There are various audit events that can be enabled and stored within Privilege Management for Unix and Linux. These include Configuration Change Management, File Integrity Monitoring events, Advanced Keystroke Action events, and License events. These events are enabled on clients and servers, and are logged on the log server. Each type of event has a taxonomy to distinguish the type of data that it contains. There are various settings that affect the audit event log.
- Version 8.5.0 and earlier: eventdb setting not available.
- Version 9.0.0 and later: eventdb setting available.
The eventdb setting specifies where Audit events are stored on the log server when no destination has been configured for them with the eventdestinations setting. If a relative path is specified, it is resolved against the databasedir setting to derive the full path.
- Version 9.4.1 and earlier: eventdestinations setting not available.
- Version 9.4.3 and later: eventdestinations setting for Audit events available.
- Version 10.3.0 and later: eventdestinations setting for Authorization events available.
The eventdestinations setting allows the configuration of where each taxonomy of Audit events is logged. Starting in v10.3.0, this setting can also be used to configure destinations for authorization events.
eventdestinations <taxonomy>=<destination> …
| Taxonomy | Description |
| --- | --- |
| chgmgt | Configuration Change Management |
| fimrpt | File Integrity Monitoring |
| errlog | Miscellaneous error logging via REST (including ACA and user-defined errors) |
| aka | Advanced Keystroke Action |
| policydbg | Policy language debugging |
| authevt | Accept, reject, finish and keystroke events (Authorization Event Logging) |
Each destination can be a database, the local syslog service, a flat text file, or a script or binary that receives the event on standard input for processing:
- db=/path: Outputs the event to the database at the given path.
- db: Outputs the event to the database specified by the eventdb setting.
- syslog: Outputs the event to the local syslog service, using the syslog configuration in pb.settings.
- /directory/file: An absolute path to a file to which the event is appended as text in the format selected by eventformats.
- |/directory/script: Passes the event on standard input to the specified script or binary.
Within each taxonomy, one or more destinations can be specified, separated by commas. When more than one taxonomy is configured, or when Audit event destinations are combined with the Authorization Event Logging (authevt) destinations, each <taxonomy>=<destination> group is delimited by a space.
Event destinations can be combined, separated by commas, to enable logging to multiple services:
eventdestinations chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
Multiple Audit Event and Authorization Event destinations can be combined using a space delimiter:
eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
By default, all events are logged to the database specified by eventdb.
For more information, see the eventdestinations setting description under Authorization Event Logging.
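As an added example (written for this page, not BeyondTrust's own code), the following Python parses an eventdestinations line into its taxonomy groups and destination kinds, then lints it the way a reviewer of pb.settings would: unknown taxonomies, empty groups, pipe targets that are not absolute paths, and pipe scripts that are missing, not executable, or writable by other users. It accepts the license taxonomy used in the examples above even though the table does not list it. The permission checks on the pipe script are this example's own hardening assumptions (the page says only that the event is passed to the script on standard input); the paths in the sample lines are taken from the page and are not expected to exist on the host running the example.

```python
"""Parse and lint a pb.settings eventdestinations line.

Added example for this page (not BeyondTrust code). It implements the
syntax described above:  eventdestinations <taxonomy>=<destination>,...
with taxonomy groups separated by spaces and destinations by commas.
"""
import os
import stat

# Taxonomies listed on this page. 'license' is not in the page's table but
# appears in its examples, so it is accepted here too.
KNOWN_TAXONOMIES = {"chgmgt", "fimrpt", "errlog", "aka", "policydbg",
                    "authevt", "license"}


def classify_destination(token):
    """Map one destination token to (kind, target).

    kind is 'db', 'syslog', 'file' or 'pipe'; target is the path, or None
    for the default eventdb database and for syslog.
    """
    if token == "db":
        return ("db", None)
    if token.startswith("db="):
        return ("db", token[3:])
    if token == "syslog":
        return ("syslog", None)
    if token.startswith("|"):
        return ("pipe", token[1:])
    if token.startswith("/"):
        return ("file", token)
    raise ValueError("unrecognised destination: %r" % token)


def parse_eventdestinations(line):
    """Return {taxonomy: [(kind, target), ...]} for one settings line.

    Assumption: no path in the line contains whitespace, since groups are
    split on spaces exactly as the setting's syntax implies.
    """
    parts = line.split()
    if not parts or parts[0] != "eventdestinations":
        raise ValueError("not an eventdestinations line")
    result = {}
    for group in parts[1:]:
        if "=" not in group:
            raise ValueError("expected <taxonomy>=<destination>: %r" % group)
        # Split on the first '=' only: a 'db=/path' destination contains '='.
        taxonomy, dests = group.split("=", 1)
        result[taxonomy] = [classify_destination(d)
                            for d in dests.split(",") if d]
    return result


def audit_pipe_target(path):
    """Checks on the program behind a '|' destination.

    Assumption (not stated on the page): the log server executes this program
    itself, so anyone who can modify it can run code with the log server's
    privileges. It must therefore exist, be executable, and not be writable
    by group or world.
    """
    try:
        st = os.stat(path)
    except OSError:
        return ["pipe target %s does not exist on this host" % path]
    issues = []
    if not st.st_mode & stat.S_IXUSR:
        issues.append("pipe target %s is not executable" % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        issues.append("pipe target %s is group- or world-writable" % path)
    return issues


def lint_eventdestinations(line):
    """Return a list of findings; an empty list means the line looks sound."""
    findings = []
    for taxonomy, dests in parse_eventdestinations(line).items():
        if taxonomy not in KNOWN_TAXONOMIES:
            findings.append("%s: unknown taxonomy" % taxonomy)
        if not dests:
            findings.append("%s: no destination given" % taxonomy)
        for kind, target in dests:
            if kind == "pipe" and not target.startswith("/"):
                findings.append("%s: pipe target %r is not an absolute path"
                                % (taxonomy, target))
            if kind == "pipe":
                findings.extend("%s: %s" % (taxonomy, issue)
                                for issue in audit_pipe_target(target))
    return findings


if __name__ == "__main__":
    # The two example lines from this page.
    for example in (
        "eventdestinations chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog",
        "eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog",
    ):
        print(example)
        for finding in lint_eventdestinations(example) or ["no findings"]:
            print("   ", finding)
```

Run it against a copy of pb.settings before rolling a change out: the pipe-script checks are the ones that matter most, because a group- or world-writable script named in a | destination turns the audit pipeline into a code-execution path on the log server.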
- Version 9.3.3 and earlier: eventformats setting not available.
- Version 9.4.4 and later: eventformats setting available.
Events that are not logged into a database can be logged in two different formats:
- Labeled Comma Separated Values, where values take the form <attribute_name>=<value>,...
- JSON format
eventformats chgmgt=json license=csv
By default, all events are logged in JSON format.
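An added example of the program that could sit behind a |/directory/script destination (written for this page, not part of the product). The log server writes the event to the program's standard input in whichever format eventformats selects for that taxonomy, so the handler accepts both formats named above, labeled CSV (name=value,name=value,...) and JSON, and re-emits every event as one JSON object per line so a downstream collector only ever sees one format. It assumes one event per input line, and that a value in the labeled CSV form contains no comma (the page does not describe an escape for one). The attribute names in the constructed sample events are placeholders; real events carry the attributes the product emits, which this page does not list.

```python
"""Handler for a '|/directory/script' event destination.

Added example for this page, not BeyondTrust code. Reads events from
standard input in labeled CSV or JSON form and writes them out as JSON,
one object per line.
"""
import json
import sys


def parse_labeled_csv(text):
    """Parse 'name=value,name=value,...' into a dict.

    Each field is split on its first '=' so an '=' inside a value survives.
    Assumption (not stated on the page): values contain no ','.
    """
    event = {}
    for field in text.strip().split(","):
        if not field:
            continue
        name, sep, value = field.partition("=")
        if not sep:
            raise ValueError("field without '=': %r" % field)
        event[name.strip()] = value
    return event


def parse_event(text):
    """Return (format_name, dict) for one event in either format."""
    stripped = text.strip()
    if stripped.startswith("{"):
        return ("json", json.loads(stripped))
    return ("csv", parse_labeled_csv(stripped))


def normalize(stream_text):
    """Turn the text received on stdin into a list of event dicts, one per
    non-empty line, whatever format each line arrived in."""
    return [parse_event(line)[1]
            for line in stream_text.splitlines() if line.strip()]


# Constructed sample events. The attribute names (taxonomy, event, user,
# host, path) are placeholders chosen for this example, not the product's.
SAMPLE_CSV = "taxonomy=fimrpt,event=changed,user=root,host=db01,path=/etc/shadow"
SAMPLE_JSON = ('{"taxonomy": "chgmgt", "event": "policy_update", '
               '"user": "admin", "host": "pbmaster"}')


def main():
    # The log server supplies the event on stdin; emit normalized JSON lines.
    for event in normalize(sys.stdin.read()):
        sys.stdout.write(json.dumps(event, sort_keys=True) + "\n")


if __name__ == "__main__":
    main()
```

Pair the script with the matching eventformats entry for each taxonomy routed to it; if a taxonomy is switched from csv to json later, this handler keeps working because it detects the format per line rather than trusting the configuration.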