Audit Events in Endpoint Privilege Management for Unix and Linux

Audit Events

There are various audit events that can be enabled and stored within EPM-UL . These include Configuration Change Management, File Integrity Monitoring events, Advanced Keystroke Action events, and License events. These events are enabled on clients and servers, and are logged on the log server. Each type of event has a taxonomy to distinguish the type of data that it contains. There are various settings that affect the audit event log.

eventdb

Version 8.5.0 and earlier: eventdb setting not available.
Version 9.0.0 and later: eventdb setting available.

The eventdb setting details where Audit events are stored on the log server if there is no specific configuration using the eventdestinations setting. If a relative path is specified, the databasedir setting is used to derive the full path.

eventdb /mypath/pbevent.db

Default

eventdb /opt/<prefix>pbul<suffix>/dbs/pbevent.db

Used On

All hosts

eventdestinations

Version 9.4.1 and earlier: eventdestinations setting not available.
Version 9.4.3 and later: eventdestinations setting for Audit events available.
Version 10.3.0 and later: eventdestinations setting for Authorization events available.

The eventdestinations setting allows the configuration of where each taxonomy of Audit events is logged. Starting in v10.3.0, this setting can also be used to configure destinations for authorization events.

Syntax

eventdestinations <taxonomy>=<destination> …

Taxonomy	Event Type
chgmgt	Configuration Change Management
client	Client Registration
fimrpt	File Integrity Monitoring
errlog	Miscellaneous Error Logging via REST (including ACA and user-defined errors)
aka	Advanced Keystroke Action
license	License Events
policydbg	Policy Language Debugging
authevt	accept, reject, finish, keystroke events

The destination can be one or more database, syslog, flat text file, or passed into a script or binary for processing:

db=/path: Outputs the event to a database.
db: Outputs the event to the database specified in the eventdb settings
syslog: Outputs the event to the local syslog service, using the syslog configuration in pb.settings.
/directory/file: An absolute path to a file which is appended with the event in text in the specified format.
|/directory/script: Passes the event on standard input into the script or binary specified.

Within each taxonomy, one or more destinations can be specified, separated by commas. If specifying more than one taxonomy or combining with Authorization Event Logging eventdestinations option, each group should be delimited with a space.

eventdestinations chgmgt=db

Event destinations can be combined, separated by commas, to enable logging to multiple services:

eventdestinations   chmgt=db,syslog,/var/adm/pbchmgt.log

Multiple Audit Event and Authorization Event destinations can be combined using a space delimiter:

eventdestinations   chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog

eventdestinations   authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog

Default

By default, all events are logged to the database specified by eventdb.

Used On

Log servers

For more information, see eventdestinations.

eventformats

Version 9.3.3 and earlier: eventformats setting not available.
Version 9.4.4 and later: eventformats setting available.

Events that are not logged into a database can be logged in two different formats:

Labeled Comma Separated Values, where values take the form <attribute_name>=<value>,...
JSON format

eventformatschgmgt=json license=csv

Default

By default, all events are logged in JSON format.

Used On

Log servers