Audit Activity Using BeyondInsight for Unix & Linux

From the Audit page, you can access:

  • Unified Search: Search for Privilege Management for Unix and Linux, Active Directory Bridge, and BeyondInsight for Unix & Linux events
  • PMUL Events: View and download Privilege Management for Unix and Linux event logs
  • Console Audit: View activity within the Privilege Management for Unix and Linux console
  • Session Replay: View, replay, and audit Privilege Management for Unix and Linux session replays

As of Privilege Management for Unix and Linux 10.3, event log information is retrieved from databases. Previous versions of Privilege Management for Unix and Linux support log files.

A minimum version of Privilege Management for Unix and Linux 10.0 is required to view log contents. In earlier versions, the log must be downloaded to view.

Perform a Unified Search

The unified search gathers log files from Privilege Management for Unix and Linux, Active Directory Bridge (AD Bridge), and BeyondInsight for Unix & Linux. You can then search from a single line for Privilege Management for Unix and Linux, AD Bridge, and BeyondInsight for Unix & Linux events, simultaneously.

Currently, Elasticsearch is the only supported SIEM. This section will only be available if there is a configured and working connection to Elasticsearch.

To perform a search:

  1. From the sidebar menu, select Audit > Unified Search.
  2. Enter a search query to display the list of events. Search options include:
    • Fuzzy / partial matches: Default. Searching for tree, for example, returns results containing tree and pinetree.
    • Exact matches: Use double quotes. Searching for “sudo”, for example, returns only results that contain sudo.
    • Logical AND: Results must contain both values, as in sudo AND emacs.
    • Logical OR: Results may contain either value, as in sudo OR emacs.
    • Logical NOT: Results exclude the value, as in sudo NOT visudo.
    • Operator precedence: Use brackets to group terms, as in (sudo AND emacs) or (sudo AND vi).
    • Date and time options: Use these to set ranges (some defaults are provided) and to set begin and end times.

When writing your query, you do not need to capitalize the logical operators (and, or, not).

  3. Click Search.

You can also just click Search, without entering any criteria. Unified search has default criteria that return all available events.

BIUL Event Search and Details panel

  4. To view the results, click the Privilege Management for Unix and Linux, AD Bridge, or BeyondInsight for Unix & Linux button. Click to toggle a selection on or off. The result count appears at the bottom right of the grid (as a number of items). At the bottom of the grid, you can also find the page count, along with the page navigation icons.
  5. For full event details, click on a row. The Event Details panel displays on the right.

Events that are associated with IO Logs provide links to the Session Replay player. To play the file, in the Event Details panel, click the Session Replay button. Optionally, you can enter a Comment and set the Audit Status, and then click Save.

For more information, see Replay Sessions in BeyondInsight for Unix & Linux.
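The search syntax above, worked through as an added illustrative evaluator; this is not BeyondInsight's code (the product queries Elasticsearch), and the sample events are constructed. It implements what the section documents: fuzzy terms match as substrings, quoted terms match whole words, AND/OR/NOT are accepted in any letter case, brackets group terms, and an empty query returns everything. It additionally assumes case-insensitive matching, a single left-to-right precedence level for the operators, and that NOT is binary (sudo NOT visudo means sudo and not visudo).

```python
import re

EVENTS = [  # constructed sample events (illustrative, not real audit data)
    {"source": "PMUL", "host": "db01", "command": "sudo emacs /etc/hosts"},
    {"source": "PMUL", "host": "web02", "command": "sudo vi /etc/sudoers"},
    {"source": "PMUL", "host": "web02", "command": "visudo"},
    {"source": "AD Bridge", "host": "db01", "message": "user pinetree logged in"},
    {"source": "BIUL", "host": "console", "message": "login succeeded for tree"},
]
OPERATORS = {"and", "or", "not"}  # recognised in any letter case, as the page states

def tokenize(query):  # yields (kind, text): exact for "quoted" terms, paren, op or word
    for tok in re.findall(r'"[^"]*"|[()]|[^\s()"]+', query):
        if tok[0] == '"':
            yield "exact", tok[1:-1]
        elif tok in "()":
            yield "paren", tok
        else:
            yield ("op", tok.lower()) if tok.lower() in OPERATORS else ("word", tok)

def term_matches(kind, text, event):  # fuzzy: substring of any field; exact: whole word
    haystack = " ".join(str(v) for v in event.values()).lower()
    return text.lower() in (re.findall(r"\w+", haystack) if kind == "exact" else haystack)

def evaluate(tokens, event):
    """Left-to-right evaluation, one precedence level (an assumption); brackets override."""
    def term():
        kind, val = tokens.pop(0) if tokens else ("end", "end of query")
        if (kind, val) == ("paren", "("):
            inner = expr()
            if not tokens or tokens.pop(0) != ("paren", ")"):
                raise ValueError("missing closing bracket")
            return inner
        if kind not in ("word", "exact"):
            raise ValueError(f"unexpected {val!r}")
        return term_matches(kind, val, event)
    def expr():
        result = term()
        while tokens and tokens[0][0] == "op":
            op, rhs = tokens.pop(0)[1], term()  # NOT is binary: a NOT b = a AND NOT b
            result = {"and": result and rhs, "or": result or rhs, "not": result and not rhs}[op]
        return result
    result = expr()
    if tokens:  # e.g. two terms with no operator between them
        raise ValueError(f"unexpected {tokens[0][1]!r}")
    return result

def search(query, events=EVENTS):
    tokens = list(tokenize(query))  # no criteria returns every event, like a bare Search
    return [e for e in events if evaluate(list(tokens), e)] if tokens else list(events)
```

Comparing search("sudo") with search('"sudo"') shows why the quotes matter for an audit question: the fuzzy form also pulls in visudo, and the bracketed example behaves the same way unless vi is quoted.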

Select Which Columns to View

You can select which columns to view in the grid. To select which columns to view, at the right of the grid, click the Columns icon, and then check the boxes for the columns you want to appear in the grid.

Download the Results Data

You can download the results data as a JSON or CSV file. To download a results file:

  1. After you perform a search, click the Privilege Management for Unix and Linux, AD Bridge, or BeyondInsight for Unix & Linux results button. Click to toggle a selection on or off.
  2. At the right, click the Download icon, and then select JSON File or CSV File. The file downloads to your Download folder.

View PMUL Events

  1. From the sidebar menu, select Audit > PMUL Events.
  2. Find the host name in the list. Use the Hostname, IP Address, and Tags filters to refine the list of results displayed.
  3. At the far right of the server entry row, click the arrow.
  4. On the Event Log page, click the Event Source dropdown menu and select the log you want to view.
  5. For full event details, click on a row. The Event Details panel is displayed on the right. Use the Filter event keys field to refine the list of results displayed.
  6. To close the Event Details panel, click the X icon.

View Console Audit Activities

You can view user session information, such as user name, user ID, timestamp, user roles, and request URL.

  1. From the sidebar menu, select Audit > Console Audit.
  2. On the Console Audit page, use the filters to refine the list of user sessions displayed.
  3. At the far right of the session row, click the arrow.
  4. On the Session Details page, view more information, such as user name, user roles, HTTP method, and URL. Use the filters at the top of the columns to refine the list of results displayed.
  5. For full event details, click on a row. The Request Details panel is displayed on the right.
  6. To close the Request Details panel, click the X icon.