Solr Indexing and Search

As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.

There are separate tar files for Solr installation. Each log server and policy server host is able to communicate with a Solr server and submit I/O log output data for indexing. BeyondInsight and BIUL (BeyondInsight for Unix & Linux) provide a search GUI that lets users search indexed I/O logs by a selected set of variables, and also search the content of I/O log sessions using queries such as: this AND that AND NOT other OR somethingelse.

For each I/O log file, the output of pbreplay -O for that I/O log file is sent to Solr to be indexed. Some of the event log variables in the header of the I/O log are indexed as well. These variables are:

  • user
  • runuser
  • runhost
  • runcommand
  • runargv

The name of the I/O log file is also indexed, as well as the start and end time of the I/O log session.

You can add user-defined eventlog variables (defined in the policy) to the list of variables to be indexed by setting Solrvariables in pb.settings to the list of user variables defined in the policy. These variables must be named <var>_pbul.

The result displayed contains a path to the actual I/O log file, which can then be replayed using Endpoint Privilege Management for Unix and Linux GUI (this requires Endpoint Privilege Management GUI to be installed on the log server and policy server hosts where the I/O log files reside).

If I/O log indexing with Solr is enabled, the Solr index is updated when I/O logs get archived.

If a problem occurs while trying to contact the Solr server (broken connection, miscellaneous errors, etc.), an appropriate error is logged in the diagnostics log file, and the unsent I/O log file name is saved to be forwarded to the Solr server at a later time.

Endpoint Privilege Management periodically checks whether there are outstanding events older than the autofwdtime setting. If that condition is met, it launches the pbreplay admin binary to forward the I/O log data to the Solr server for indexing. The path where pbreplay resides is specified by the setting keyword pbadminpath.

Starting with Endpoint Privilege Management for Unix and Linux v10.0.0, a queue mechanism is used to process I/O logs for Solr while limiting the number of indexing processes. This mechanism is shared with the I/O Log Close action feature.
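The following is an added example, not EPM-UL code, that lints the three Solr-related pb.settings keywords described above (Solrvariables, autofwdtime and pbadminpath) so a misnamed user variable or a bad forwarding setting is caught before indexing silently fails. It assumes pb.settings uses one "keyword value" per line with # comments, that the Solrvariables value is a whitespace-separated list, and that autofwdtime is a positive integer; the sample settings text is constructed.

```python
import os

# Constructed sample pb.settings fragment (not taken from a real installation).
SAMPLE_SETTINGS = """\
# constructed sample
solrvariables   dept_pbul ticket_pbul requestor
autofwdtime     5
pbadminpath     /usr/sbin
"""


def parse_settings(text):
    """Return {keyword (lowercased): value} from pb.settings-style text.

    Assumed format: one 'keyword value...' per line, '#' starts a comment.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_solr_settings(text):
    """List settings problems that would stop variables being indexed or logs forwarded."""
    s = parse_settings(text)
    problems = []
    # Every user-defined variable listed for indexing must be named <var>_pbul
    # (the value is assumed to be a whitespace-separated list).
    for var in s.get("solrvariables", "").split():
        if not var.endswith("_pbul"):
            problems.append(f"solrvariables: {var!r} does not follow the <var>_pbul naming rule")
    # autofwdtime drives the periodic re-forwarding of unsent I/O logs;
    # assumed here to be a positive integer.
    fwd = s.get("autofwdtime")
    if fwd is None or not fwd.isdigit() or int(fwd) <= 0:
        problems.append(f"autofwdtime: expected a positive integer, got {fwd!r}")
    # pbreplay is launched from pbadminpath, so it must be an absolute directory path.
    path = s.get("pbadminpath", "")
    if not os.path.isabs(path):
        problems.append(f"pbadminpath: expected an absolute path, got {path!r}")
    return problems


if __name__ == "__main__":
    for p in check_solr_settings(SAMPLE_SETTINGS):
        print(p)
```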

For more information, see the following: