Sudo Policy Changes:
The log file for sudo policy changes are stored in the repository in subversion. They are encrypted and not human readable and cannot be sent to splunk. You can see the sudoers file changes by unix commnad line by typing "pmpolicy log" on the policy server. There is also a Management Console report for the policy changes.
What is logged to syslog:
In the default configuration for Privilege Manager, the pmmasterd process on the policy servers will log accept and reject messages to syslog whenever the policy server accepts or rejects a session request from a sudo plugin. Likewise, the local pmmasterd will log accept and reject messages when accepting or rejecting a local session during an offline policy evaluation. Other services like pmlogsrvd, pmserviced, pmpluginloadcheck will also log various information to syslog.
The location of the logfile for syslog messages depends on the systems syslogd configuration. Please refer to your systems manpage on syslogd(8) for more information. On RedHat Linux systems, syslogd is usually configured to report *.info messages (messages with a severity of "info" or greater) will be logged to /var/log/messages.
Here are some useful commands for the product:
pmservinfo - This will show you location of the repository but it cannot be read
List the policy revisions
The below include examples of commands where the policy revision exist and show in pmpolicy log results:
Revert the policy to previous version:
pmpolicy revert -r 3
Compare revisions of the policies:
/opt/quest/sbin/pmpolicy diff -r 28:29
Checkout policy and creates directory in /tmp
pmpolicy checkout -d /tmp
Pmpolicy checkout -r 28 -d /tmp/28
Committ/Save the policy:
pmpolicy commit -d /tmp/29