Commands can be replayed by an administrator using the “pmreplay” utility. The input and output of commands executed with Privilege Manager are stored within the “iologs” directory and are organised by profile, user and command by default.
# pmreplay <I/O Log Filename>
The details of each command executed with Privilege are added to the event log which can be viewed using the “pmlog” utility.
To view all the commands executed by a particular user on a set day you would type:
# pmlog -c ' user==“earl" && date=="2009/08/19" ‘
Accept 2009/08/19 14:43:39 email@example.com -> root@sol10master
Command finished with exit status 0
Reject 2009/08/19 16:11:54 firstname.lastname@example.org
To find out what the I/O log Filename to replay you can do the "pmlogsearch" command on the policy server as root.
[root@gbpm4spol sbin]# pmlogsearch --after "2016/01/01 00:00:01"
Search matches 5 events
2018/05/04 15:10:25 : Reject : email@example.com
Requested : firstname.lastname@example.org : /opt/quest/bin/vastool info servers
2018/05/04 15:10:15 : Reject : email@example.com
Requested : firstname.lastname@example.org : /opt/quest/bin/vastool -v
2018/05/04 15:09:42 : Reject : email@example.com
Requested : firstname.lastname@example.org : su -
2018/05/04 15:09:25 : Accept : email@example.com
Requested : firstname.lastname@example.org : /opt/quest/bin/vastool status
Executed : email@example.com : /opt/quest/bin/vastool status
IO Log : gbpm4spol.idm.hal.lab:/var/opt/quest/qpm4u/iolog/gboudreau/root/vastool_20180504_1509_F6NPhF
If you have setup and configured the Management Console for Unix, you can view event logs or replay keystroke logs from the Policy tab of the management console if you are logged in either as the supervisor or an Active Directory account with rights to audit the policy file; that is,
an account in the Audit Sudo Policy or Audit PM Policy role. For more information about this see the Management Console for Unix Admin Guide available on the Support Portal support.oneidentity.com.