Return
-
Title
How to use pmlogadm archive to archive old event logs -
Description
The pmevents.db is growing too large. Is there a way to manage the size of pmevents.db?
How to use pmlogadm archive to archive old event logs.
-
Resolution
The pmlogadm archive command creates an archive of old event logs and removes the old event logs from the current database. The command is available in Privilege Manager for Sudo 2.0 hotfix 6.0.0.040 and up and Privilege Manager for Unix 6.0.0.040 and up.
NOTE: pmserviced and pmlogsrvd daemons should be disabled, and all pmmasterd processes finish before running a pmlogadm archive. If pmlogsrvd is not disabled results will be mixed. pmlogsrvd is responsible for updating the pmevents database with any new events, so pmlogadm may have difficulty getting a lock on the database if it's constantly being updated.
Usage: pmlogadm archive --beforepmlogadm archive --older-thanOptions:--dest-dir Specify destination directory for the archive.--no-zip Do not tar and gzip the output archive.--clean-source
After removing events from the source run a cleaning process that may free more disk space. May significantly increase the time taken. Requires free disk space approximately equal to the size of the source log while the cleaning process executes.
The following example archives logs for all events that occurred before April 1, 2014from the current event log database, creating an archive database in the /archive/2014Q1 directory.
Note: If you omit the --no-zip option, pmlogadm also creates a tar-gzip'ed archive of the database files.
EXAMPLE 1:pmlogadm archive /var/opt/quest/qpm4u/pmevents.db 2014Q1 \--dest-dir /archive --no-zip --before "2014-04-01 00:00:00"
Archive Job SummarySource Log : /var/opt/quest/qpm4u/pmevents.dbArchive Name : 2014Q1Destination Dir : /archiveZip Archive : NoCut off time : 2014/04/01 00:00:00No pmlogsrvd pid file found, assuming service is not running.X events will be archived.Adding events to the archive.Verifying archive.Archive verification completed successfully. Removing events from source log.Archive task complete.
EXAMPLE 2:pmlogadm archive /var/opt/quest/qpm4u/pmevents.db testarchive --dest-dir /tmp --older-than 7
Archive Job SummarySource Log : /var/opt/quest/qpm4u/pmevents.dbArchive Name : testarchiveDestination Dir : /tmpZip Archive : YesCut off time : 2014/10/14 00:00:001 events will be archived.Adding events to the archive.Verifying archive.Archive verification completed successfully. Removing events from source log.Archive task complete.
The archiving needs to be done on all policy servers, as each policy server stores the logs for the sudo sessions they service.For how to archive the keystroke logs aka iologs please see the following KB Article 226965
For more information on backing up and archiving event and keystroke log please see the Privilege Manager Administrator's Guide.
-
Change Request
304152