Authorization Event Logging

Privilege Management for Unix and Linux records the following authorization events in the event log file on the log host or Policy Server host (if not using a log server):

  • Accept and Reject events (including policy variables) for all tasks.
  • Keystroke patterns set by keystrokeactions and task finish information for jobs that are not run in local mode. This file can be reviewed through the Privilege Management for Unix and Linux GUI or with the pblog command.

Store Eventlog Records in a Database

SQLite Database

Starting with v10.3.0, event log records are written by default to an SQLite database. The new keyword, eventdestinations authevt=<value>, determines the destination type.

By default, even when upgrading from an older version of the product, eventdestinations defaults to authevt=db, which creates an SQLite database using the value of the eventlog variable (it suffixes .db to the filename, if the filename does not already include a .db at the end).

The database name can also be set using eventdestinations authevt=db=</path/to/database>. To revert to the old flat file format, use eventdestinations authevt=</path/to/filename>. If the eventlog variable is defined in the policy, the flat file format is used.

The binary pblog now defaults to reading an SQLite database, using the file specified in eventlog. You can also use the option --db -f </path/to/database> to specify a different file name. To read a flat file, use --ff -f </path/to/filename>.

For more information, please see eventdestinations.

MySQL and Oracle Database using ODBC Connectors

Starting with v10.3.0, event log records can be sent to an Oracle or MySQL database using the ODBC connector on the log server.

If eventdestinations is set to authevt=odbc=<MyDSN>, the event log records are logged to the ODBC DSN specified in the setting and found in the ODBC configuration files. The value of eventlog in pb.settings is ignored, and the event log records are written to the ODBC DSN specified in odbc.ini and odbcinst.ini in the odbcinidir directory (or default /opt/pbul/etc). If the eventlog variable is defined in the policy, then the event log records are written to both the path and file in the policy (in flat file format), and in the ODBC database. For pblog, use the option --odbc -f <MyDSN> to read the MySQL/Oracle database.

Event destinations can be combined, using commas, to enable logging to multiple services.

eventdestinations authevt=db,odbc=MySQL,/var/log/eventlog.flatfile

The setting anydestinationsufficient controls how the events are written to multiple destinations:

  • If set to no (default), the event must be written to all defined destinations (db, odbc, flat file) before it is removed from the message queue. If one destination is down, the event stays on the message queue until it has been successfully written to all destinations. If the event was already written to a destination (in the case of a flat file), the next attempt may create a duplicate record.
  • If set to yes, each event is attempted against every destination. As long as the write to at least one destination succeeds, processing proceeds to the next event even if other destinations fail.

In a BeyondInsight integrated environment, Privilege Management for Unix and Linux can optionally send the events to BeyondInsight Web Services. Events can then be viewed in the BeyondInsight GUI and can also be queried using the standard BeyondInsight report plug-in.

eventdestinations

  • Version 9.4.1 and earlier: eventdestinations setting not available.
  • Version 9.4.3 and later: eventdestinations setting for Audit events available.
  • Version 10.3.0 and later: eventdestinations setting for Authorization events available.

The eventdestinations setting allows the configuration of where events are logged. Prior to v10.3.0, this setting was used only for audit events. Starting in v10.3.0, it has been augmented to support authorization event logging using the keyword authevt.

For more information about configuring eventdestinations setting for audit events, please see Audit Events.

eventdestinations authevt=<destination>

Where destination is one, or a comma-separated combination, of the following: a database, syslog, a flat text file, or a script or binary that the records are passed into for processing:

  • db: Write the event log records to an SQLite database whose path is specified in the eventlog setting.
  • db=/path/to/database.db: Write the event log records to the named SQLite database.
  • /path/to/flatfile: Write the event log records to flat file.
  • odbc=DSN: Log the event records to the configured ODBC DSN (Data Source Name).
  • syslog: Write the event log records to the local syslog service, using the syslog configuration in pb.settings.
  • |/path/to/script: Write the event log records to the specified script or binary.

Within the authevt group, a combination of each destination type can be specified, separated by commas. If combining with Audit events options, each new group should be delimited with a space.
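To make the syntax concrete, here is an added Python parser (not part of the product or of this documentation) that splits an eventdestinations value into its space-delimited groups and comma-delimited destinations, classifies each destination by the rules listed above, and applies the implicit .db suffix described for the SQLite destination. The default eventlog path and the names Destination and parse_eventdestinations are the example's own choices.

```python
from dataclasses import dataclass

# Constructed parser for the eventdestinations syntax documented above
# (illustration only, not PBUL code). Groups such as authevt=... and
# chgmgt=... are space-delimited; destinations inside a group are
# comma-delimited.

@dataclass(frozen=True)
class Destination:
    kind: str    # "db", "flatfile", "odbc", "syslog" or "script"
    target: str  # database path, flat file path, DSN or script; "" for syslog

def with_db_suffix(path):
    """Documented rule: the eventlog path gets '.db' unless it already ends in .db."""
    return path if path.endswith(".db") else path + ".db"

def parse_destination(token, eventlog):
    """Classify one comma-separated destination token."""
    if token == "db":
        return Destination("db", with_db_suffix(eventlog))
    if token.startswith("db="):
        return Destination("db", token[len("db="):])
    if token.startswith("odbc="):
        return Destination("odbc", token[len("odbc="):])
    if token == "syslog":
        return Destination("syslog", "")
    if token.startswith("|"):
        return Destination("script", token[1:])
    if token.startswith("/"):
        return Destination("flatfile", token)
    raise ValueError(f"unrecognised destination: {token!r}")

def parse_eventdestinations(line, eventlog="/var/log/pb.eventlog"):
    """Return {group: [Destination, ...]} for a full eventdestinations value.

    eventlog is the pb.settings eventlog value used by the bare 'db'
    destination; the default here is an assumed Linux path.
    """
    groups = {}
    for group in line.split():
        name, sep, value = group.partition("=")
        if not sep or not value:
            raise ValueError(f"group without destinations: {group!r}")
        groups[name] = [parse_destination(t, eventlog) for t in value.split(",")]
    return groups
```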

authevt=db (default)

The path to the default database is set using the eventlog setting, or it defaults to /var/{adm|log}/pb.eventlog.db.

If the eventlog variable is defined in the policy, then the event log records are written to both the path and file in the policy (in flat file format), and the path/file defined by the eventlog setting (in SQLite database format).

If eventlog in pb.settings is set to a filename without .db at the end, a .db is implicitly added. For example, if eventlog is set to /var/log/pb_event_file, the file name is changed to /var/log/pb_event_file.db.

authevt=db=/path/to/database.db

This option allows different database names in the eventdestinations setting.

The value of eventlog in pb.settings is ignored. When writing the event log records the path/file is /path/to/database.db. If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in flat file format), and the path/file defined by this setting in SQLite database format.

authevt=/path/to/flatfile

This option logs events in the flat-file format specified in the setting.

The value of eventlog in pb.settings is ignored, and the file name (/path/to/flatfile) is used when writing the event log records.

If the eventlog variable is defined in the policy, then the flat-file event log is created using that path instead of the value (/path/to/flatfile) specified in this setting.

authevt=odbc=MyDSN

This option logs events to the ODBC DSN specified in the setting and found in the ODBC configuration files.

The value of eventlog in pb.settings is ignored, and the event log records are written to the ODBC DSN set in odbc.ini and odbcinst.ini in the directory odbcinidir (or default /opt/pbul/etc).

If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in the flat file format), and in the ODBC database.

authevt=syslog

This option logs events to the local host's syslog service in JSON format.

authevt=|/path/to/script

This option logs events to a script or binary in JSON format.

To avoid running out of resources under heavy load while sending authorization events to a program (eventdestinations authevt=|program), pblighttpd-svc must be started with at least unlimited NOFILES and NPROC (for example, through the service unit's resource limits on Linux with systemd).

For more information, please see pblighttpd Service.

Example:

eventdestinations authevt=db

Event destinations can be combined, separated by commas, to enable logging to multiple services:

eventdestinations authevt=db,/var/adm/pb.eventlog.flat,odbc=MySQL,syslog

Authorization Event and Audit Event destinations can be combined using a space delimiter:

eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog

Default:

eventdestinations authevt=db

Used on:

  • Log servers
  • Policy server hosts (if a log host is not used)

For more information on how to configure for other types of supported events, please see eventdestinations.

eventlog

  • Version 4.0.0 and later: eventlog setting available.
  • Version 10.3.0 and later: eventlog setting usage modified.

The default eventdestinations setting authevt=db configures authorization events to be written to an event log in SQLite database format. In this case, the eventlog setting provides the pathname of that event log (with an implicit .db suffix). Also, when pblog is invoked without a specific filename, it uses the pathname of eventlog (with an implicit .db suffix) and assumes it is SQLite database.

If the eventdestinations setting is anything other than the default authevt=db, when pblog is invoked with no specific filename, it looks up the value of the eventlog setting as is, and assumes it is a SQLite database.

Any parent directory in the path is automatically created.

Example:

eventlog /var/log/my.event.log

Default:

Depending on the operating system standards, this can be any of the following:

eventlog /var/log/<prefix>pb.eventlog.db<suffix>
eventlog /var/adm/<prefix>pb.eventlog.db<suffix>
eventlog /usr/adm/<prefix>pb.eventlog.db<suffix>

Used on:

  • Log hosts
  • Policy server hosts (if a log host is not used)

syslog

  • Version 4.0.0 and later: syslog setting available.

Enables sending diagnostic messages to syslog, using the facility setting.

To enable syslog recording of diagnostic messages, set syslog to yes.

Example:

syslog yes

Default:

syslog yes

Used on:

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information, please see facility.

facility

  • Version 4.0.0 and later: facility setting available.

The messages that the Privilege Management for Unix and Linux programs transmit to the syslog facility are labeled with a syslog level. This level (as well as the severity that is specified internally to Privilege Management for Unix and Linux on a per message basis) is used by the syslog facility and handled according to the rules in the syslog configuration file (typically /etc/syslog.conf). If Privilege Management for Unix and Linux messages are not appearing in syslog, then verify that syslog.conf is handling the facility that you are using as expected.

To specify the syslog facility for logging to the Unix/Linux syslog subsystem, set facility appropriately. Some commonly available facilities include:

  • LOG_AUTH
  • LOG_AUTHPRIV (Linux and macOS).
    • Only supported in Privilege Management for Unix and Linux 7.1.0 and later.
  • LOG_USER
  • LOG_MAIL
  • LOG_DAEMON
  • LOG_LPR
  • LOG_NEWS
  • LOG_UUCP
  • LOG_CRON
  • LOG_LOCAL0 through LOG_LOCAL7

Example:

facility LOG_DAEMON

Default:

facility LOG_AUTH

Used on:

  • Log hosts
  • Policy server hosts (if a log host is not used)

anydestinationsufficient

  • Version 10.2.0 and earlier: anydestinationsufficient setting not available.
  • Version 10.3.0 and later: anydestinationsufficient setting available.

This setting controls how the events are written to multiple destinations.

When set to no, anydestinationsufficient writes an event to all defined destinations (db, odbc, flat file). All destinations must be up and running. If one destination is down, the event is retained in the message router write queue until it is successfully written to all event log destinations. This is the default behavior.

When set to yes, anydestinationsufficient writes the event to one destination at a time. If one destination is down, and the event has already been written to at least one destination (db, odbc, flat file), then it skips the failed destination for that event and moves on to the next event. The destination that was down does not have all the events. However, pblog can be used to get the events from one destination and write them to another.

Example:

anydestinationsufficient yes

Default:

anydestinationsufficient no

Used on:

  • Log servers
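The difference between the two values, as an added Python model that is not the product's message router: three constructed events are written to db, odbc and flat-file destinations while the ODBC database is unreachable, and the queue is retried once it is back. The names Sink, drain and simulate are the example's own, and it assumes that the db and odbc destinations ignore a repeated record while a flat file simply appends, which is the duplicate case the documentation warns about.

```python
from collections import deque

# Constructed model of anydestinationsufficient (illustration, not PBUL code).
# Assumption: db and odbc destinations ignore a repeated record, while a flat
# file appends whatever it is given, so a retry can duplicate a record there.

class Sink:
    """One event log destination that can be taken down to simulate an outage."""
    def __init__(self, name, dedupes):
        self.name = name
        self.dedupes = dedupes
        self.up = True
        self.records = []

    def write(self, event):
        if not self.up:
            return False
        if self.dedupes and event in self.records:
            return True              # already stored: nothing new written
        self.records.append(event)
        return True

def drain(queue, sinks, any_sufficient):
    """Attempt every queued event against every sink; return the events kept."""
    kept = deque()
    for event in queue:
        results = [s.write(event) for s in sinks]
        if any_sufficient:
            # yes: proceed once at least one destination has the event
            if not any(results):
                kept.append(event)
        else:
            # no (default): keep the event until every destination has it
            if not all(results):
                kept.append(event)
    return kept

def simulate(any_sufficient):
    """Return each destination's records after an ODBC outage and one retry."""
    sinks = [Sink("db", dedupes=True), Sink("odbc", dedupes=True),
             Sink("flatfile", dedupes=False)]
    odbc = sinks[1]
    queue = deque(["ev1", "ev2", "ev3"])   # constructed event records
    odbc.up = False                         # ODBC database unreachable
    queue = drain(queue, sinks, any_sufficient)
    odbc.up = True                          # outage over; retry what is still queued
    drain(queue, sinks, any_sufficient)
    return {s.name: list(s.records) for s in sinks}
```

With the default no, the flat file ends up holding every event twice while all three destinations are complete; with yes, nothing is duplicated but the ODBC database is missing all three events.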

odbcinidir

  • Version 10.2.0 and earlier: odbcinidir setting not available.
  • Version 10.3.0 and later: odbcinidir setting available.

The odbcinidir setting provides the path where odbc.ini and odbcinst.ini are read from when eventdestinations is set to authevt=odbc=<DSN>.

  • odbc.ini: Provides authentication details for the ODBC database.
  • odbcinst.ini: Includes driver details where shared libraries reside.

Example:

odbcinidir /etc/odbc

Default:

odbcinidir /opt/<prefix>pbul<suffix>/etc