Audit Events
There are various audit events that can be enabled and stored within EPM-UL.
eventdb
- Version 8.5.0 and earlier: eventdb setting not available.
- Version 9.0.0 and later: eventdb setting available.
The eventdb setting specifies where Audit events are stored on the log server when the eventdestinations setting provides no specific configuration. If a relative path is specified, the databasedir setting is used to derive the full path.
eventdb /mypath/pbevent.db
Default
eventdb /opt/<prefix>pbul<suffix>/dbs/pbevent.db
Used On
All hosts
eventdestinations
- Version 9.4.1 and earlier: eventdestinations setting not available.
- Version 9.4.3 and later: eventdestinations setting for Audit events available.
- Version 10.3.0 and later: eventdestinations setting for Authorization events available.
The eventdestinations setting allows the configuration of where each taxonomy of Audit events is logged.
Syntax
eventdestinations <taxonomy>=<destination> …
Taxonomy | Event Type |
---|---|
chgmgt | Configuration Change Management |
client | Client Registration |
fimrpt | File Integrity Monitoring |
errlog | Miscellaneous Error Logging via REST (including ACA and user-defined errors) |
aka | Advanced Keystroke Action |
license | License Events |
policydbg | Policy Language Debugging |
authevt | accept, reject, finish, keystroke events |
The destination can be one or more of the following: a database, syslog, a flat text file, or a script or binary that the event is passed to for processing:
- db=/path: Outputs the event to a database.
- db: Outputs the event to the database specified in the eventdb setting.
- syslog: Outputs the event to the local syslog service, using the syslog configuration in pb.settings.
- /directory/file: An absolute path to a file which is appended with the event in text in the specified format.
- |/directory/script: Passes the event on standard input into the script or binary specified.
Within each taxonomy, one or more destinations can be specified, separated by commas. If specifying more than one taxonomy, or combining with the Authorization Event Logging eventdestinations option, each group should be delimited with a space.
eventdestinations chgmgt=db
Event destinations can be combined, separated by commas, to enable logging to multiple services:
eventdestinations chgmgt=db,syslog,/var/adm/pbchmgt.log
Multiple Audit Event and Authorization Event destinations can be combined using a space delimiter:
eventdestinations chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
Default
By default, all events are logged to the database specified by eventdb.
Used On
Log servers
For more information, see eventdestinations.
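The following added example (not part of the product or its documentation) lints an eventdestinations line against the syntax and taxonomy table above, so a misspelled taxonomy or a relative file path is caught in review before the settings file is deployed. The function names are hypothetical, the linter assumes paths contain no whitespace, and reporting an unknown taxonomy as a problem is the linter's choice rather than documented product behavior.

```python
# Added example: lint one eventdestinations line against the documented syntax.
# Assumption: paths contain no whitespace (groups are space-delimited).
TAXONOMIES = {"chgmgt", "client", "fimrpt", "errlog", "aka",
              "license", "policydbg", "authevt"}

def classify(dest):
    """Return the destination kind, or None if it matches no documented form."""
    if dest == "db":
        return "eventdb"            # database named by the eventdb setting
    if dest.startswith("db="):
        return "database" if dest[3:] else None
    if dest == "syslog":
        return "syslog"
    if dest.startswith("|/"):
        return "pipe"               # event passed on stdin to a script/binary
    if dest.startswith("/"):
        return "file"               # absolute path, appended to
    return None

def lint_eventdestinations(line):
    """Return (parsed, problems) for a single setting line."""
    tokens = line.split()
    if not tokens or tokens[0] != "eventdestinations":
        return {}, ["line does not start with 'eventdestinations'"]
    parsed, problems = {}, []
    for group in tokens[1:]:
        taxonomy, sep, dests = group.partition("=")
        if not sep:
            problems.append(f"{group!r}: expected <taxonomy>=<destination>")
            continue
        if taxonomy not in TAXONOMIES:
            problems.append(f"{taxonomy!r}: unknown taxonomy")
        parsed[taxonomy] = []
        for dest in dests.split(","):
            kind = classify(dest)
            if kind is None:
                problems.append(f"{taxonomy}: unrecognized destination {dest!r}")
            parsed[taxonomy].append((kind, dest))
    return parsed, problems

if __name__ == "__main__":
    # Constructed sample lines: the second has a misspelled taxonomy and a relative path.
    for sample in ("eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process",
                   "eventdestinations chgmt=db license=logs/lic.log"):
        print(sample, "->", lint_eventdestinations(sample)[1])
```

Any destination classified as "pipe" or "file" is worth a follow-up check of ownership and permissions on the target path, since audit events flow through it.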
eventformats
- Version 9.3.3 and earlier: eventformats setting not available.
- Version 9.4.4 and later: eventformats setting available.
Events that are not logged into a database can be logged in two different formats:
- Labeled Comma Separated Values, where values take the form <attribute_name>=<value>,...
- JSON format
eventformats chgmgt=json license=csv
Default
By default, all events are logged in JSON format.
Used On
Log servers