pblog

The pblog program selectively displays entries from an event log. Each time a job is accepted, rejected, or completed, or a keystroke action event occurs, an entry is appended to the event log file. The event log file is specified by the eventlog setting in the settings file or by the eventlog variable in the Privilege Management for Unix and Linux policy file. By default, the eventlog variable is set to /var/log/pb.eventlog, /usr/log/pb.eventlog, /var/adm/pb.eventlog, or /usr/adm/pb.eventlog, depending on the operating system.

With no command line arguments, pblog reads and displays all entries in the default event log file. You can specify a different event log with the -f or --eventlog argument. You can specify a decryption key file with the -k or --keyfile argument.

  • Version 3.5 and earlier: long command options not supported.
  • Version 4.0 and later: long command options supported.
pblog [options]
    -a, --accept_format=expression
    -c, --constraint=expression
    -d, --dump
    -e, --finish_format=expression
    -f, --eventlog=file_name
        --db
        --ff
        --odbc
    -i, --keystroke_format=expression
    -k, --keyfile=file_name
    -l, --verbose
    -o, --dbout=file_name
    -O, --odbcout=dsn
    -D, --diff
    -p, --all_formats=expression
    -q, --quiet
    -r, --reject_format=expression
    -t, --tail
pblog -X|--xml [options]
    -c, --constraint=expression
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -k, --keyfile=file_name
pblog -C|--csv [options]
    -c, --constraint=expression
    -F, --field_list=field_names
    -f, --eventlog=file_name
    -H, --csv_header
    -k, --keyfile=file_name
    -S, --csv_separator
pblog -J|--json [options]
    -P, --pretty
pblog -v|--version
pblog --help
-a, --accept_format=expression    Optional. Format expression for Accept events.
-c, --constraint=expression    Optional if the expression is the last argument on the command line. Constrains entries according to the expression.
-C, --csv    Optional. Produces comma-separated value (CSV) output.
-d, --dump    Optional. Dumps entries as they are read.
-e, --finish_format=expression    Optional. Format expression for Finish events.
-f, --eventlog=file_name    Optional. Alternate event log to report.
    --db    Optional. The alternate event log is a SQLite database.
    --ff    Optional. The alternate event log is a flat file.
    --odbc    Optional. The alternate event log is an ODBC DSN.
-F, --field_list=field_names    Optional. Field list to be displayed for CSV and XML output. When specifying multiple field names, enter them as comma-separated values (no spaces).
-H, --csv_header    Optional. Produces a field-name header in CSV mode.
-i, --keystroke_format=expression    Optional. Format expression for keystroke action events.
-k, --keyfile=file_name    Optional. Name of the encryption key file. The file_name specified must be listed as one of the key files in the eventlogencryption keyword.
-l, --verbose    Optional. Turns on verbose mode. Prints all variables, one per line.
-o, --dbout=file_name    Optional. Copy missing records to a SQLite database.
-O, --odbcout=dsn    Optional. Copy missing records to an ODBC database.
-D, --diff    Optional. Report differences instead of copying (used with -o or -O).
-p, --all_formats=expression    Optional. Print format expression for all events.
-q, --quiet    Optional. Turns on quiet mode. Does not report expression errors (for example, undefined variables).
-r, --reject_format=expression    Optional. Format expression for Reject events.
-S, --csv_separator    Optional. Field separator for CSV mode (default is comma).
-t, --tail    Optional. Tail mode. Loop and report new entries as they occur (forces dump mode).
-J, --json    Optional. Produces output in JSON format.
-P, --pretty    Optional. Pretty-prints the JSON output.
-v, --version    Optional. Displays the pblog version and exits.
-X, --xml    Optional. Produces XML-formatted output.
--help    Optional. Displays the program help message and exits.

For more information about syntax to specify multiple encryption algorithms and files, please see eventlogencryption.

Default Format Expressions

Dump mode (-d):

Accept Dump
    sprintf('%s %s %s %s %s@%s -> %s@%s\n\t%s', uniqueid, event,
        date, time, user, submithost, runuser, runhost, join(runargv))
Reject Dump
    sprintf('%s %s %s %s %s@%s\n\t%s', uniqueid, event, date,
        time, user, submithost, join(argv))
End/Finish Dump
    sprintf('%s %s %s', uniqueid, event, exitstatus)

Report mode:

Accept
    sprintf('%s %s %s %s@%s -> %s@%s\n\t%s\n\t%s', event, date,
        time, user, submithost, runuser, runhost, join(runargv), exitstatus)
Reject
    sprintf('%s %s %s %s@%s\n\t%s', event, date, time, user,
        submithost, join(argv))
End/Finish
    sprintf('%s %s %s', uniqueid, event, exitstatus)
Keystroke
    sprintf('%s %s %s %s %s', event, keystrokestatus,
        keystrokedate, keystroketime, keystroke)
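The default format expressions above define the exact shape of dump-mode output, which is what a collector or review script usually has to consume. The following parser is an added example, not code from the pblog documentation or the product: it reads output produced by the default Accept, Reject and End/Finish dump formats and joins each Accept with its Finish by uniqueid. It assumes the default formats are in use (custom -a/-r/-e/-p expressions change the layout), that the event variable renders as the strings "Accept", "Reject" and "End" or "Finish", and that the command follows on the tab-indented continuation line; the sample lines and their field values are constructed.

```python
"""Added example (not pblog's own code): parse default dump-mode output.
Assumptions: default format expressions, event rendered as Accept/Reject/
End/Finish, command on the "\t" continuation line. Sample is constructed."""
import re

# Constructed sample: the documented default dump formats applied to invented
# field values (uniqueids follow the shape shown on the page, not real ones).
SAMPLE_DUMP = (
    "ac1420215df2ac3604C7 Accept 2020/02/20 13:08:06 alice@ws01 -> root@db01\n"
    "\t/bin/systemctl restart sshd\n"
    "ac1420215df2ac3604C5 Reject 2020/02/20 13:08:06 bob@ws02\n"
    "\t/bin/cat /etc/shadow\n"
    "ac1420215df2ac3604C7 Finish 0\n"
)

# One regex per default header line. Accept and Reject headers are followed
# by a "\t<command>" line; the End/Finish header stands alone.
ACCEPT_RE = re.compile(
    r"^(?P<uniqueid>\S+) (?P<event>Accept) (?P<date>\S+) (?P<time>\S+) "
    r"(?P<user>[^@\s]+)@(?P<submithost>\S+) -> (?P<runuser>[^@\s]+)@(?P<runhost>\S+)$"
)
REJECT_RE = re.compile(
    r"^(?P<uniqueid>\S+) (?P<event>Reject) (?P<date>\S+) (?P<time>\S+) "
    r"(?P<user>[^@\s]+)@(?P<submithost>\S+)$"
)
FINISH_RE = re.compile(r"^(?P<uniqueid>\S+) (?P<event>End|Finish) (?P<exitstatus>\S+)$")


def parse_dump(text):
    """Turn default-format dump output into a list of dicts, one per event."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        m = ACCEPT_RE.match(line) or REJECT_RE.match(line)
        if m:
            rec = m.groupdict()
            # The command line follows on the next, tab-indented line.
            if i + 1 < len(lines) and lines[i + 1].startswith("\t"):
                rec["command"] = lines[i + 1][1:]
                i += 1
            else:
                rec["command"] = ""  # truncated record: kept, command unknown
            records.append(rec)
        else:
            m = FINISH_RE.match(line)
            if m:
                records.append(m.groupdict())
            elif line.strip():
                # Unknown line shape (custom format or damaged in transit):
                # keep it visible rather than dropping it silently.
                records.append({"event": "Unparsed", "raw": line})
        i += 1
    return records


def sessions(records):
    """Join each Accept with its End/Finish by uniqueid (the two share the
    uniqueid, as the -D output on this page shows). Rejects are returned as
    they are; an Accept whose exitstatus stays None is a session that is
    still open or whose Finish has not reached this log yet."""
    by_id = {}
    for rec in records:
        if rec["event"] == "Accept":
            by_id[rec["uniqueid"]] = dict(rec, exitstatus=None)
    for rec in records:
        if rec["event"] in ("End", "Finish") and rec["uniqueid"] in by_id:
            by_id[rec["uniqueid"]]["exitstatus"] = rec["exitstatus"]
    rejects = [r for r in records if r["event"] == "Reject"]
    return rejects + list(by_id.values())


if __name__ == "__main__":
    for s in sessions(parse_dump(SAMPLE_DUMP)):
        print(s)
```

The regexes are anchored and split on the literal separators the default formats emit, so a user name or host containing unexpected characters fails to match rather than being mis-attributed; such lines surface as "Unparsed" records for review instead of disappearing.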

Read an Event Log

If pblog is run without the -f <file_name> option, it tries to read the file defined by eventlog in pb.settings if available, or it uses a default pathname.

Starting in v10.3.0, pblog assumes by default that the event log is a SQLite database. If the file you want pblog to read is not a SQLite database, or if the file is different from the one specified by the eventlog setting, use the -f option together with --db, --ff or --odbc.

If the eventdestinations setting is commented out in the configuration file or is set to authevt=db, and the option -f <file_name> is not provided, pblog uses the filename specified in the eventlog setting but implicitly appends .db to the name when processing it.

Read a SQLite DB event log whose path is specified in the event log setting:
# pblog
Read a specific SQLite DB event log:
# pblog -f /path/to/mypb.eventlog.db --db
Read a specific flat file event log
# pblog -f /path/to/mypb.eventlog.flat --ff
Read an ODBC type event log:
# pblog -f MyDSN --odbc

In this case, the odbc.ini and odbcinst.ini files located in the directory specified by the odbcinidir setting (default /etc/pbul/etc) are read to get the connection information for the MySQL or Oracle database.

For more information, please see the default values listed in eventlog.

Copy Event Log Records

If multiple targets for authorized events are defined in eventdestinations, or if you want to copy event log records from one event log file to another, the options -o (output to SQLite database) or -O (output to ODBC database) can be used. This only copies the event log records with a uniqueid that does not exist in the destination.

Copy from a flat file to a SQLite database:
# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db
Copy records from a flat file to the ODBC database:
# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files (see odbcinidir setting).

Copy records from a SQLite database to the ODBC database:
# pblog --db -f /var/log/pb.eventlog.db -O MyDSN

Where MyDSN is the ODBC Data Source Name whose connection information to the MySQL or Oracle database is configured in the odbc.ini/odbcinst.ini files.

For more information, please see odbcinidir.

Report Differences Between Event Log Destinations

If multiple event destinations were used, and you want to report on records that might be in one destination but not another, combine -o or -O with the -D option:

Report differences between event log records in a flat file versus a SQLite database:
# pblog --ff -f /var/log/pb.eventlog.flat -o /var/log/pb.eventlog.db -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55
Report differences between event log records in a flat file versus a MySQL database:
# pblog --ff -f /var/log/pb.eventlog.flat -O MyDSN -D
uniqueid,etype,epoch
ac1420215df2ac3604C5,Reject,2020/02/20 13:08:06
ac1420215df2ac3604C7,Accept,2020/02/20 13:08:06
ac1420215df2ac3604C7,Finish,2020/02/20 13:08:54
ac1420215df2ac3704C9,Accept,2020/02/20 13:08:07
ac1420215df2ac3704C9,Finish,2020/02/20 13:08:55
Report differences between event log records in a SQLite database versus an Oracle database:
# pblog --db -f /var/log/pb.eventlog.db -O oracle -D
uniqueid,etype,epoch
ac1420215df2ac6d04EC,Reject,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04EE,Finish,2020/02/20 13:09:49
ac1420215df2ac6d04F1,Accept,2020/02/20 13:09:01
ac1420215df2ac6d04F1,Finish,2020/02/20 13:09:49
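The copy (-o/-O) and difference (-D) operations described in the two sections above share one rule: a record is copied only when it is absent from the destination, and -D lists what would have been copied instead of copying it. The following is an added example, not pblog's own code, that works that rule through on an in-memory SQLite destination and then triages a -D report the way a reviewer would. The table name, its columns and the tab-separated flat-file layout are assumptions made for the illustration; the sample records are constructed. Because an Accept and its Finish share a uniqueid (both appear for one id in the -D output above), the check keys on the (uniqueid, event type) pair rather than on uniqueid alone, which is an assumption about how the product resolves that case.

```python
"""Added example (not pblog's own code): copy-by-uniqueid and -D reporting.
Assumptions: table 'events' with columns uniqueid, etype, epoch; source is
a tab-separated flat file; dedup key is (uniqueid, etype). Data constructed."""
import csv
import io
import sqlite3

# Constructed source log: tab-separated uniqueid, event type, timestamp.
SAMPLE_FLAT = """\
ac1420215df2ac3604C5\tReject\t2020/02/20 13:08:06
ac1420215df2ac3604C7\tAccept\t2020/02/20 13:08:06
ac1420215df2ac3604C7\tFinish\t2020/02/20 13:08:54
ac1420215df2ac3704C9\tAccept\t2020/02/20 13:08:07
ac1420215df2ac3704C9\tFinish\t2020/02/20 13:08:55
"""


def parse_flat(text):
    """Split the constructed flat file into (uniqueid, etype, epoch) tuples."""
    return [tuple(line.split("\t")) for line in text.splitlines() if line.strip()]


def open_destination(preloaded=()):
    """In-memory stand-in for the SQLite/ODBC destination (schema assumed).
    The composite primary key enforces the dedup rule in the database too."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE events (uniqueid TEXT, etype TEXT, epoch TEXT,"
        " PRIMARY KEY (uniqueid, etype))"
    )
    db.executemany("INSERT INTO events VALUES (?, ?, ?)", list(preloaded))
    db.commit()
    return db


def missing_records(source_rows, db):
    """Source records absent from the destination, in source order."""
    present = set(db.execute("SELECT uniqueid, etype FROM events").fetchall())
    return [r for r in source_rows if (r[0], r[1]) not in present]


def copy_missing(source_rows, db):
    """What -o/-O does: insert only the missing records. Returns the count,
    so a second run on the same inputs reports 0 (the copy is idempotent)."""
    missing = missing_records(source_rows, db)
    db.executemany("INSERT INTO events VALUES (?, ?, ?)", missing)
    db.commit()
    return len(missing)


def diff_report(source_rows, db):
    """What -D does instead of copying: list the missing records in the
    uniqueid,etype,epoch layout shown on the page."""
    rows = [",".join(r) for r in missing_records(source_rows, db)]
    return "\n".join(["uniqueid,etype,epoch"] + rows)


def classify_gaps(report):
    """Group the gaps in a -D report for triage: a missing Finish whose Accept
    is already present is the normal result of copying while a session was
    running; a session missing both records, or a missing Reject, means that
    event never reached the destination and deserves a closer look."""
    by_id = {}
    for row in csv.DictReader(io.StringIO(report)):
        by_id.setdefault(row["uniqueid"], set()).add(row["etype"])
    gaps = {"reject": [], "whole_session": [], "finish_only": [], "accept_only": []}
    for uid, types in sorted(by_id.items()):
        if "Reject" in types:
            gaps["reject"].append(uid)
        elif types == {"Accept", "Finish"}:
            gaps["whole_session"].append(uid)
        elif types == {"Finish"}:
            gaps["finish_only"].append(uid)
        elif types == {"Accept"}:
            gaps["accept_only"].append(uid)
    return gaps


if __name__ == "__main__":
    # Destination that already holds the Accept of a session that was still
    # running when the previous copy was made.
    dest = open_destination([("ac1420215df2ac3704C9", "Accept", "2020/02/20 13:08:07")])
    src = parse_flat(SAMPLE_FLAT)
    print(diff_report(src, dest))
    print(classify_gaps(diff_report(src, dest)))
    print("copied:", copy_missing(src, dest), "then:", copy_missing(src, dest))
```

Running the block shows the four-row report, the triage result (one reject gap, one whole session, one finish-only gap) and a copy count of 4 followed by 0, which is the property to check after scheduling copies between destinations: repeated runs must not duplicate audit records.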

Starting with v10.3.0, the option -J has been added to display the event log records in JSON format. Combine with -P to enhance readability.

# pblog --db -f /var/log/pb.eventlog.db -J -P

For more information, please see pbmasterd.