Endpoint Privilege Management for Unix and Linux and BeyondInsight Console

As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.

As of version 22.3, integration with BeyondInsight is deprecated.

Starting with v7.5, Endpoint Privilege Management for Unix and Linux can be integrated with BeyondInsight. This integration with BeyondInsight has the following benefits.

Event Log Central Collection

BeyondInsight features a database-centric reporting architecture that enables event collection from multiple devices as well as the ability to report about this data from a central location.

Endpoint Privilege Management for Unix and Linux uses a message router architecture to store its events (Accept events, Reject events, Keystroke Action events, and Finish events) in a database, defined by integratedproductsqueuedb, and uses a scheduler to periodically forward these event log records to BeyondInsight Web services. Using BeyondInsight, you can then sort and filter this data into useful reports. BeyondInsight also uses these events to display the list of Endpoint Privilege Management for Unix and Linux servers in the BeyondInsight Assets.

I/O Log Indexing for Improved Search Capabilities

This integration allows BeyondInsight to search for I/O logs via an indexed search. Endpoint Privilege Management for Unix and Linux uses Solr (with Lucene and Jetty) to index I/O log output data and BeyondInsight performs Solr queries and interprets/displays the results, allowing the user to replay the resulting I/O logs via pbguid.

Integration Process

When installing or upgrading, you can enable BeyondInsight Integration and provide values to the necessary keywords to enable these features.

To enable Endpoint Privilege Management for Unix and Linux v7.5 (and later) to send the event log records to BeyondInsight, perform the following actions.

  1. Copy and convert the BeyondInsight client certificate from BeyondInsight to the policy server and log server hosts.
    • Start the BeyondInsight Configuration Tool on the BeyondInsight management console server. Click Generate Certificate Zip in the BeyondInsight Configuration Tool.
    • Select the output folder for the ZIP file and a password to apply to the exported .pfx file.
    • Select a folder where you can securely copy the certificates.zip file and uncompress it.
    • Copy the following files to a secure directory on the Endpoint Privilege Management policy server and log server hosts:
      • eEyeEMSClient.pem
      • <host>_eEye_EMS_CA.pem
    • In the Endpoint Privilege Management servers and log server settings file, assign the keyword sslrcscertfile to the location of eEyeEMSClient.pem:
      sslrcscertfile /<secure_directory>/eEyeEMSClient.pem
    • Assign the keyword sslrcscafile to the location of the file <host>_eEye_EMS_CA.pem:
      sslrcscafile /<secure_directory>/<host>_eEye_EMS_CA.pem

  2. In the Endpoint Privilege Management settings file, assign the keyword rcshost to the BeyondInsight hostname exactly as it appears in this certificate.

  3. If you have not done so during the installation, set the following keywords in pb.settings on the policy server and log server hosts:
    • rcshost
    • rcswebsvcport
    • sslrcscertfile
    • sslrcscafile
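
The following check is an added example, not part of the vendor documentation or the product's own tooling: a shell audit that confirms the four keywords above are set in a settings file and that the two certificate files are not left writable or, for the client PEM, world-readable. It assumes the one-pair-per-line "keyword value" form shown above, paths without spaces, and that eEyeEMSClient.pem also holds the private key; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit the BeyondInsight keywords in an EPM-UL settings file.
# Assumes one whitespace-separated "keyword value" pair per line, as shown above,
# and paths without spaces.

# Print the value of keyword $2 in settings file $1 (last assignment wins).
get_kw() {
    awk -v k="$2" '$1 == k { v = $2; gsub(/"/, "", v) } END { print v }' "$1"
}

# Print the 10-character mode string of $1, for example -rw-------.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Record one finding: print it and bump the counter.
report() { echo "$1"; problems=$((problems + 1)); }

# Audit settings file $1; the return status is the number of findings.
check_bi_settings() {
    problems=0
    for kw in rcshost rcswebsvcport sslrcscertfile sslrcscafile; do
        val=$(get_kw "$1" "$kw")
        if [ -z "$val" ]; then
            report "MISSING  $kw is not set"
            continue
        fi
        case "$kw" in rcs*) continue ;; esac      # host and port are not file paths
        if [ ! -f "$val" ]; then
            report "NOFILE   $kw -> $val"
            continue
        fi
        mode=$(mode_of "$val")
        # Group- or world-writable: anyone in that set can swap the trust material.
        case "$mode" in
            ?????w????|????????w?) report "WRITABLE $kw -> $val ($mode)" ;;
        esac
        # Assumption: the client PEM also holds the private key, so it must not
        # be world-readable. The CA file is public and may be.
        case "$kw:$mode" in
            sslrcscertfile:???????r??) report "READABLE $kw -> $val ($mode)" ;;
        esac
    done
    return "$problems"
}

# Run the audit when a settings file path is given on the command line.
if [ "$#" -gt 0 ]; then check_bi_settings "$1"; fi
```

Run it with the path to pb.settings on each policy server and log server host; an exit status of 0 means no findings.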

To enable Endpoint Privilege Management for Unix and Linux v7.5 and above to index I/O log files:

  1. Install Solr on a server of your choice.
  2. Copy SSL certs from the Solr server to policy server and log server hosts.
    • On the Solr server, securely copy the PEM-encoded files (*.pem) from the etc directory under the Solr install directory (for example, /opt/pbul-Solr/etc) to the directories pointed to by Solrcafile, Solrclientkeyfile, and Solrclientcertfile on the desired log server and policy server hosts.
  3. If you have not done so during the installation, set the following keywords in pb.settings on the policy server and log server hosts:
    • pbreplaylog
    • Solrhost
    • Solrport
    • Solrcafile
    • Solrclientkeyfile
    • Solrclientcertfile
    • integratedproductsqueuedb
  4. Other keywords to set (common to both event log collection and I/O log indexing):
    • pbadminpath
    • guiport
    • sguiport
    • sharedlibkrb5dependencies
    • sharedlibssldependencies
    • sharedlibldapdependencies
    • sharedlibcurldependencies

For more information, see the following: