pblog

The pblog program selectively displays entries from an event log. Each time a job is accepted, rejected, or completed, or a keystroke action event occurs, an entry is appended to the event log file. The event log file is specified by the “authevt=” label in the eventdestinations setting or by the eventlog setting in the settings file, or by the eventlog variable in the EPM-UL policy file. By default, the eventlog variable is set to /var/log/pb.eventlog, /usr/log/pb.eventlog, /var/adm/pb.eventlog, or /usr/adm/pb.eventlog, depending on the operating system.

With no command line arguments, pblog reads and displays all entries in the default event log file. You can specify a different event log with the -f or --eventlog argument. You can specify a decryption key file with the -k or --keyfile argument.

Syntax

  • Version 3.5 and earlier: long command options not supported.
  • Version 4.0 and later: long command options supported.

pblog [options]
    -a, --accept_format=expression
    -c, --constraint=expression
    -d, --dump
    -e, --finish_format=expression
    -f, --eventlog=file_name
        --db
        --ff
        --odbc
    -i, --keystroke_format=expression
    -k, --keyfile=file_name
    -l, --verbose
    -o, --dbout=<file name>
    -O, --odbcout=<dsn>
    -D, --diff
    -p, --all_formats=expression
    -q, --quiet
    -r, --reject_format=expression
    -t, --tail
pblog -X|--xml [options]
    -c, --constraint=expression
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -k, --keyfile=file_name
pblog -C|--csv [options]
    -c, --constraint=expression
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -H, --csv_header
    -k, --keyfile=file_name
    -S, --csv_separator
pblog -J|--json
    -P, --pretty
pblog -v|--version
pblog --help

Arguments

-a, --accept_format=expression Optional. Format expression for Accept events.
-c, --constraint=expression Optional if the expression is the last argument on the command line. Constrains entries according to the expression.
-C, --CSV Optional. Produces comma-separated value (CSV) output.
-d, --dump Optional. Dumps entries as they are read.
-e, --finish_format=expression Optional. Format expression for finish events.

-f, --eventlog=file_name Optional. Alternate event log to report.
--db Optional. Alternate event log is a database.
--ff Optional. Alternate event log is a flat file.
--odbc Optional. Alternate event log is an ODBC DSN.

-F, --field_list=field_names Optional field list to be displayed for CSV and XML output. When specifying multiple field names, enter them as comma-separated values (no spaces).
-H, --csv_header Optional. Produces a field-name header in CSV mode.
-i, --keystroke_format=expression Optional. Format expression for keystroke action events.
-k, --keyfile=file_name Optional. Name of the encryption key file.

The file_name specified must be listed as one of the key files in the eventlogencryption keyword.

-l, --verbose Optional. Turns on verbose mode. Prints all variables, one per line.
-o, --dbout=<file name> Optional. Copy missing records to database.
-O, --odbcout=<dsn> Optional. Copy missing records to ODBC.
-D, --diff Optional. Report differences instead of copying.

-p, --all_formats=expression Optional. Print format expression for all events.
-q, --quiet Optional. Turns on quiet mode. Do not report expression errors (for example, undefined variables).
-r, --reject_format=expression Optional. Format expression for Reject events.

-S, --csv_separator Optional. Field separator for CSV mode (default is comma).
-t, --tail Optional. Tail mode. Loop and report new entries as they occur (forces dump mode).

-J, --json Optional. Produces output in JSON format.
-P, --pretty Optional. Pretty print.

-v, --version Optional. Displays the pblog version and exits.

-X, --xml Optional. Produces XML-formatted output.
--help Optional. Displays the program help message and exits.

For more information about syntax to specify multiple encryption algorithms and files, see eventlogencryption.

Default Output Expressions

Accept Dump
sprintf('%s %s %s %s %s@%s -> %s@%s\n\t%s', uniqueid, event, date, time, user, submithost, runuser, runhost, join(runargv))
Reject Dump
sprintf('%s %s %s %s %s@%s\n\t%s', uniqueid, event, date, time, user, submithost, join(argv))
End/Finish Dump
sprintf('%s %s %s', uniqueid, event, exitstatus)
Accept
sprintf('%s %s %s %s@%s -> %s@%s\n\t%s\n\t%s', event, date, time, user, submithost, runuser, runhost, join(runargv), exitstatus)
Reject
sprintf('%s %s %s %s@%s\n\t%s', event, date, time, user, submithost, join(argv))
End/Finish
sprintf('%s %s %s', uniqueid, event, exitstatus)
Keystroke
sprintf('%s %s %s %s %s', event, keystrokestatus, keystrokedate, keystroketime, keystroke)

Read an Event Log

If the pb.settings file has:
#eventdestinations
eventlog /var/log/pb.eventlog

pblog with no arguments reads the flat file event log specified in the eventlog setting:

# pblog

If the pb.settings file has:
eventdestinations    authevt=db
eventlog    /var/log/pb.eventlog.db

pblog with no arguments reads the SQLite DB event log specified in the eventlog setting:

# pblog

Read a SQLite DB event log whose path is specified in the eventlog setting:
# pblog

Read a specific SQLite DB event log:
# pblog -f /path/to/mypb.eventlog.db --db

Read a specific flat file event log:
# pblog -f /path/to/mypb.eventlog.flat --ff

Read an ODBC type event log:
# pblog -f MyDSN --odbc

In this case, the odbc.ini and odbcinst.ini files located in the directory specified in the odbcinidir setting (default /etc/pbul/etc) are read to get the connection information for the MySQL or Oracle database.

For more information, see the default values listed in eventlog.

Copy Event Log Records

If multiple targets for authorized events are defined in eventdestinations, or if you want to copy event log records from one event log file to another, the options -o (output to SQLite database) or -O (output to ODBC database) can be used. This only copies the event log records with a uniqueid that does not exist in the destination.

Copy from a flat file to a SQLite database:
# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db
Copy records from a flat file to the ODBC database:
# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files (see odbcinidir setting).

Copy records from a SQLite database to the ODBC database:
# pblog --db -f /var/log/pb.eventlog.db -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files.

For more information, see odbcinidir.

Report Difference Between Event Log Destinations

If multiple event destinations were used, and you want to report on records that might be in one destination but not another, you can use -o or -O with the -D option:

Report differences between event log records in a flat file versus a SQLite database:
# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55
Report differences between event log records in a flat file versus a MySQL database:
# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55
Report differences between event log records in a SQLite database versus an Oracle database:
# pblog --db -f /var/log/pb.eventlog.db -O oracle -D
uniqueid,etype,epoch
ac1420215df2ac6d04EC,Reject,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Finish,2020/02/20 13:09:49
ac1420215df2ac6d04F1,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04F1,Finish,2020/02/20 13:09:49    
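
Added example (not part of the vendor documentation): a shell helper that condenses a -D difference report into one line per uniqueid and returns a non-zero status when any record is missing from the destination, so a scheduled check can alert on an incomplete audit trail. The function names are hypothetical, and the sample input is the flat-file versus SQLite report shown above.

```shell
# Sample input: the flat-file versus SQLite -D report shown on this page.
SAMPLE_DIFF='uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55'

# summarize_diff (hypothetical name): read a -D report on stdin and print one
# CSV line per uniqueid: uniqueid,first_epoch,event types joined with "+".
summarize_diff() {
    awk -F, '
        { sub(/[ \t\r]+$/, "") }                 # tolerate trailing blanks/CR
        NR == 1 && $1 == "uniqueid" { next }     # skip the CSV header
        NF != 3 { next }                         # skip blank or malformed lines
        !($1 in types) { order[++n] = $1; first[$1] = $3; types[$1] = $2; next }
        { types[$1] = types[$1] "+" $2 }
        END {
            for (i = 1; i <= n; i++)
                printf "%s,%s,%s\n", order[i], first[order[i]], types[order[i]]
        }'
}

# missing_sessions: number of distinct uniqueids absent from the destination.
missing_sessions() {
    summarize_diff | wc -l | tr -d ' '
}

# check_destinations: return 1 when the report lists any record, so a cron job
# or monitoring wrapper can alert when the two audit stores have diverged.
check_destinations() {
    report=$(cat)
    count=$(printf '%s\n' "$report" | missing_sessions)
    [ "$count" -eq 0 ] && return 0
    printf '%s session(s) missing from destination:\n' "$count" >&2
    printf '%s\n' "$report" | summarize_diff >&2
    return 1
}

# Demo on the sample; in production, pipe the output of a -D command such as
#   pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db -D
printf '%s\n' "$SAMPLE_DIFF" | summarize_diff
```

Running the copy command without -D afterwards fills in the reported records, since only records whose uniqueid is absent from the destination are copied.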

Dumping Records in JSON Format

Starting with v10.3.0, the option -J has been added to display the event log records in JSON format. Combine with -P to enhance readability.

# pblog --db -f /var/log/pb.eventlog.db -J -P

For more information, see pbmasterd.