Event Logs
Get Event Destinations
Retrieve a list of the current Event Log destinations. This reports only the current settings, but includes every available destination option; an attribute whose value is "null" or "false" is disabled.
GET https://<host>:24351/REST/v2.0/events/destinations?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events/destinations
Response {"destinations": {"db": "/var/log/pb.eventlog.db", "ff": "/tmp/pb.eventlog", "prog": null, "odbc": "MySQL", "syslog": false } }
Event Log Get
Retrieves the specified event log.
GET https://<host>:24351/REST/v2.0/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events
Response {"events": [ { "recnum": 2, "uniqueid": "c0a8108a5d0cce5b7239", "etype": "A", "epoch":"2019-06-21 18:03:52", "submituser": "root", "submithost": "pbuild", "runuser": "root", "runhost": "pbuild", "runcommand": "id", "exitstatus": null } ] }
Filtered/Paged Events
Retrieve events from the data source, with paging and filter attributes. On a flat-file event log this is slow, because every event is scanned sequentially from the first record up to the limit (or the end of the file); on database and ODBC sources it should be instantaneous.
| Filter | Description |
|---|---|
| from | Match events after/from <date> (time_t epoch, YYYY/MM/DD, or the full "YYYY/MM/DD HH:MM:SS" format) |
| to | Match events before/to <date> (time_t epoch, YYYY/MM/DD, or the full "YYYY/MM/DD HH:MM:SS" format) |
| start | When the eventlog is a database (db, odbc), the recnum of the first record to return. The recnum is returned by previous calls or can be any known value. For a flat-file eventlog, this filter returns the events after 'start' number of events. |
| end | The recnum of the last record to return. The recnum is returned by previous calls or can be any known value. |
| offset | When the eventlog is a database, retrieves the events after 'offset' number of events. When the eventlog is a flat file, offset is the position in the file and should be the end of an event; offsets for a flat file can be learned from previous calls. It is optional, but greatly speeds up retrieval when provided. |
| verbose=0\|1 | By default only the common attributes are returned; if verbose=1, the complete event is returned. Default=0 |
| limit | Limit on the number of records returned. The default is 32768, or 512 if verbose is set, to stop massive result sets being returned by default. |
| order | Attribute to order the results by, for example epoch for date order or recnum for logged order. Applicable only when the eventlog is a database. |
| orderdirection=asc\|desc | Sort direction, "asc" or "desc". Applicable only when the eventlog is a database. |
| dump=0\|1 | When set (dump=1), retrieves accept and finish events separately. Default: dump=0. Filter available from EPM-UL version 21.1 |
| uniqueid, etype, runhost, submithost, runuser, submituser, runcommand, exitstatus | etype=[A\|R\|K] selects 'A'ccept, 'R'eject and 'K'eystroke events respectively. [runhost\|submithost\|runuser\|submituser\|runcommand\|exitstatus]=<value> are wildcard-matched attributes that filter the events on the specified value. |

Example:
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=[A|R|K] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>
Finish events (etype=F) can be retrieved only when dump=1:
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=F dump=1 [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>
recnum is returned for every retrieved record and can be used as the next start. Flat-file searching also returns an offset that can be used in subsequent requests.
To fetch events in batches, use the offset attribute for a database eventlog and the start attribute for a flat file.
For a flat-file eventlog, if you know the file offset of the previous record (it is returned by earlier REST calls), pass offset=<fileoffset> to get the next set of events; otherwise use start=<count of events already fetched> to fetch the events in batches.
Example:
In an eventlog database, to fetch the 3rd batch of events with a batch size of 100, use the API as below.
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events offset=200 limit=100
In a flatfile eventlog, to fetch the 3rd batch of events with the batch size of 100, use the API as below.
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events start=200 limit=100
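The batching rules above (offset for a database source, start or a returned file offset for a flat file) are easy to get wrong when written by hand for each call, so here is an added Python example that drives them in a loop. It is not part of the BeyondTrust documentation or product. It assumes that pbrestcall prints the raw JSON response on stdout and that a flat-file search returns the next file offset as a top-level "offset" field of the response (the page says only that an offset is returned); the in-memory stand-in server and its fixed 64-byte record size are constructed here purely so the paging logic can run offline.

```python
"""Batched retrieval of PMUL event-log records through the v2 /events endpoint.

Added example, not vendor code. Assumptions: pbrestcall emits the JSON response
on stdout; a flat-file response carries the next file offset in a top-level
"offset" field.
"""
import json
import subprocess
from typing import Callable, Dict, Iterator, List

Event = Dict[str, object]
Fetch = Callable[[Dict[str, str]], Dict[str, object]]


def pbrestcall_fetch(appid: str, key: str, host: str) -> Fetch:
    """Return a fetch function that delegates request signing to the vendor CLI,
    exactly as the documented command line does: filters become key=value args."""
    def fetch(params: Dict[str, str]) -> Dict[str, object]:
        cmd = ["pbrestcall", "-a", appid, "-k", key, "-l", "-X", "GET",
               f"https://{host}:24351/REST/v2/events"]
        cmd += [f"{k}={v}" for k, v in params.items()]
        out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
        return json.loads(out)  # assumption: the CLI prints the raw JSON response
    return fetch


def iter_events(fetch: Fetch, flatfile: bool, batch_size: int = 100,
                **filters: object) -> Iterator[Event]:
    """Yield every matching event, requesting batch_size records per call.

    Database/ODBC source: offset = number of events already consumed, so the
    third batch of 100 is offset=200 limit=100.
    Flat-file source: start = number of events already consumed, unless the
    previous response supplied a file offset, in which case offset=<fileoffset>
    lets the server skip the sequential scan from the top of the file.
    """
    consumed = 0
    file_offset = None
    while True:
        params = {k: str(v) for k, v in filters.items()}
        params["limit"] = str(batch_size)
        if not flatfile:
            params["offset"] = str(consumed)
        elif file_offset is not None:
            params["offset"] = str(file_offset)
        else:
            params["start"] = str(consumed)
        resp = fetch(params)
        batch = resp.get("events") or []
        yield from batch
        consumed += len(batch)
        if flatfile and resp.get("offset") is not None:
            file_offset = resp["offset"]
        if len(batch) < batch_size:
            return  # short (or empty) batch: nothing more to fetch


def fetch_all(fetch: Fetch, flatfile: bool, batch_size: int = 100,
              **filters: object) -> List[Event]:
    return list(iter_events(fetch, flatfile, batch_size, **filters))


def make_fake_source(events: List[Event], flatfile: bool) -> Fetch:
    """Constructed in-memory stand-in for the server (not the real product), so the
    paging logic can be exercised offline. Flat-file events are assumed to occupy
    a fixed REC bytes each, so a file offset maps back to an event index."""
    REC = 64

    def fetch(params: Dict[str, str]) -> Dict[str, object]:
        fetch.calls.append(dict(params))  # record what was requested, for inspection
        limit = int(params.get("limit", 32768))
        if flatfile:
            first = (int(params["offset"]) // REC if "offset" in params
                     else int(params.get("start", 0)))
        else:
            first = int(params.get("offset", 0))
        page = [e for e in events
                if "etype" not in params or e["etype"] == params["etype"]]
        page = page[first:first + limit]
        resp: Dict[str, object] = {"events": page}
        if flatfile:
            resp["offset"] = (first + len(page)) * REC  # end of the last event returned
        return resp

    fetch.calls = []
    return fetch


if __name__ == "__main__":
    # Constructed sample log: 250 accept events, recnum 1..250.
    sample = [{"recnum": i, "etype": "A", "runcommand": "id"} for i in range(1, 251)]
    db = make_fake_source(sample, flatfile=False)
    print(len(fetch_all(db, flatfile=False)), "events in", len(db.calls), "db calls")
    ff = make_fake_source(sample, flatfile=True)
    print(len(fetch_all(ff, flatfile=True)), "events in", len(ff.calls), "flat-file calls")
```

Against a real server, replace make_fake_source with pbrestcall_fetch(appid, key, host) and pass the page's filters as keyword arguments, e.g. fetch_all(fetch, flatfile=False, batch_size=100, etype="R", runuser="root"). The loop stops on the first short batch, so a final batch that happens to be exactly batch_size long costs one extra, empty request; that is preferable to trusting a count the response does not provide.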
The following is the syntax of a REST call with all the attributes and filters:
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events order=<field> orderdirection=[asc|desc] limit=<number_of_rows> start=<start_recnum> end=<end_recnum> offset=<offset> from=<from_date> to=<to_date> verbose=[1|0] dump=[1|0] etype=[A|R|K|F] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<*>
Other attributes include format, file and dsn; the following section describes them.
List Events by Eventdestination
For SQLite DB
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db
or omit format entirely, since db is the default.
To retrieve events from a specific SQLite database file,
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db file=<file>
For ODBC
You must set the DSN.
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=odbc&dsn=<DSN>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=odbc dsn=<DSN>
For Flat File
You must set the file name.
GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=ff&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=ff file=<file>
You can also use the older, unversioned form of the API, which supports only a limited set of filters, for a flat file.
GET https://pbuild:24351/REST/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE {"time":0,"events":[{"runuser":"root","id":"c0a8108a52775f9781521","time":"08:49:27","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["typeset","x","SHELL","PATH","HOME"],"runhost":"pbuild","date":"2013/11/04","user":"root","exitstatus":"local shellbuiltin","runargv":["typeset","-x","SHELL","PATH","HOME"]},{"runuser":"root","id":"c0a8108a528ce1a0462F","time":"16:21:52","masterhost":"pbuild","submithost":"pbuild","event":"Reject","argv":["bash"],"runhost":"pbuild","date":"2013/11/20","user":"root","exitstatus":"","runargv":["bash"]},{"runuser":"root","id":"c0a8108a5285f5d350FE","time":"10:22:11","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["pbguid","policy"],"runhost":"pbuild","date":"2013/11/15","user":"root","exitstatus":"Authorized","runargv":["pbguid","policy"]},{"runuser":"ctaylor","id":"c0a8108a528ce3414793","time":"16:28:49","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["CSV","ctaylor","udev","bash#csh"],"runhost":"192.168.16.138","date":"2013/11/20","user":"ctaylor","exitstatus":"Command finished with exit status 0","runargv":["echo",""]}, ...
To filter the events, the following parameters can be passed to this REST endpoint.

| Filter | Description |
|---|---|
| accept=0\|1 | (default=1) Return Accept events |
| reject=0\|1 | (default=1) Return Reject events |
| keystroke=0\|1 | (default=1) Return events that resulted in an IO Log |

These three filters are combined with a logical OR, and each defaults to 1, so to restrict the result you should specify all three (for example accept=1 reject=0 keystroke=0) rather than only the type you want.