-
Titre
How do I view logs and audit users ? -
Description
How do I view logs and audit users ? -
Résolution
Commands can be replayed by an administrator using the “pmreplay” utility. The input and output of commands executed with Privilege Manager are stored within the “iologs” directory and are organised by profile, user and command by default.
# pmreplay <I/O Log Filename>
The details of each command executed with Privilege are added to the event log which can be viewed using the “pmlog” utility.Example:
To view all the commands executed by a particular user on a set day you would type:
# pmlog -c ' user==“earl" && date=="2009/08/19" ‘
Accept 2009/08/19 14:43:39 earl@sol10master.democorp.local -> root@sol10master
service
Command finished with exit status 0
Reject 2009/08/19 16:11:54 earl@sol10master.democorp.local
shutdownTo find out what the I/O log Filename to replay you can do the "pmlogsearch" command on the policy server as root.
Example:
[root@gbpm4spol sbin]# pmlogsearch --after "2016/01/01 00:00:01"Search matches 5 events2018/05/04 15:10:25 : Reject : gboudreau@gb-rh-6.idm.hal.labRequested : root@gb-rh-6.idm.hal.lab : /opt/quest/bin/vastool info servers2018/05/04 15:10:15 : Reject : gboudreau@gb-rh-6.idm.hal.labRequested : root@gb-rh-6.idm.hal.lab : /opt/quest/bin/vastool -v2018/05/04 15:09:42 : Reject : gboudreau@gb-rh-6.idm.hal.labRequested : root@gb-rh-6.idm.hal.lab : su -2018/05/04 15:09:25 : Accept : gboudreau@gb-rh-6.idm.hal.labRequested : root@gb-rh-6.idm.hal.lab : /opt/quest/bin/vastool statusExecuted : root@gb-rh-6.idm.hal.lab : /opt/quest/bin/vastool statusIO Log : gbpm4spol.idm.hal.lab:/var/opt/quest/qpm4u/iolog/gboudreau/root/vastool_20180504_1509_F6NPhFExample:pmreplay /var/opt/quest/qpm4u/iolog/gboudreau/root/vastool_20180504_1509_F6NPhFIf you have setup and configured the Management Console for Unix, you can view event logs or replay keystroke logs from the Policy tab of the management console if you are logged in either as the supervisor or an Active Directory account with rights to audit the policy file; that is,an account in the Audit Sudo Policy or Audit PM Policy role. For more information about this see the Management Console for Unix Admin Guide available on the Support Portal support.oneidentity.com.