Audit Events

There are various audit events that can be enabled and stored within Privilege Management for Unix and Linux. These include Configuration Change Management, File Integrity Monitoring events, Advanced Keystroke Action events, and License events. These events are enabled on clients and servers, and are logged on the log server. Each type of event has a taxonomy to distinguish the type of data that it contains. There are various settings that affect the audit event log.

eventdb

  • Version 8.5.0 and earlier: eventdb setting not available.
  • Version 9.0.0 and later: eventdb setting available.

The eventdb setting details where Audit events are stored on the log server if there is no specific configuration using the eventdestinations setting. If a relative path is specified, the databasedir setting is used to derive the full path.

eventdb /mypath/pbevent.db
eventdb /opt/<prefix>pbul<suffix>/dbs/pbevent.db

All hosts

eventdestinations

  • Version 9.4.1 and earlier: eventdestinations setting not available.
  • Version 9.4.3 and later: eventdestinations setting for Audit events available.
  • Version 10.3.0 and later: eventdestinations setting for Authorization events available.

The eventdestinations setting allows the configuration of where each taxonomy of Audit events is logged. Starting in v10.3.0, this setting can also be used to configure destinations for authorization events.

eventdestinations <taxonomy>=<destination> …
  Taxonomy    Event Type
  chgmgt      Configuration Change Management
  client      Client Registration
  fimrpt      File Integrity Monitoring
  errlog      Miscellaneous Error Logging via REST (including ACA and user-defined errors)
  aka         Advanced Keystroke Action
  license     License Events
  policydbg   Policy Language Debugging
  authevt     accept, reject, finish, keystroke events

Each destination can be a database, the local syslog service, a flat text file, or a script or binary that receives the event for processing; one or more destinations may be given:

  • db=/path: Outputs the event to the database at the given path.
  • db: Outputs the event to the database specified by the eventdb setting.
  • syslog: Outputs the event to the local syslog service, using the syslog configuration in pb.settings.
  • /directory/file: An absolute path to a file; the event is appended to it as text in the format selected by eventformats.
  • |/directory/script: Passes the event on standard input to the script or binary specified.

Within each taxonomy, one or more destinations can be specified, separated by commas. When more than one taxonomy is specified, or Audit Event destinations are combined with the Authorization Event Logging (authevt) destinations, each taxonomy group is delimited with a space.

eventdestinations chgmgt=db

Event destinations can be combined, separated by commas, to enable logging to multiple services:

eventdestinations   chgmgt=db,syslog,/var/adm/pbchmgt.log

Multiple Audit Event and Authorization Event destinations can be combined using a space delimiter:

eventdestinations   chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
eventdestinations   authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog

By default, all events are logged to the database specified by eventdb.

Log servers

For more information, see the eventdestinations setting description under Authorization Event Logging.
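The syntax above (space-delimited taxonomy groups, comma-delimited destinations, and the five destination forms) is easy to get subtly wrong, and a misspelled taxonomy such as chmgt is not caught by eye. The following checker is an added example written for this page, not BeyondTrust code; it knows only the syntax documented here and assumes that a destination path contains neither a comma nor whitespace, since those are the setting's separators.

```python
"""Syntax checker for 'eventdestinations' and 'eventformats' lines.

Added example for this page; it is not BeyondTrust code and only knows the
syntax documented here. Assumption: a destination path contains neither a
comma nor whitespace, since those are the separators the setting uses.
"""

# Taxonomies from the table on this page.
TAXONOMIES = {"chgmgt", "client", "fimrpt", "errlog", "aka",
              "license", "policydbg", "authevt"}
# Formats accepted by the eventformats setting.
FORMATS = {"json", "csv"}


def classify_destination(dest):
    """Return the kind of one destination token, or raise ValueError."""
    if dest == "db":
        return "db"              # database named by the eventdb setting
    if dest.startswith("db="):
        if not dest[3:].startswith("/"):
            raise ValueError(f"db= needs an absolute path: {dest!r}")
        return "db-path"
    if dest == "syslog":
        return "syslog"
    if dest.startswith("|"):
        if not dest[1:].startswith("/"):
            raise ValueError(f"script needs an absolute path: {dest!r}")
        return "script"          # event is written to the program's stdin
    if dest.startswith("/"):
        return "file"            # appended as text in the eventformats format
    raise ValueError(f"unrecognised destination {dest!r}")


def _split_assignment(token):
    """Split '<taxonomy>=<value>' and check the taxonomy name."""
    taxonomy, sep, value = token.partition("=")
    if not sep or not value:
        raise ValueError(f"expected <taxonomy>=<value>, got {token!r}")
    if taxonomy not in TAXONOMIES:
        raise ValueError(f"unknown taxonomy {taxonomy!r}")
    return taxonomy, value


def parse_eventdestinations(line):
    """Map each taxonomy to its list of (kind, destination) pairs."""
    keyword, *groups = line.split()
    if keyword != "eventdestinations":
        raise ValueError(f"not an eventdestinations line: {line!r}")
    result = {}
    for group in groups:                       # groups are space-delimited
        taxonomy, value = _split_assignment(group)
        result[taxonomy] = [(classify_destination(d), d)
                            for d in value.split(",")]   # comma-delimited
    return result


def parse_eventformats(line):
    """Map each taxonomy to 'json' or 'csv'."""
    keyword, *groups = line.split()
    if keyword != "eventformats":
        raise ValueError(f"not an eventformats line: {line!r}")
    result = {}
    for group in groups:
        taxonomy, fmt = _split_assignment(group)
        if fmt not in FORMATS:
            raise ValueError(f"unknown format {fmt!r} for {taxonomy}")
        result[taxonomy] = fmt
    return result


def check_settings(text):
    """Return error messages for the lines this checker understands.

    Other settings lines are ignored; a misspelled taxonomy name such as
    'chmgt' is reported instead of being passed through.
    """
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("eventdestinations"):
            parser = parse_eventdestinations
        elif line.startswith("eventformats"):
            parser = parse_eventformats
        else:
            continue
        try:
            parser(line)
        except ValueError as exc:
            errors.append(f"line {lineno}: {exc}")
    return errors


if __name__ == "__main__":
    # Constructed sample: the page's examples plus one misspelled taxonomy.
    sample = """\
eventdb /opt/pbul/dbs/pbevent.db
eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
eventdestinations chmgt=db,syslog,/var/adm/pbchmgt.log
eventformats chgmgt=json license=csv
"""
    for err in check_settings(sample):
        print(err)
```

Run it against a copy of pb.settings before rolling a change out to the log servers; an unknown taxonomy or a relative script path is reported with its line number.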

eventformats

  • Version 9.3.3 and earlier: eventformats setting not available.
  • Version 9.4.4 and later: eventformats setting available.

Events that are not logged into a database can be logged in two different formats:

  • Labeled Comma Separated Values, where values take the form <attribute_name>=<value>,...
  • JSON format

eventformats chgmgt=json license=csv

By default, all events are logged in JSON format.

Log servers
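A script named as a |/directory/script destination receives each event on standard input in whichever of the two formats above is configured for that taxonomy. The reader below is an added example written for this page, not part of the product; it normalises either format into a dictionary and re-emits it as JSON. It assumes a labeled CSV event is one line of name=value pairs whose values contain no commas, because the page does not describe any quoting.

```python
"""Reader for an event delivered on standard input by a '|/path/script'
destination. Added example, not product code. Assumptions: a labeled CSV
event is a single line of name=value pairs and values contain no commas
(no quoting is described on the page, so none is handled)."""
import json
import sys


def parse_labeled_csv(text):
    """Parse 'name=value,name=value,...' into a dict; reject malformed items."""
    fields = {}
    for item in text.strip().split(","):
        name, sep, value = item.partition("=")   # value keeps any later '='
        if not sep or not name:
            raise ValueError(f"malformed field {item!r}")
        fields[name] = value
    return fields


def parse_event(text):
    """Decode one event in JSON or labeled CSV form into a dict."""
    body = text.strip()
    if not body:
        raise ValueError("empty event")
    if body.startswith("{"):
        event = json.loads(body)          # JSONDecodeError is a ValueError
        if not isinstance(event, dict):
            raise ValueError("JSON event is not an object")
        return event
    return parse_labeled_csv(body)


def is_well_formed(text):
    """True when parse_event accepts the text, False otherwise."""
    try:
        parse_event(text)
        return True
    except ValueError:
        return False


def main(stream=sys.stdin, out=sys.stdout):
    """Read one event, reject it on error, otherwise emit it as one JSON line."""
    try:
        event = parse_event(stream.read())
    except ValueError as exc:
        print(f"rejected event: {exc}", file=sys.stderr)
        return 1
    json.dump(event, out, sort_keys=True)
    out.write("\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because a destination script runs with every logged event, keep it short, make it fail loudly on input it does not understand, and give it only the permissions it needs on the log server.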