Authorization Event Logging

EPM-UL records the following authorization events in the event log file on the log host or Policy Server host (if not using a log server):

  • Accept and Reject events (including policy variables) for all tasks.
  • Keystroke patterns set by keystrokeactions, and task finish information for jobs that are not run in local mode. The event log can be reviewed through the EPM-UL GUI or with the pblog command.

The event log is stored in a flat file whose path may be defined by the eventlog variable in the policy, eventdestinations setting, or eventlog setting.

Store Eventlog Records in a Database

SQLite Database

Starting with v10.3.0, event log records can be written to an SQLite database using the setting below which can optionally accept a path name:

eventdestinations authevt=db[=</path/to/database>]

If no specific file is given, the path in the eventlog variable is used, with .db appended if the filename does not already end in .db.

This is the default eventlog type for EPM-UL v10.3.0, v10.3.1, and v10.3.2.

The pblog program will automatically detect if an eventlog is an SQLite database and read it accordingly. To force the SQLite database read mode, use the pblog option "--db".

For more information, see eventdestinations.

MySQL and Oracle Database using ODBC Connectors

Starting with v10.3.0, event log records can be sent to an Oracle or MySQL database using the ODBC connector on the log server.

If eventdestinations is set to authevt=odbc=<MyDSN>, the event log records are logged to the ODBC DSN named in the setting, as defined in the ODBC configuration files. The value of eventlog in pb.settings is ignored; the records are written to the ODBC DSN defined in odbc.ini and odbcinst.ini in the odbcinidir directory (default /opt/pbul/etc). If the eventlog variable is defined in the policy, the event log records are written both to the path and file named in the policy (in flat file format) and to the ODBC database. To read the MySQL/Oracle database with pblog, use the option --odbc -f <MyDSN>.

Event destinations can be combined, using commas, to enable logging to multiple services.

eventdestinations authevt=db,odbc=MySQL,/var/log/eventlog.flatfile

The setting anydestinationsufficient controls how the events are written to multiple destinations:

  • If set to no (default), the event must be written to all defined destinations (db, odbc, flat-file) before it is removed from the message queue. If one destination is down, the event stays on the message queue until it has been successfully written to every destination. Because the retry writes to every destination again, a destination that already accepted the event (a flat file, for example) may receive a duplicate record.

  • If set to yes, EPM-UL attempts to write each event to every destination. If the write to at least one destination succeeds, the event is removed from the queue and processing moves on to the next event, even though the other destinations failed.

In a BeyondInsight integrated environment, EPM-UL can optionally send the events to BeyondInsight Web Services. Events can then be viewed on BeyondInsight GUI and can also be queried using the standard BeyondInsight report plug-in.

For more information, see the following:

eventdestinations

  • Version 9.4.1 and earlier: eventdestinations setting not available.
  • Version 9.4.3 and later: eventdestinations setting for Audit events available.
  • Version 10.3.0 and later: eventdestinations setting for Authorization events available.

The eventdestinations setting allows the configuration of where events are logged. Prior to v10.3.0, this setting is used only for audit events. Starting in v10.3.0, it has been augmented to support authorization event logging using the keyword authevt.

For more information about configuring eventdestinations setting for audit events, see Audit Events.

Syntax

eventdestinations authevt=<destination>

Where destination is one, or a comma-separated combination, of the following: a database, syslog, a flat file, or a script or binary that receives the events for processing:

  • db: Write the event log records to an SQLite database whose path is specified in the eventlog setting.
  • db=/path/to/database.db: Write the event log records to the named SQLite database.
  • /path/to/flatfile: Write the event log records to flat file.
  • odbc=DSN: Log the event records to the configured ODBC DSN (Data Source Name).
  • syslog: Write the event log records to the local syslog service, using the syslog configuration in pb.settings.
  • |/path/to/script: Will log the event to the script or binary specified.

If eventdestinations is omitted or commented out in the settings, EPM-UL defaults to using flat file eventlog format.

Within the authevt group, any combination of destination types can be specified, separated by commas. When combining with audit event groups, each group is delimited by a space.

authevt Usage

authevt=db

The path of the default database is taken from the eventlog setting, or defaults to /{var|usr}/{adm|log}/pb.eventlog.db when that setting is absent.

If the eventlog variable is defined in the policy, then the event log records are written to both the path and file in the policy (in flat file format), and the path/file defined by the eventlog setting (in SQLite database format).

If eventlog in pb.settings is set to a filename without .db at the end, a .db is implicitly added. For example, if eventlog is set to /var/log/pb_event_file, the file name is changed to /var/log/pb_event_file.db.

authevt=db=/path/to/database.db

This option lets you name a specific database file directly in the eventdestinations setting.

The value of eventlog in pb.settings is ignored. When writing the event log records the path/file is /path/to/database.db. If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in flat file format), and the path/file defined by this setting in SQLite database format.

authevt=/path/to/flatfile

This option logs events in the flat-file format specified in the setting.

The value of eventlog in pb.settings is ignored, and the file name (/path/to/flatfile) is used when writing the event log records.

If the eventlog variable is defined in the policy, then the flat-file event log is created using that path instead of the value (/path/to/flatfile) specified in this setting.

authevt=odbc=MyDSN

This option logs events to the ODBC DSN specified in the setting and found in the ODBC configuration files.

The value of eventlog in pb.settings is ignored, and the event log records are written to the ODBC DSN set in odbc.ini and odbcinst.ini in the directory odbcinidir (or default /opt/pbul/etc).

If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in the flat file format), and in the ODBC database.

authevt=syslog

This option logs events to the local host's syslog service in JSON format.

authevt=|/path/to/script

This option logs events to a script or binary in JSON format.

To avoid running out of resources under heavy load when authorization events are sent to a program (eventdestinations authevt=|program), pblighttpd-svc must be started with NOFILES and NPROC (at least) set to unlimited.

For more information, see pblighttpd Service.

eventdestinations authevt=db

Event destinations can be combined, separated by commas, to enable logging to multiple services:

eventdestinations authevt=db,/var/adm/pb.eventlog.flat,odbc=MySQL,syslog

Authorization Event and Audit Event destinations can be combined using a space delimiter:

eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
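The following is an added example, written for this page rather than taken from EPM-UL, that parses an eventdestinations value and applies the path rules from the authevt usage above: the .db suffix for authevt=db, the eventlog setting being ignored when an explicit path or DSN is given, the extra flat-file copy when the policy defines the eventlog variable, and the file pblog opens when given no filename. DEFAULT_EVENTLOG, the Destination class and the function names are the example's own; how a syslog- or script-only group interacts with the policy eventlog variable, and which path pblog picks when several are explicit, are assumptions the page does not settle.

```python
# Added example (not EPM-UL code): resolve where authorization events land
# for a given eventdestinations value, eventlog setting and policy eventlog
# variable, following the path rules described on this page.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_EVENTLOG = "/var/log/pb.eventlog"   # assumption: one of the OS defaults


@dataclass
class Destination:
    kind: str                      # "db", "flatfile", "odbc", "syslog" or "script"
    target: Optional[str] = None   # path, DSN or program, where the kind has one


def parse_authevt(eventdestinations: Optional[str]) -> List[Destination]:
    """Parse the authevt= group: groups are space-delimited, destinations
    inside a group comma-delimited. [] means no authevt= group was given."""
    if not eventdestinations:
        return []
    for group in eventdestinations.split():
        if not group.startswith("authevt="):
            continue
        dests = []
        for item in group[len("authevt="):].split(","):
            item = item.strip()
            if not item:
                continue
            if item == "db":
                dests.append(Destination("db"))
            elif item.startswith("db="):
                dests.append(Destination("db", item[len("db="):]))
            elif item.startswith("odbc="):
                dests.append(Destination("odbc", item[len("odbc="):]))
            elif item == "syslog":
                dests.append(Destination("syslog"))
            elif item.startswith("|"):
                dests.append(Destination("script", item[1:]))
            elif item.startswith("/"):
                dests.append(Destination("flatfile", item))
            else:
                raise ValueError(f"unrecognised authevt destination: {item!r}")
        return dests
    return []


def with_db_suffix(path: str) -> str:
    """authevt=db appends .db to the eventlog path unless it already ends in .db."""
    return path if path.endswith(".db") else path + ".db"


def resolve_outputs(eventdestinations: Optional[str],
                    eventlog_setting: Optional[str] = None,
                    policy_eventlog: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return the (kind, target) pairs authorization events are written to."""
    eventlog = eventlog_setting or DEFAULT_EVENTLOG
    dests = parse_authevt(eventdestinations)
    if not dests:
        # No authevt= group: flat file at the eventlog setting (policy variable wins).
        return [("flatfile", policy_eventlog or eventlog)]
    outputs, flat_from_setting = [], False
    for d in dests:
        if d.kind == "db":
            outputs.append(("db", d.target or with_db_suffix(eventlog)))
        elif d.kind == "flatfile":
            # The policy eventlog variable replaces the flat-file path in the setting.
            outputs.append(("flatfile", policy_eventlog or d.target))
            flat_from_setting = True
        elif d.kind == "syslog":
            outputs.append(("syslog", "localhost"))
        else:                                   # odbc or script
            outputs.append((d.kind, d.target))
    if policy_eventlog and not flat_from_setting:
        # db and odbc get an extra flat-file copy at the policy path; assumption:
        # syslog- and script-only groups behave the same way.
        outputs.append(("flatfile", policy_eventlog))
    return outputs


def pblog_default_path(eventdestinations: Optional[str],
                       eventlog_setting: Optional[str] = None) -> str:
    """Path pblog opens when run without an explicit eventlog filename."""
    eventlog = eventlog_setting or DEFAULT_EVENTLOG
    dests = parse_authevt(eventdestinations)
    for d in dests:                             # assumption: first explicit path wins
        if d.kind in ("db", "flatfile") and d.target:
            return d.target
    if any(d.kind == "db" for d in dests):
        return with_db_suffix(eventlog)         # authevt=db: pblog appends .db
    return eventlog


if __name__ == "__main__":
    value = "authevt=db,/var/adm/pb.eventlog.flat,odbc=MySQL,syslog"
    for kind, target in resolve_outputs(value, "/var/log/my.event.log"):
        print(f"{kind:9} -> {target}")
    print("pblog reads:", pblog_default_path(value, "/var/log/my.event.log"))
```

Feeding the combined line from the example above with eventlog set to /var/log/my.event.log yields a db entry at /var/log/my.event.log.db, the flat file at /var/adm/pb.eventlog.flat, the MySQL DSN and local syslog; the same function makes it easy to check that a policy eventlog variable silently redirects the flat-file copy before a change reaches production.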

Default

eventdestinations authevt=<eventlog>

Used On

  • Log servers
  • Policy server hosts (If a log host is not used)

For more information on how to configure for other types of supported events, see eventdestinations.

eventlog

  • Version 4.0.0 and later: eventlog setting available.
  • Version 10.3.0 and later: eventlog setting usage modified.

The eventlog setting specifies the default location of the flat file or SQLite database event log.

If eventdestinations setting is omitted from the settings file or does not have an explicit “authevt=” designation, EPM-UL writes authorization events in flat file format to the location in the eventlog setting by default.

The eventdestinations setting "authevt=db" configures authorization events to be written to an event log in SQLite database format, in which case, the eventlog setting provides the pathname of the event log (with .db suffix).

Any parent directory in the path is automatically created.

When pblog is invoked with no specific eventlog filename and eventdestinations setting does not explicitly define a path for a flat file (authevt=<path>) or SQLite database (authevt=db=<path>), it will try to read the path in the eventlog setting. If eventdestinations is set to "authevt=db", pblog will implicitly append “.db” to the path first before reading it.

eventlog /var/log/my.event.log

Default

Depending on the operating system standards, this can be any of the following:

eventlog /var/log/<prefix>pb.eventlog<suffix>
eventlog /var/adm/<prefix>pb.eventlog<suffix>
eventlog /usr/adm/<prefix>pb.eventlog<suffix>

Used on

  • Log hosts
  • Policy server hosts (If a log host is not used)

syslog

  • Version 4.0.0 and later: syslog setting available.

Enables sending diagnostic messages to syslog, using the facility setting.

To enable syslog recording of diagnostic messages, set syslog to yes.

syslog yes

Default

syslog yes

Used on

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information, see facility.

facility

  • Version 4.0.0 and later: facility setting available.

The messages that the EPM-UL programs transmit to the syslog facility are labeled with a syslog level. This level (as well as the severity that is specified internally to EPM-UL on a per message basis) is used by the syslog facility and handled according to the rules in the syslog configuration file (typically /etc/syslog.conf). If EPM-UL messages are not appearing in syslog, then verify that syslog.conf is handling the facility that you are using as expected.

To specify the syslog facility for logging to the Unix/Linux syslog subsystem, set facility appropriately. Some commonly available facilities include:

  • LOG_AUTH
  • LOG_AUTHPRIV (Linux).
    • Only supported in Endpoint Privilege Management for Unix and Linux 7.1.0 and later.
  • LOG_USER
  • LOG_MAIL
  • LOG_DAEMON
  • LOG_LPR
  • LOG_NEWS
  • LOG_UUCP
  • LOG_CRON
  • LOG_LOCAL0 through LOG_LOCAL7

facility LOG_DAEMON

Default

facility LOG_AUTH

Used on

  • Log hosts
  • Policy server hosts if a log host is not used

anydestinationsufficient

  • Version 10.2.0 and earlier: anydestinationsufficient setting not available.
  • Version 10.3.0 and later: anydestinationsufficient setting available.

This setting controls how the events are written to multiple destinations.

When set to no, anydestinationsufficient writes an event to all defined destinations (db, odbc, flat file). All destinations must be up and running. If one destination is down, the event is retained in the message router write queue until it is successfully written to all event log destinations. This is the default behavior.

When set to yes, anydestinationsufficient attempts each destination for an event in turn. If one destination is down but the event has already been written to at least one other destination (db, odbc, flat file), that destination is skipped for the event and processing moves on to the next event. The destination that was down therefore ends up without all of the events; pblog can be used to read the events from one destination and write them to another.

anydestinationsufficient yes
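The following added example is a small model, written for this page and not EPM-UL code, of the message-router write queue described here and under "Store Eventlog Records in a Database". It runs a queue of two constructed events against a flat file and a SQLite destination that is down for the first delivery pass and back for the second, under both values of anydestinationsufficient, and shows the two outcomes the text warns about: duplicate flat-file records on retry with no, and a database missing events with yes. The Sink class, deliver(), backfill() and scenario() are the example's own names; backfill() stands in for the pblog copy between destinations and is simplified to compare events by value.

```python
# Added example (not EPM-UL code): a model of the message-router write queue
# under the two anydestinationsufficient settings.
from collections import deque
from typing import Deque, Dict, List


class Sink:
    """One event destination that can be down. Writes are append-only, which is
    why a retried event that already landed here shows up twice."""

    def __init__(self, name: str, up: bool = True) -> None:
        self.name = name
        self.up = up
        self.records: List[str] = []

    def write(self, event: str) -> bool:
        if not self.up:
            return False
        self.records.append(event)
        return True


def deliver(queue: Deque[str], sinks: List[Sink],
            anydestinationsufficient: bool) -> Deque[str]:
    """One delivery pass over the write queue; returns the events still queued."""
    pending: Deque[str] = deque()
    while queue:
        event = queue.popleft()
        results = [sink.write(event) for sink in sinks]   # every sink is attempted
        if all(results):
            continue                         # written everywhere: done with it
        if anydestinationsufficient and any(results):
            continue                         # yes: one success is enough
        pending.append(event)                # no: retry until every sink takes it
    return pending


def backfill(source: Sink, target: Sink) -> int:
    """Copy records the target is missing, as pblog can do between destinations.
    Simplified: events are compared by value, so a duplicate in the source is
    copied once. Returns the number of records added."""
    missing: List[str] = []
    for event in source.records:
        if event not in target.records and event not in missing:
            missing.append(event)
    target.records.extend(missing)
    return len(missing)


def scenario(anydestinationsufficient: bool) -> Dict[str, List[str]]:
    """Constructed scenario: the db destination is down for the first pass and
    back for the second. Returns what is queued and what each sink holds."""
    flat = Sink("flatfile")
    db = Sink("db", up=False)
    queue: Deque[str] = deque(["Accept evt1", "Reject evt2"])   # constructed events
    queue = deliver(queue, [flat, db], anydestinationsufficient)
    db.up = True                             # destination recovers
    queue = deliver(queue, [flat, db], anydestinationsufficient)
    return {"queued": list(queue), "flatfile": flat.records, "db": db.records}


if __name__ == "__main__":
    for setting in (False, True):
        label = "yes" if setting else "no"
        print(f"anydestinationsufficient {label}: {scenario(setting)}")
```

With no, both events are eventually in the database but the flat file holds each of them twice; with yes, the queue drains on the first pass and the database never receives them until something like backfill() copies them across from the flat file. Either way, a consumer of the flat file should deduplicate on the event's own identity rather than trust record counts.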

Default

no

Used On

Log servers

odbcinidir

  • Version 10.2.0 and earlier: odbcinidir setting not available.
  • Version 10.3.0 and later: odbcinidir setting available.

The odbcinidir setting provides the path where odbc.ini and odbcinst.ini are read from when eventdestinations is set to authevt=odbc=<DSN>.

  • odbc.ini: Provides authentication details for the ODBC database.
  • odbcinst.ini: Includes driver details where shared libraries reside.

odbcinidir /etc/odbc

Default

odbcinidir /opt/<prefix>pbul<suffix>/etc