Log Archiving

Beginning with v9.0, Endpoint Privilege Management for Unix and Linux provides a logfile tracking and archiving mechanism for I/O logs and event logs. Each log file created can have its location recorded in a centralized database for future searches. Log files can be archived from the original logserver hosts, for the purpose of freeing up space on the log servers or for consolidating logs on designated archive hosts.

The log archiving process is performed by hosts that are installed and configured with the server components. Installing those components always installs the Endpoint Privilege Management REST service, which is required for log file movement and tracking.

The hosts involved in log archiving are categorized as:

Log Server

The host where the event log or I/O log is created either by pblogd or pbmasterd.

The pblogarchive program found on this host initiates the log file movement. After a successful archive, the log file exists on the destination Log Archive Storage Server and is removed from this host.

The settings file on this machine requires enablelogtrackingdb, logarchivehost, and logarchivedbhost.

For more information, see the following:

Log Archive Storage Server

The destination host of the archived logfiles.

The settings file on this machine requires logarchivedir, the main directory under which the archived logfiles are organized.

To support multi-tier archiving, this host can also function as a log server, transferring files to another archive server. In that case, the log server settings listed above are required on this host as well.

For more information, see Settings.

Log Archive Database Server

The host where the centralized log tracking database is created and maintained.

The settings file on this machine requires logarchivedb, which is the path name of the SQLite database file.

We recommend you do not designate a primary log server/policy server as the database server to avoid degrading log host performance. Plan for growth of the database file, depending on the volume of log files that get created.

Regardless of function, all hosts involved in log archiving are required to have pbrestport configured in the settings file. Optionally, pbresturi may also be used.

For more information, see Settings.

Archive Encrypted Log Files

The log archiving feature supports encrypted logfiles.

The log server sending files to be archived and the Log Archive Storage Server receiving the archived logs must use the same encryption algorithm and key.

For event logs, the eventlogencryption setting must be the same on the source and the destination. For I/O logs, the iologencryption setting must be the same on the source and the destination. Otherwise, the log file transfer could fail.

Archive by Age

Archiving by age may be achieved by configuring cron to invoke the pblogarchive program.
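Before a cron job starts invoking pblogarchive, it is worth confirming that each host's settings file actually carries the keywords listed for its role in the host descriptions above. The script below is an added example, not part of this documentation or of the product; it assumes the settings file uses one "keyword value" per line, and the hostname, port and file paths in it are placeholders.

```shell
#!/bin/sh
# Added example (not BeyondTrust code): verify that a host's settings file
# carries the keywords this page lists for its log-archiving role.
# Assumes the usual "keyword value" line format of pb.settings; the file
# paths and values below are placeholders.
# Keywords required per role, as stated in the text above (pbrestport on all).
required_for_role() {
  case "$1" in
    logserver) echo "enablelogtrackingdb logarchivehost logarchivedbhost pbrestport" ;;
    storage)   echo "logarchivedir pbrestport" ;;
    dbserver)  echo "logarchivedb pbrestport" ;;
    *)         return 1 ;;
  esac
}

# Print the value of keyword $1 in settings file $2; empty if absent
# (a '#'-commented line has '#' as its first field, so it never matches).
setting_value() {
  awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# Exit 0 when every required keyword for role $1 has a value in file $2,
# 1 when some are missing (listed on stderr), 2 for an unknown role.
check_archive_settings() {
  role=$1; file=$2; missing=""
  keys=$(required_for_role "$role") || return 2
  for k in $keys; do
    [ -n "$(setting_value "$k" "$file")" ] || missing="$missing $k"
  done
  if [ -n "$missing" ]; then
    echo "$file ($role): missing$missing" >&2
    return 1
  fi
  return 0
}

# Constructed sample: a log server that was never given logarchivedbhost.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed pb.settings excerpt, not taken from a real host
enablelogtrackingdb yes
logarchivehost archive1.example.com
pbrestport 24351
EOF
check_archive_settings logserver "$sample" || echo "fix the settings file before scheduling pblogarchive"
rm -f "$sample"
```

Run it once per host with the role that host plays; a multi-tier archive host should pass both the storage and the logserver check.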