
Safeguard for Sudo 2.0 - Administrators Guide


Central Logging with Privilege Manager for Unix


Privilege Manager for Unix can configure central logging for I/O and event logs using the iologhost and eventloghost policy variables.

pmmasterd uses port number 12345 by default to communicate with the log server.

NOTE: A host that is configured as a centralized log server must have the clients keyword added to its pm.settings file to specify which policy servers may forward their I/O and event log information to this log server. (See PM Settings Variables for details.)

Figure 12: Configuring Central Logging for I/O and Event Logs

In this example, master1, master2, master3, and logmaster are all Privilege Manager policy servers (pmmasterd).

logmaster is configured as the centralized log host for I/O and event logs for master1, master2 and master3. To send I/O and event log information to logmaster, the policy must include the following statements:

iologhost = "logmaster"; 
eventloghost = "logmaster";

If for any reason (such as a system outage) the logs cannot be forwarded to the central logging host (logmaster in the above example), the log files are stored locally on the authenticating policy server (master1, master2, or master3 in the above example) until they can be forwarded. The location of these queued log files is specified by the tmplogdir policy variable, which defaults to /var/opt/quest/qpm4u/iolog/queue. (See tmplogdir for details.)

The pm.settings file for logmaster must include the clients keyword. For example:

clients master1 master2 master3

(See PM Settings Variables for details.)

Controlling Log Size with Privilege Manager for Unix


An effective strategy for controlling the size of the log file in Privilege Manager for Unix is to limit the amount of information sent to the logs. Instead of logging keystrokes for every command, you might construct a policy that only captures keystrokes for sensitive commands.

You can use policy variables to limit the information sent to the log files.

Table 24: Size-controlling logging variables

Variable       Data Type  Description
iolog_encrypt  boolean    Enables I/O log encryption; default is "true". Log files are encrypted with AES; view them with pmreplay.
iolog_errmax   integer    Limits the amount of text logged from stderr for each command.
iolog_opmax    integer    Limits the amount of text logged from stdout for each command. For example, if iolog_opmax is set to 500 and you run "cat filename1", only the first 500 bytes of output produced by that command are logged.
logomit        list       Specifies the names of variables to omit when logging to an event log (no default). Use this to reduce the disk space used by event logs.
logstderr      boolean    Specifies whether error output is logged; default is "true".
logstdin       boolean    Specifies whether input is logged; default is "true".
logstdout      boolean    Specifies whether output is logged; default is "true".

Viewing the Log Files Using a Web Browser


If you are running Privilege Manager, you can view events using Management Console for Unix, which provides an intuitive web-based console for managing UNIX® hosts.

(Refer to the One Identity Management Console for Unix Administrator Guide for details about using the management console.)

Viewing the Log Files Using Command Line Tools


If you are not running Privilege Manager with Management Console for Unix, or if you prefer to use command line tools, you can list events and replay log files directly from the primary policy server using the pmlogsearch, pmreplay, and pmremlog commands.

pmlogsearch is a simple search utility based on common criteria. Run pmlogsearch on the primary server to query the logs on all servers in the policy group. pmlogsearch provides a summary report on events and keystroke logs matching at least one of the criteria. pmlog provides a more detailed report on events than pmlogsearch.

NOTE: Hostnames may appear in the event logs and keystroke log files in either fully qualified format (myhost.mycompany.com) or in short name format (myhost), depending on how hostnames are resolved and the use of the short name setting in the pm.settings file. To ensure that either format is matched, use the short host name format with an asterisk wildcard (myhost*) when specifying a hostname search criteria.

See pmlogsearch for more information about the syntax and usage of the pmlogsearch command.

pmlogsearch executes a search across all policy servers in the policy group and returns a list of events (and associated keystroke log file names) for requests matching the specified criteria. You specify search criteria using the following options (you must specify at least one search option):

Table 25: Search criteria options
Command Description
--after "YYYY/MM/DD hh:mm:ss" Search for sessions initiated after the specified date and time.
--before "YYYY/MM/DD hh:mm:ss" Search for sessions initiated before the specified date and time.
--host hostname Search for sessions executed on the specified host.
--result accept|reject Return only events with the indicated result.
--text keyword Search for sessions containing the specified text.
--user username Search for sessions by the specified requesting user.

The --host, --text, and --user options accept wild card characters (such as ? and *) to match one or more characters. Enclose any argument that contains wild cards in quotes to prevent the shell from expanding them before pmlogsearch sees them.

If there is a keystroke log associated with the event, pmlogsearch displays the log host and pathname along with the rest of the event information.

The following example lists two events with keystroke (IO) logs:

# pmlogsearch --user sally 
Search matches 2 events 
2013/03/16 10:40:02 : Accept : sally@qpmsrv1.example.com 
   Request: sally@qpmsrv1.example.com : id 
   Executed: root@qpmsrv1.example.com : id 
   IO Log: qpmsrv1.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L 
2013/03/16 09:56:22 : Accept : sally@qpmsrv2.example.com 
   Request: sally@qpmsrv2.example.com : id 
   Executed: root@qpmsrv2.example.com : id 
   IO Log: qpmsrv2.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I

You can use the pmreplay command to replay a keystroke log file if it resides on the local policy server.

To replay the log, run:

# pmreplay <path_to_keystroke_log>

For example, the following command replays the first id log from the previous example (the session executed on qpmsrv1):

# pmreplay /opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L

If the keystroke log resides on a remote policy server, you can use the pmremlog command with the -h <remote_host> and -p pmreplay options to remotely replay a keystroke log file. You specify the path argument to the remote pmreplay after the -- flag.

For example, enter the following command all on one line:

# pmremlog -h qpmsrv2 -p pmreplay -- /opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I
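The steps above (search, then replay locally with pmreplay or remotely with pmremlog) are easy to get wrong by hand when a search returns many sessions or when the IO Log host is recorded in a different name form than the one you type. The following script is an added example, not part of the One Identity guide or the product: it parses the summary that pmlogsearch prints (the format shown in the example above), extracts the host and path from each "IO Log:" line, and emits pmreplay for logs held on the local policy server and pmremlog -h <host> -p pmreplay -- <path> for logs held elsewhere. Host comparison is done on the short name, for the reason given in the NOTE about short and fully qualified host names. The sample input is constructed from the guide's own example output plus one rejected request (which has no keystroke log); the local host name is passed in as a parameter rather than read from the system so the script runs offline.

```python
#!/usr/bin/env python3
"""Added example (not from the One Identity guide): turn pmlogsearch output into
pmreplay / pmremlog commands, matching hosts on their short name."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the two events from the guide's pmlogsearch example, plus
# one rejected request (no "IO Log:" line) to show that case is handled.
SAMPLE_OUTPUT = """\
Search matches 3 events
2013/03/16 10:40:02 : Accept : sally@qpmsrv1.example.com
   Request: sally@qpmsrv1.example.com : id
   Executed: root@qpmsrv1.example.com : id
   IO Log: qpmsrv1.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L
2013/03/16 09:56:22 : Accept : sally@qpmsrv2.example.com
   Request: sally@qpmsrv2.example.com : id
   Executed: root@qpmsrv2.example.com : id
   IO Log: qpmsrv2.example.com:/opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I
2013/03/16 09:30:00 : Reject : sally@qpmsrv2
   Request: sally@qpmsrv2 : rm -rf /
"""

# "YYYY/MM/DD hh:mm:ss : Accept|Reject : user@host" starts a new event
EVENT_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) : (\w+) : (\S+)$")


@dataclass
class Event:
    when: str
    result: str
    requester: str                   # user@host that submitted the request
    request: str = ""
    executed: str = ""
    iolog_host: Optional[str] = None  # policy server holding the keystroke log
    iolog_path: Optional[str] = None  # absolute path on that server


def short_name(host: str) -> str:
    """Normalise 'myhost.mycompany.com' and 'myhost' to 'myhost'."""
    return host.split(".", 1)[0].lower()


def host_criterion(host: str) -> str:
    """Value for pmlogsearch --host that matches either name form (myhost*)."""
    return short_name(host) + "*"


def parse_pmlogsearch(text: str) -> List[Event]:
    """Parse the summary report printed by pmlogsearch into Event records."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(*m.groups()))
            continue
        if not events:
            continue                 # header line such as "Search matches N events"
        ev = events[-1]
        if line.startswith("Request:"):
            ev.request = line[len("Request:"):].strip()
        elif line.startswith("Executed:"):
            ev.executed = line[len("Executed:"):].strip()
        elif line.startswith("IO Log:"):
            # "host:/absolute/path" - split on the first colon only
            host, _, path = line[len("IO Log:"):].strip().partition(":")
            ev.iolog_host, ev.iolog_path = host, path
    return events


def replay_command(ev: Event, local_host: str) -> Optional[List[str]]:
    """argv that replays ev's keystroke log, or None if the event has none."""
    if ev.iolog_path is None or ev.iolog_host is None:
        return None
    if short_name(ev.iolog_host) == short_name(local_host):
        return ["pmreplay", ev.iolog_path]
    return ["pmremlog", "-h", ev.iolog_host, "-p", "pmreplay", "--", ev.iolog_path]


def replay_commands(text: str, local_host: str) -> List[str]:
    """Shell-quoted replay command for every event that has a keystroke log."""
    return [shlex.join(cmd) for ev in parse_pmlogsearch(text)
            if (cmd := replay_command(ev, local_host)) is not None]


if __name__ == "__main__":
    # Pretend we are on qpmsrv1: the first log is local, the second is remote.
    for command in replay_commands(SAMPLE_OUTPUT, "qpmsrv1"):
        print(command)
```

In practice you would feed the script the real output (for example pmlogsearch --user sally | python3 replay_cmds.py) and review the generated commands before running them; the script deliberately only prints them. Requires Python 3.8 or later for shlex.join and the assignment expression.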

