The logs location and what is logged to syslog. Can it be integrated with splunk? Where are the sudo policy changes logged? (4285179)

The log file for sudo policy changes are stored in the repository in subversion.  They are encrypted and not human readable and cannot be sent to splunk. You can see the sudoers file changes by unix commnad line by typing "pmpolicy log" on the policy server. There is also a Management Console report for the policy changes.

In the default configuration for Privilege Manager, the pmmasterd process on the policy servers will log accept and reject messages to syslog whenever the policy server accepts or rejects a session request from a sudo plugin. Likewise, the local pmmasterd will log accept and reject messages when accepting or rejecting a local session during an offline policy evaluation. Other services like pmlogsrvd, pmserviced, pmpluginloadcheck will also log various information to syslog.

The location of the logfile for syslog messages depends on the systems syslogd configuration. Please refer to your systems manpage on syslogd(8) for more information. On RedHat Linux systems, syslogd is usually configured to report *.info messages (messages with a severity of "info" or greater) will be logged to /var/log/messages.