Controlling logs
The following variables are used to control the logging of program input and output through Privilege Manager for Unix.
Table 19: Logging variables

| Variable | Description |
| --- | --- |
| iolog | If set to a filename, logs all of the information selected by the logstdin, logstdout, and logstderr variables to the specified file. |
| logstderr | If set to true, logs any error responses. |
| logstdin | If set to true, logs all information coming in from standard input. |
| logstdout | If set to true, logs all information being displayed to standard output. |
For details about these logging variables, refer to Global output variables.
To log the input, output and error I/O streams from a request, set logstdin, logstdout, and logstderr to true. Set iolog to the name of the log file. After Privilege Manager for Unix completes the request, you can use the pmreplay command to replay the session that was logged.
You can limit the amount of data logged for each stream. This avoids filling up the I/O logs with large amounts of output from benign commands, such as when using cat or tail to display a large file. You can limit the I/O logging to the first n bytes of the output. For example, to log only the first 500 bytes of stdout, enter:
iolog_opmax=500;
The following example ensures that whenever you run the adduser program through Privilege Manager for Unix, it logs all input and output in the specified file:
if(command=="adduser") {
    iolog="/var/log/iolog/" + user + mktemp("_XXXXXX");
    logstdin=true;
    logstdout=true;
    logstderr=true;
    runuser="root";
    accept;
}
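The following is an added example, not taken from the product documentation, that combines the two ideas above: every accepted request gets a full keystroke log, but the stdout log for file-display commands is capped with iolog_opmax so a large file paged through cat or tail cannot fill the I/O log directory. It uses only the policy variables and functions shown on this page; the command names, log path and 500-byte cap are illustrative, and the `||` operator and `reject` statement are assumed to behave as in the C-like pmpolicy syntax.

```pmpolicy
# Added example (not from the product documentation). Assumes the pmpolicy
# variables described on this page; paths, command names and the 500-byte
# cap are illustrative.
logstdin=true;
logstdout=true;
logstderr=true;

# One I/O log per request, named after the user and command with a
# timestamp and a unique suffix (mktemp replaces the trailing XXXXXX).
iolog=mktemp("/var/log/iolog/" + user + "_" + basename(command)
      + "_" + strftime("%Y%m%d_%H%M") + "_XXXXXX");

if(basename(command)=="cat" || basename(command)=="tail") {
    # File-display commands: keep only the first 500 bytes of stdout.
    # Input and stderr are still logged in full.
    iolog_opmax=500;
    runuser="root";
    accept;
}

if(basename(command)=="adduser") {
    # Account changes: full, uncapped keystroke log for later pmreplay.
    runuser="root";
    accept;
}

# Anything not matched above is refused rather than silently accepted.
reject;
```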
Local logging
The location of the error logs for the Privilege Manager for Unix components, pmrun, pmlocald, and pmmasterd, is specified using keywords in the pm.settings file. Enter the following to specify that you want the error logs written to the /var/adm directory:
pmlocaldlog /var/adm/pmlocald.log
pmmasterdlog /var/adm/pmmasterd.log
pmrunlog /var/adm/pmrun.log
Alternatively, you can enable UNIX syslog error logging in the pm.settings file, by specifying:
syslog YES
Use one of the following keywords to specify which syslog facility to use:
- LOG_KERN
- LOG_USER
- LOG_MAIL
- LOG_DAEMON
- LOG_AUTH (the default)
- LOG_LPR
- LOG_NEWS
- LOG_UUCP
- LOG_CRON
- LOG_LOCAL0 through LOG_LOCAL7
For example, to enable syslog error logging using the LOG_AUTH facility, enter in the pm.settings file:
syslog YES
facility LOG_AUTH
See PM settings variables for more information about modifying the Privilege Manager for Unix configuration settings.
Event logging
Event logs are enabled by default for all requests sent to the Privilege Manager for Unix Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.
When using the pmpolicy type, you can change the location of the event log, or disable event logging for a specific request by modifying the eventlog policy variable. For example, to disable event logging for all pmlist commands, add the following code to your security policy:
if (basename(command) == "pmlist") { eventlog=""; }
The following pmpolicy variables affect event log settings:
Table 20: Event logging policy variables

| Variable | Type | Description |
| --- | --- | --- |
| eventlog | string | The name of the file in which events (acceptances, rejections, and completions) are logged. Default: /var/opt/quest/qpm4u/pmevents.db. This must be a full pathname starting with a / (slash), for example: eventlog = "/var/logs/pmevents.db"; If the log file name you specify in the policy file cannot be opened, Privilege Manager for Unix automatically logs all events in the default log file. See also eventlog. |
| logomit | list | Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the amount of disk space used by event logs. See also logomit. |
| export | varname | Specifies a local variable to add to the event log. (Refer to Operators and expressions for more information about export.) |
For example, enter the following to specify that you want to:
- record the event log in /var/adm/pmevents.db
- omit the env and runenv variables from the event log
eventlog = "/var/adm/pmevents.db";
logomit = {"env","runenv"};
Keystroke (I/O) logging
Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager for Unix licensing for details.
You can enable keystroke logging using the iolog variable. If this variable is not defined or is an empty string, keystroke logging is disabled. Otherwise, set the iolog variable to the full path of the keystroke log. See iolog for details.
If you use the default profile-based policy, iolog is defined in the profileBasedPolicy.conf file as:
iolog=mktemp("/var/opt/quest/qpm4u/iolog/"
             + profile
             + "/"
             + user
             + "/"
             + basename(runcommand)
             + "_"
             + strftime("%Y%m%d_%H%M")
             + "_XXXXXX");
You can enable keystroke logging on a per-profile basis by editing the profile and shellprofile files and setting the pf_keystrokelogging variable to true or false.
The following variables affect keystroke log settings when using the pmpolicy type:
- iolog
- iolog_encrypt
- iolog_opmax
- iologhost
- logomit
- logstderr
- logstdin
- logstdout
- log_passwords
For details about these variables, refer to the Global output variables.