Event Logs

Get Event Destinations

Retrieve the list of current Event Log destinations. The response reports only the current settings, but it lists every destination option; a destination whose value is "null" or "false" is disabled.

GET https://<host>:24351/REST/v2.0/events/destinations?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events/destinations
Response

{
  "destinations": {
    "db": "/var/log/pb.eventlog.db",
    "ff": "/tmp/pb.eventlog",
    "prog": null,
    "odbc": "MySQL",
    "syslog": false
  }
}

Event Log Get

Retrieves the specified event log.

GET https://<host>:24351/REST/v2.0/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events
Response

{
  "events": [
    {
      "recnum": 2,
      "uniqueid": "c0a8108a5d0cce5b7239",
      "etype": "A",
      "epoch": "2019-06-21 18:03:52",
      "submituser": "root",
      "submithost": "pbuild",
      "runuser": "root",
      "runhost": "pbuild",
      "runcommand": "id",
      "exitstatus": null
    }
  ]
}

Filtered/Paged Events

Retrieve events from the data source, with paging and filter attributes. This is slow on flat-file event logs, because the events are scanned sequentially from the first record up to the limit (or the end of the file); on database and ODBC sources it should be instantaneous.

from=<date>
    Match events after/from <date> (in time_t epoch, YYYY/MM/DD, or full "YYYY/MM/DD HH:MM:SS" format).

to=<date>
    Match events before/to <date> (in time_t epoch, YYYY/MM/DD, or full "YYYY/MM/DD HH:MM:SS" format).

start=<start_recnum>
    When the eventlog is a database (db, odbc), this is the recnum of the first record to return. The recnum is returned by previous calls or can be any known value.
    For a flatfile eventlog, this filter returns the events after 'start' number of events.

end=<end_recnum>
    The recnum of the last record to return. The recnum is returned by previous calls or can be any known value.

offset=<offset>
    When the eventlog is a database, the filter retrieves the events after 'offset' number of events.
    When the eventlog is a flat file, offset is the position in the file and should be the end of an event. Offsets for a flatfile are returned by previous calls. It is optional, but greatly speeds up retrieval if provided.

verbose=0|1
    By default (verbose=0) only the common attributes are returned. If verbose is set (verbose=1), the complete event is returned.

limit=<number_of_rows>
    Maximum number of records returned. The default is 32768, or 512 if verbose is set, to stop massive result sets being returned by default.

order=<field>
    Attribute to sort the data by, for example epoch to get records in date order, or recnum to retrieve them in logged order.
    Applicable only when the eventlog is a database.

orderdirection=asc|desc
    Sort direction, "asc" or "desc".
    Applicable only when the eventlog is a database.

dump=0|1
    When set (dump=1), accept and finish events are retrieved as separate records. Default value: dump=0.

Filters available from EPM-UL version 21.1: uniqueid, etype, runhost, submithost, runuser, submituser, runcommand, exitstatus

etype=[A|R|K]
    Event type: 'A'ccept, 'R'eject or 'K'eystroke events respectively.

[runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>
    Wildcard-matched attributes that filter the events by the value specified.

Example:

pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=[A|R|K] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>

Finish events (etype=F) can be retrieved only when dump=1:

pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events etype=F dump=1 [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<value>

recnum is returned for every retrieved record and can be used as the next start. Flat-file searches also return offset, which can be used in subsequent requests.

To fetch events in batches, use the offset attribute for a database eventlog and the start attribute for a flatfile.

If you know the file offset of the previous record in a flatfile eventlog, pass offset=<fileoffset> to get the next set of events; otherwise use start=<count of events> to fetch the events in batches. The file offset of a flatfile eventlog is returned by previous REST calls.

Example:

In an eventlog database, to fetch the 3rd batch of events with a batchsize of 100, use the API as below.

pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events offset=200 limit=100

In a flatfile eventlog, to fetch the 3rd batch of events with the batch size of 100, use the API as below.

pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events start=200 limit=100

The following is the syntax of a REST call with all the attributes and filters:

pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events order=<field> orderdirection=[asc|desc] limit=<number_of_rows> start=<start_recnum> end=<end_recnum> offset=<offset> from=<from_date> to=<to_date> verbose=[1|0] dump=[1|0] etype=[A|R|K|F] [runhost|submithost|runuser|submituser|runcommand|exitstatus]=<*>
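As an added example (not BeyondTrust's own client code), the following Python builds a filtered events query from the attributes above and walks the results in batches, applying the paging rule the page gives: offset=<count> for a database eventlog and start=<count> for a flatfile. It assumes the caller already holds a valid appid/timestamp/hmac for the request (how the hmac is derived from the key is not covered on this page, so it is passed in as an opaque string), and that fetch(url) is any callable that performs the GET and returns the decoded JSON body. The names fetch_all, filter_problems, build_events_url, fake_fetch, SAMPLE_EVENTS, REQUEST_LOG and the appid "restapp" are this example's own; the sample events are constructed, not captured from a real system.

```python
"""Build filtered /REST/v2.0/events queries and page through the results.
Added example, not BeyondTrust code; auth values and sample data are assumed."""
from urllib.parse import urlencode, urlparse, parse_qs

ETYPES = {"A", "R", "K", "F"}
DB_ONLY = {"order", "orderdirection"}          # only meaningful for db/odbc sources
MATCH_FIELDS = {"runhost", "submithost", "runuser", "submituser",
                "runcommand", "exitstatus"}   # wildcard-matched attributes


def filter_problems(source, **filters):
    """Return the reasons a filter set is invalid (empty list when it is fine)."""
    problems = []
    if source not in ("db", "odbc", "ff"):
        problems.append(f"unknown source format {source!r}")
    if source == "ff" and DB_ONLY.intersection(filters):
        problems.append("order/orderdirection apply only to database eventlogs")
    etype = filters.get("etype")
    if etype is not None and etype not in ETYPES:
        problems.append("etype must be one of A, R, K or F")
    if etype == "F" and filters.get("dump") != 1:
        problems.append("finish events (etype=F) require dump=1")
    if filters.get("orderdirection") not in (None, "asc", "desc"):
        problems.append("orderdirection must be asc or desc")
    if source == "ff" and "file" not in filters:
        problems.append("a flatfile source needs file=<file>")
    if source == "odbc" and "dsn" not in filters:
        problems.append("an ODBC source needs dsn=<DSN>")
    return problems


def build_events_url(host, auth, source="db", **filters):
    """Return the GET URL for the events endpoint with the given filters.
    auth is a dict holding appid, timestamp and hmac (assumed precomputed)."""
    problems = filter_problems(source, **filters)
    if problems:
        raise ValueError("; ".join(problems))
    params = dict(auth)            # appid, timestamp, hmac go first
    if source != "db":             # db is the default format and may be omitted
        params["format"] = source
    params.update(filters)
    return f"https://{host}:24351/REST/v2.0/events?{urlencode(params)}"


def fetch_all(fetch, host, auth, source="db", batch_size=100, **filters):
    """Collect every matching event, requesting batch_size records at a time.
    A database eventlog pages with offset=<count>, a flatfile with start=<count>;
    the walk stops as soon as a batch comes back short."""
    page_key = "start" if source == "ff" else "offset"
    skipped, events = 0, []
    while True:
        page = {page_key: skipped, "limit": batch_size}
        url = build_events_url(host, auth, source, **page, **filters)
        batch = fetch(url).get("events", [])
        events.extend(batch)
        if len(batch) < batch_size:
            return events
        skipped += len(batch)


# --- Offline stand-in for the REST service (constructed sample data) --------
SAMPLE_EVENTS = [
    {"recnum": n, "etype": "R" if n % 3 == 0 else "A", "submituser": "root",
     "runhost": "pbuild", "runcommand": "bash" if n % 3 == 0 else "id"}
    for n in range(1, 251)
]
REQUEST_LOG = []                    # every URL the fake service was asked for


def fake_fetch(url):
    """Serve SAMPLE_EVENTS the way the endpoint would for offset/start/limit/etype."""
    REQUEST_LOG.append(url)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    skip = int(q.get("offset", q.get("start", "0")))
    limit = int(q.get("limit", "32768"))
    rows = [e for e in SAMPLE_EVENTS
            if "etype" not in q or e["etype"] == q["etype"]]
    return {"events": rows[skip:skip + limit]}


if __name__ == "__main__":
    auth = {"appid": "restapp", "timestamp": "1561140232", "hmac": "HMAC_PLACEHOLDER"}
    rejects = fetch_all(fake_fetch, "pbuild", auth, "db", 100, etype="R")
    print(len(rejects), "reject events in", len(REQUEST_LOG), "requests")
```

Replacing fake_fetch with a function that performs the HTTPS GET turns fetch_all into a working collector; keeping the validation in filter_problems means a request that would be silently wrong on the server side (etype=F without dump=1, order on a flat file) is rejected before it is sent.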

Other attributes are format, file and dsn; the following section describes them.

List Events by Eventdestination

For SQLite DB

GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db

or omit the format attribute, since db is the default.

To retrieve events from a specific SQLite database file,

GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=db&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=db file=<file>

For ODBC

You must set the DSN.

GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=odbc&dsn=<DSN>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=odbc dsn=<DSN>

For Flat File

You must set the file name.

GET https://<host>:24351/REST/v2/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>&format=ff&file=<file>
pbrestcall -a <appid> -k <key> -l -X GET https://<host>:24351/REST/v2/events format=ff file=<file>
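As an added example (not BeyondTrust's own code), the following Python ties the "Get Event Destinations" response to the format/file/dsn attributes this section requires: it keeps only the destinations that are not null or false and, for each, produces the attribute set for a List Events call. It assumes that the db and ff destination values are the file to pass as file=<file>, that the odbc value is the DSN to pass as dsn=<DSN>, and that prog and syslog, which have no format value on this page, cannot be read back this way. The names enabled_destinations, events_query_params, READABLE and SAMPLE_DESTINATIONS are this example's own, and the sample response is constructed from the shape shown above.

```python
"""Turn the destinations response into List Events query attributes.
Added example, not BeyondTrust code; the value-to-attribute mapping is assumed."""
import json

# Constructed response in the shape shown under "Get Event Destinations".
SAMPLE_DESTINATIONS = json.dumps({"destinations": {
    "db": "/var/log/pb.eventlog.db",
    "ff": "/tmp/pb.eventlog",
    "prog": None,
    "odbc": "MySQL",
    "syslog": False,
}})

# format value -> attribute that must accompany it on the events endpoint
READABLE = {"db": "file", "ff": "file", "odbc": "dsn"}


def enabled_destinations(body):
    """Return {name: value} for every destination not reported as null/false."""
    dests = json.loads(body)["destinations"]
    return {name: value for name, value in dests.items()
            if value not in (None, False)}


def events_query_params(body):
    """Map each enabled destination to the attributes for a List Events call.
    Returns (queries, unreadable): queries holds one parameter dict per
    destination the events endpoint can read (db, ff, odbc); unreadable lists
    the enabled destinations (prog, syslog) that have no format value here."""
    queries, unreadable = [], []
    for name, value in enabled_destinations(body).items():
        if name in READABLE:
            queries.append({"format": name, READABLE[name]: value})
        else:
            unreadable.append(name)
    return queries, unreadable


if __name__ == "__main__":
    for query in events_query_params(SAMPLE_DESTINATIONS)[0]:
        print(" ".join(f"{k}={v}" for k, v in query.items()))
```

Each dict in queries is exactly the trailing "format=... file=..." or "format=odbc dsn=..." part of the pbrestcall lines above, so an audit job can read back every active destination without hard-coding paths.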

You can also use the older version of the API, which has limited filters, for a flat file.

GET https://pbuild:24351/REST/events?appid=<appid>&timestamp=<timestamp>&hmac=<hmac>
RESPONSE

{"time":0,
 "events":[
  {"runuser":"root","id":"c0a8108a52775f9781521","time":"08:49:27","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["typeset","x","SHELL","PATH","HOME"],"runhost":"pbuild","date":"2013/11/04","user":"root","exitstatus":"local shellbuiltin","runargv":["typeset","-x","SHELL","PATH","HOME"]},
  {"runuser":"root","id":"c0a8108a528ce1a0462F","time":"16:21:52","masterhost":"pbuild","submithost":"pbuild","event":"Reject","argv":["bash"],"runhost":"pbuild","date":"2013/11/20","user":"root","exitstatus":"","runargv":["bash"]},
  {"runuser":"root","id":"c0a8108a5285f5d350FE","time":"10:22:11","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["pbguid","policy"],"runhost":"pbuild","date":"2013/11/15","user":"root","exitstatus":"Authorized","runargv":["pbguid","policy"]},
  {"runuser":"ctaylor","id":"c0a8108a528ce3414793","time":"16:28:49","masterhost":"pbuild","submithost":"pbuild","event":"Accept","argv":["CSV","ctaylor","udev","bash#csh"],"runhost":"192.168.16.138","date":"2013/11/20","user":"ctaylor","exitstatus":"Command finished with exit status 0","runargv":["echo",""]},
  ...

To filter the events, the following parameters can be passed to this REST endpoint.

accept=0|1 (default=1) Return Accept events
reject=0|1 (default=1) Return Reject events
keystroke=0|1 (default=1) Return events that resulted in an IO Log

These three filters are combined with a logical "OR", so all three should be specified to limit the events returned.