Listing Event Logs
You can list the events that are logged when you run a command, whether accepted or rejected by the policy server.
Keystroke logs are related to events. When you run a command, such as sudo whoami, the policy server either accepts or rejects the command based on the policy. When the policy server accepts the command, it creates an event and a corresponding keystroke log. If it rejects the event, it does not create a keystroke log. In order to view a keystroke log, you must first list events to find a particular keystroke log.
|
|
NOTE: Quest recommends that you use Management Console for Unix for viewing event logs and replaying keystroke logs. The mangement console provides comprehensive reporting tools and an intuitive user interface for easy navigation of the event and keystroke log data. However, you can also use command line utilities to display a list of events. |
The pmlog command displays event log entries, such as events by date and time, host, user, run user, command, and result.
To display a list of events from the command line on the policy server
- From the command line, enter:
# pmlog --after "2011/05/06 00:00:00" –-user "tuser"
pmlog provides direct and flexible access to the event logs on the local policy server and is capable of complex queries.
If you run a command, you might see output similar to the following which indicates the policy server has successfully accepted or rejected commands:
Accept 2011/05/11 13:20:04 tuser@ myhost.example.com -> root@ myhost.example.com whoami Command finished with exit status 0 Accept 2011/05/11 14:05:58 tuser@ myhost.example.com -> root@ myhost.example.com whoami Command finished with exit status 0 Reject 2011/05/11 14:06:17 tuser@ myhost.example.com Fakecmd
The following pmlog options support the use of wildcards, such as * and ?:
- –-user
- –-runuser
- –-reqhost
- –-runhost
- –-masterhost
You can also use the pmremlog command on the primary policy server to run pmlog on secondary policy servers. For example:
# pmremlog –h polsrv2 –p pmlog -- --user myuser –-command sh
NOTE: See pmremlog or pmlog for more information about the syntax and usage of these commands
Backing up and archiving event and keystroke logs
Use the pmlogadm program to perform backup or archive operations on a policy server's event log database. Because Privilege Manager stores keystroke logs in individual flat files on the policy server, you may use standard Unix commands to back up or archive them. Make sure the keystroke log files are not associated with active sessions prior to backup or archive.
Disabling and enabling services
While pmlogadm can perform the backup and archive operations on a live event log database, for best results we recommend that you follow these steps prior to performing a backup or archive.
- Stop the pmserviced and pmlogsrvd services.
This example shows how to disable services on Redhat Linux systems:# service pmserviced stop Stopping pmserviced service: done # service pmlogsrvd stop Stopping pmlogsrvd service: done
- Ensure there are no running pmmasterd processes:
# ps -ef | grep pmmasterd
NOTE: A running pmmasterd process indicates that there may be an active Privilege Manager session.
This procedure also allows you to safely backup or archive any keystroke log files. Once the backup or archive operation has completed, remember to restart the pmserviced and pmlogsrvd services.
This example shows how to restart the services on Redhat Linux systems:
# service pmlogsrvd start Starting pmlogsrvd service: done # service pmserviced start Starting pmserviced service: done
Backing up event logs
The pmlogadm backup command creates a clean backup copy of your event log database.
This example performs a backup of the current event log database, placing the copy in the /backup directory:
# pmlogadm backup /var/opt/quest/qpm4u/pmevents.db /backup 5 / 208 pages complete 10 / 208 pages complete ... 205 / 208 pages complete 208 / 208 pages complete
Backing up keystroke logs
Privilege Manager stores the keystroke logs in individual files and do not require any special commands for processing.
This example uses the unix cp command to recursively copy the keystroke logs to the /backup directory:
# cp -r /var/opt/quest/qpm4u/iolog /backup
Archiving event logs
The pmlogadm archive command creates an archive of old event logs and removes the old event logs from the current database. The following example archives logs for all events that occurred before April 1, 2014 from the current event log database, creating an archive database in the /archive/2014Q1 directory.
|
|
NOTE: If you omit the --no-zip option, pmlogadm also creates a tar-gzip'ed archive of the database files. |
# pmlogadm archive /var/opt/quest/qpm4u/pmevents.db 2014Q1 \ --dest-dir /archive --no-zip --before "2014-04-01 00:00:00" Archive Job Summary Source Log : /var/opt/quest/qpm4u/pmevents.db Archive Name : 2014Q1 Destination Dir : /archive Zip Archive : No Cut off time : 2014/04/01 00:00:00 No pmlogsrvd pid file found, assuming service is not running. X events will be archived. Adding events to the archive. Verifying archive. Archive verification completed successfully. Removing events from source log. Archive task complete.
Archiving keystroke logs
You can use the pmlog command with some carefully chosen options to get a list of keystroke logs associated with the event logs you archive. In this example, you process the list generated by pmlog, with the Unix xargs and mv commands to move the keystroke logs into the /archive/2014Q1/iolog directory.
# mkdir /archive/2014Q1/iolog
# pmlog -f /archive/2014Q1/archive.db \
-c "defined iolog && length(iolog) != 0" -p iolog \
| xargs -i{} mv {} /archive/2014Q1/iolog
|
|
NOTE: The usage of the xargs command may differ depending on your platform. |
InTrust Plug-in for Privilege Manager
Installing InTrust Plug-in Components
InTrust Plug-in Installation Prerequisites
Configuring the Policy Server for the InTrust Plug-in
Installing the InTrust Knowledge Pack
InTrust Knowledge Pack Objects
Installing the InTrust Reporting Pack
Quest® InTrust for Active Directory provides a centralized auditing point allowing you to collect and report on the audit data from Privilege Manager as well as many other data sources you may have in your IT infrastructure.
Figure 13: Audting with InTrust Plug-in
InTrust for Active Directory auditing capabilities allow you to collect and report on the audit data from your Privilege Manager Security system. Featuring a fully automated workflow, InTrust for Active Directory helps you:
- Gather the Privilege Manager event logs from the policy servers running on several different platforms
- Consolidate, store, and analyse the gathered data
- Create reports on various aspects of your Privilege Manager security system operation
InTrust for Active Directory provides reports on the following Privilege Manager System areas:
- All events
- Elevated privilege events
- All events grouped result
- Out of band events
- Rejected events
InTrust Plug-in Requirements
InTrust for Active Directory supports Privilege Manager version 5.5 and above.
You can collect data from Privilege Manager hosts running on any of the UNIX® platforms supported by InTrust.
|
|
NOTE: To use the MSI installer for the InTrust Reporting Pack, your InTrust Server must use the Windows® SQL Server® 2005 as its back-end database. |