I/O Log Close Action

The new Endpoint Privilege Management policy procedure iologcloseaction allows the policy to specify a program that is executed for each completed I/O log.

This mechanism allows the I/O log to be processed in whatever way the specified program implements. For example, Endpoint Privilege Management includes a Perl script that sends ACA data from the I/O log to Splunk.

The iologcloseaction mechanism and the Solr indexing mechanism share a queue that allows pbconfigd to control and monitor pbreplay processes, which in turn perform the Solr indexing and iologcloseaction actions. This mechanism uses a combination of fast writes to queue files and a database. Each I/O logging process writes the I/O log path and filename to the queue, as well as periodic heartbeat information to inform the queue mechanism that the I/O log is still being generated. When an I/O log is closed normally, that information is written to the queue as well. pbconfigd runs a scheduled task that transfers data from the I/O Log Action queue to both Solr and any specified I/O Log Close Action scripts; once an entry has been successfully processed, it is deleted. The scheduler automatically retries any outstanding entries if the Solr service is down or unavailable.

Both Solr indexing and iologcloseaction are ultimately processed by pbreplay. pbconfigd runs a scheduled task that monitors the pbreplay processes handling Solr indexing and/or iologcloseaction. The number of allowed pbreplay processes is configured with the iologactionmaxprocs keyword. pbreplay processes are launched as needed to process the database queue. The iologactionretry keyword controls the number of retries to acquire a database lock for the internal database queue operations.
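As an added example (not BeyondTrust's code and not the Splunk script the page mentions), the following POSIX shell script is the kind of program a policy could name as its I/O Log Close Action. It assumes, since the page does not say, that pbreplay invokes the program with the path of the closed I/O log as its first argument and that a non-zero exit status leaves the queue entry unprocessed; the directory names are constructed. It refuses paths outside the expected I/O log directory, rejects traversal components and symlinks, and records the file's size and SHA-256 digest so later tampering with an archived I/O log can be detected. The exact policy syntax for pointing iologcloseaction at the script is in the Policy Language Guide referenced below.

```shell
#!/bin/sh
# Added example of an I/O Log Close Action script (not part of the product).
# Assumptions: the closed I/O log path arrives as $1, and exit status != 0
# signals that the entry was not successfully processed.

# Directory the I/O logs are expected to live under (constructed value).
IOLOG_DIR="${IOLOG_DIR:-/var/log/pbiolog}"
# Append-only record this script keeps of processed logs (constructed value).
CLOSE_LOG="${CLOSE_LOG:-/var/log/pbiolog-close.log}"

# Return 0 only if $1 is a regular, non-symlinked file directly under IOLOG_DIR
# with no ".." components; anything else is refused.
check_iolog_path() {
    p="$1"
    case "$p" in
        "$IOLOG_DIR"/*) ;;                 # must be rooted in the I/O log directory
        *) return 1 ;;
    esac
    case "$p" in
        */../*|*/..|../*) return 1 ;;      # reject path traversal components
    esac
    [ -f "$p" ] && [ ! -L "$p" ] || return 1
    return 0
}

# Print the SHA-256 of a file using whichever tool the host provides.
iolog_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        return 1
    fi
}

# Process one closed I/O log: validate the path, then append a timestamped
# record (path, byte count, digest) to CLOSE_LOG. Distinct exit codes make
# failures easy to tell apart in pbreplay's view of the action.
process_iolog() {
    iolog="$1"
    if ! check_iolog_path "$iolog"; then
        echo "refusing unexpected iolog path: $iolog" >&2
        return 2
    fi
    digest=$(iolog_digest "$iolog") || return 3
    size=$(wc -c < "$iolog" | tr -d ' ')
    printf '%s iolog=%s bytes=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$iolog" "$size" "$digest" \
        >> "$CLOSE_LOG" || return 4
    return 0
}

# When invoked by pbreplay with an argument, process it and report the result.
if [ "$#" -ge 1 ]; then
    process_iolog "$1"
    exit $?
fi
```

The path checks matter because the action runs with whatever privileges pbreplay gives it: a close action that blindly opens the path it is handed would also open any file a malformed queue entry pointed at. Keeping a digest per log gives an integrity baseline that a later audit can compare against the archived file.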

For more information, see the Endpoint Privilege Management for Unix and Linux Policy Language Guide.