Chat now with support
Chat with Support

Safeguard for Sudo 6.1 Common Documents - Administration Guide

One Identity Privileged Access Suite for Unix Introducing Privilege Manager for Sudo Planning Deployment Installation and Configuration Upgrade Privilege Manager for Sudo System Administration Managing Security Policy Administering Log and Keystroke Files Troubleshooting Privilege Manager Variables Privilege Manager programs Installation Packages Unsupported Sudo Options Privilege Manager for Sudo Policy Evaluation

Event logging

Event logs are enabled by default for all requests sent to the Privilege Manager Policy Servers. The default location of the event log file is /var/opt/quest/qpm4u/pmevents.db.

Keystroke (I/O) logging

Once your 30-day trial license has expired, One Identity requests that you obtain a Keystroke Logging license to remain in compliance. See Privilege Manager licensing for details.

You can enable keystroke logging using the log_input and log_output default parameters.

NOTE: Enabling log_input and log_output enables keystroke logging.

For example, to enable keystroke logging for all requests, specify:

Defaults log_input, log_output

To specify keystroke logging of output just for the root user, specify:

Defaults:root log_output

You can also override default settings by using the LOG_INPUT, LOG_OUTPUT, NOLOG_INPUT, NOLOG_OUTPUT tags in a user specification entry. For example, to suppress keystroke logging for the ls command, enter:


The location of the keystroke log file is determined by the iolog_dir and iolog_file default specifications.

The defaults are:

Defaults iolog_dir = "/var/opt/quest/qpm4u/iolog"
Defaults iolog_file = "%{user}/%{runas_user}/%{command}_%Y%m%d_%H%M_XXXXXX"

See the Sudoers man page for an explanation of the supported percent (%) escape sequences.

NOTE: The trailing “XXXXXX” characters at the end of iolog_file are required; without them, no I/O log will be generated. These X’s are replaced with a unique combination of digits and letters, similar to the mktemp() function.

Viewing the log files using a web browser

If you are running Privilege Manager, you can view events using Management Console for Unix, which provides an intuitive web-based console for managing UNIX hosts.

Refer to the One Identity Management Console for Unix Administration Guide for details about using the mangement console.

Viewing the log files using command line tools

If you are not running Privilege Manager with Management Console for Unix, or if you prefer to use command line tools, you can list events and replay log files directly from the primary policy server using the pmlogsearch, pmreplay, and pmremlog commands.


pmlogsearch is a simple search utility based on common criteria. Run pmlogsearch on the primary server to query the logs on all servers in the policy group. pmlogsearch provides a summary report on events and keystroke logs matching at least one criteria. pmlog provides a more detailed report on events than pmlogsearch.

NOTE: Hostnames may appear in the event logs and keystroke log files in either fully qualified format ( or in short name format (myhost), depending on how hostnames are resolved and the use of the short name setting in the pm.settings file. To ensure that either format is matched, use the short host name format with an asterisk wildcard (myhost*) when specifying a hostname search criteria.

See pmlogsearch for more information about the syntax and usage of the pmlogsearch command.

pmlogsearch performs a search across all policy servers in the policy group and returns a list of events (and associated keystroke log file names) for requests matching the specified criteria. You specify search criteria using the following options (you must specify at least one search option):

Table 8: Search criteria options
Command Description
--after "YYYY/MM/DD hh:mm:ss" Search for sessions initiated after the specified date and time.
--before "YYYY/MM/DD hh:mm:ss" Search for sessions initiated before the specified date and time.
--host hostname Search for sessions that run on the specified host.
--result accept|reject Return only events with the indicated result.
--text keyword Search for sessions containing the specified text.
--user username Search for sessions by the specified requesting user.

The following pmlogsearch options support the use of wildcards, such as * and ?:

  • –-host
  • –-user

To match one or more characters, you can use wild card characters (such as ? and *) with the --host, --text, and --user options; but you must enclose arguments with wild cards in quotes to prevent the shell from interpreting the wild cards.

If there is a keystroke log associated with the event, it displays the log host and pathname along with the rest of the event information.

The following example lists two events with keystroke (IO) logs:

# pmlogsearch --user sally 
Search matches 2 events 
2013/03/16 10:40:02 : Accept : 
   Request: : id 
   Executed: : id 
   IO Log: 
2013/03/16 09:56:22 : Accept : 
   Request: : id 
   Executed: : id 
   IO Log:

You can use the pmreplay command to replay a keystroke log file if it resides on the local policy server.

To replay the log, run:

# pmreplay <path_to_keystroke_log>

For example, the following command replays the first ls –l /etc log from the previous example:

# pmreplay /opt/quest/qpm4u/iologs/demo/sally/id_20120316_1040_ESpL6L

If the keystroke log resides on a remote policy server, you can use the pmremlog command with the –h <remote_host> and –p pmreplay options to remotely replay a keystroke log file. You specify the path argument to the remote pmreplay after the -- flag.

For example, enter the following command all on one line:

# pmremlog -h qpmsrv2 -p pmreplay -- /opt/quest/qpm4u/iologs/demo/sally/id_20120316_0956_mrVu4I

NOTE: Host names may appear in the event logs and keystroke log files in either fully qualified format ( or in short-name format (myhost), depending on how host names are resolved and the use of the shortnames setting in the pm.settings file. To ensure that either format is matched, when you specify a host name search criteria, use the short-host name format with an asterisk wild card (For example, myhost*).

Related Documents