
-
symbol_name is the name of the symbol used to look up the plugin.
-
plugin_file.so is the path to the plugin file.
-
plugin_arguments are optional arguments passed to the plugin. For Python plugins, the arguments are used to find the Python script to load.
For more information about the audit and approval plugins, see the Sudo Plugin API and Sudo Python Plugin API man pages.
