BeyondInsight I/O Log Indexing and Searching

Starting with version 7.5, Endpoint Privilege Management can index I/O log files for an improved search capability using BeyondInsight Search GUI. Each log server and policy server host can communicate with a Solr server, submitting I/O log output data for indexing.

BeyondInsight provides a search GUI, allowing users to search indexed I/O logs.

The settings in this section enable and configure the indexing of I/O Log files with Solr.

For more information, see BeyondInsight Event and I/O Logging Common Settings.

Solrhost

  • Version 7.1 and earlier: Solrhost setting not available.
  • Version 7.5 and later: Solrhost setting available.

The hostname where the Solr server is installed. This keyword does not support the EPM-UL/EPM-L extended settings such as interface.

Solrhost mySolrhost.mydomain

Default

No default value

Solrport

  • Version 7.1 and earlier: Solrport setting not available.
  • Version 7.5 and later: Solrport setting available.

The port number used to communicate with the Solr server.

Solrport 8443

Default

Solrport 8443

Used On

  • Policy server hosts
  • Log hosts

Solrvariables

  • Version 7.1 and earlier: Solrvariables setting not available.
  • Version 7.5 and later: Solrvariables setting available.

A list of EPM-UL/EPM-L policy variables, each ending in _pbul, whose values are stored as data in Solr.

Solrvariables role_pbul list_pbul ticket_pbul

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

Solrclientkeyfile

  • Version 7.1 and earlier: Solrclientkeyfile setting not available.
  • Version 7.5 and later: Solrclientkeyfile setting available.

Specifies a PEM format file containing the private key for a Solr client. The Solr server must be configured to have its Java keystore contain the Certificate Authority Certificate (CA cert) that signed the client's public certificate.

Solrclientkeyfile /etc/Solr.myhost.client.key.pem

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

Solrclientcertfile

  • Version 7.1 and earlier: Solrclientcertfile setting not available.
  • Version 7.5 and later: Solrclientcertfile setting available.

Specifies a PEM format file containing the public certificate for the Solr client private key. The Solr server must be configured to have its Java keystore contain the Certificate Authority Certificate (CA cert) that signed the client’s public certificate.

Solrclientcertfile /etc/Solr.myhost.client.cert.pem

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

Solrcafile

  • Version 7.1 and earlier: Solrcafile setting not available.
  • Version 7.5 and later: Solrcafile setting available.

Specifies a PEM format file containing the Certificate Authority Certificate (CA cert) for the CA that signed the Solr server’s SSL certificate. If this keyword is specified in pb.settings, pbreplay initiates an SSL connection to the Solr server. The Solrport keyword must be set to a port that Solr is using for HTTPS/SSL traffic.

Solrcafile /etc/Solr.myhost.ca.pem

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

iologactiondb

  • Version 9.4.5 and earlier: iologactiondb setting not available.
  • Version 10.0 and later: iologactiondb setting available.

Optionally specifies the path and file name of a database used internally to schedule iolog indexing. This prevents too many pbreplay processes from overloading the system. If not specified, the default pbiologaction.db in the database directory is used.

iologactiondb /opt/pbul/dbs/action.db

Default

iologactiondb /opt/<prefix>pbul<suffix>/dbs/pbiologaction.db

Used On

  • Policy server hosts
  • Log hosts

iologactioninterval

  • Version 10.0.0 and earlier: iologactioninterval not available.
  • Version 10.0.1 and later: iologactioninterval available.

Optionally specifies the interval at which the scheduler checks to see if I/O logs need to be processed for Solr or iologcloseactions. The default is 60 seconds, and the minimum is 30 seconds.

iologactioninterval 120

Default

iologactioninterval 60

Used On

  • Policy server hosts
  • Log hosts

iologactionmaxprocs

  • Version 9.4.5 and earlier: iologactionmaxprocs not available.
  • Version 10.0 and later: iologactionmaxprocs available.

Optionally specifies a limit to the number of simultaneous pbreplay processes that can index I/O logs to Solr. This prevents too many pbreplay processes from overloading the system. If not specified, the default of 4 is used.

iologactionmaxprocs 120

Default

iologactionmaxprocs 4

Used On

  • Policy server hosts
  • Log hosts

iologactionqueuetimelimit

  • Version 10.0.0 and earlier: iologactionqueuetimelimit not available.
  • Version 10.0.1 and later: iologactionqueuetimelimit available.

Optionally specifies the time limit, in minutes, that an iolog can be held in the processing queue without a heartbeat from pblogd, before that iolog is marked as ready for Solr or iologcloseaction. The default is 720 minutes (12 hours).

iologactionqueuetimelimit 300

Default

iologactionqueuetimelimit 720

Used On

  • Policy server hosts
  • Log hosts

iologactionqueuetimeouts

  • Version 9.4.5 and earlier: iologactionqueuetimeouts available.
  • Version 10.0 and later: iologactionqueuetimeouts available.

The timeout values specified include:

  • [openread=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for the open for processing of pblicense write queues.
  • [openwrite=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for the open by clients to log transaction.
  • [write=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for waiting to write to the write queue.
  • [lock=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for waiting for exclusive lock when processing the pblicense write queues.

iologactionqueuetimeouts openread=1000,10,2.0 openwrite=30000,5,1.2 write=30000,5,1.2 lock=30000,5,1.2

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

iologactionretry

  • Version 10.0.0 and earlier: iologactionretry not available.
  • Version 10.1.0 and later: iologactionretry available.

Optionally specifies the interval, in minutes, that an iolog must wait for a Solr or iologcloseaction retry. A Solr attempt is requeued in certain recoverable cases, such as when unable to reach the host. An iologcloseaction attempt is requeued if the iologcloseaction script returns -1. This delay allows time for the issue to be potentially resolved before the next attempt. The minimum is 5 minutes and the maximum is 2880 (48 hours).

iologactionretry 300

Default

iologactionretry 20

Used On

  • Policy server hosts
  • Log hosts

iologindexstorefile

  • Version 7.1 and earlier: iologindexstorefile setting not available.
  • Version 7.5 through 9.4.5 all OS: iologindexstorefile setting available.
  • Version 10.1.0 and later: iologindexstorefile setting not available.

The path and file name of the file used to store I/O log file names that failed to be forwarded to Solr due to an error. This file is periodically scanned by pblogd and the content forwarded to Solr, when the communication with Solr is reestablished.

iologindexstorefile /var/log/pb.iolog.store

Default

iologindexstorefile <default_log_directory>/pb.iolog.store

Used On

  • Policy server hosts
  • Log hosts

indexcommandtimestamps

  • Version 7.1 and earlier: indexcommandtimestamps setting not available.
  • Version 7.5 and later: indexcommandtimestamps setting available.

Used to disable command timestamps in the Solr index. Command timestamps in the Solr index can be used to search for commands that happened near a time. These timestamps are enabled by default.

indexcommandtimestamps no

Default

indexcommandtimestamps yes

Used On

  • Policy server hosts
  • Log hosts

indexlogsizelimit

  • Version 9.4.5 and earlier: indexlogsizelimit setting not available.
  • Version 10.0 and later: indexlogsizelimit setting available.

Used to set a size limit for I/O logs that can be indexed. The indexlogsizelimit keyword is an integer optionally followed by k|K|m|M|g|G. Any additional characters are ignored.

indexlogsizelimit 60M

Default

No default value

Used On

  • Policy server hosts
  • Log hosts

pbreplaylog

  • Version 7.1 and earlier: pbreplaylog setting not available.
  • Version 7.5 and later: pbreplaylog setting available.

pbreplaylog contains the name for pbreplay's diagnostic log file.

pbreplaylog /var/log/pbreplay.log

Default

During the install, depending on the operating system standards, this can be any of the following:

pbreplaylog /var/log/pbreplay.log
pbreplaylog /usr/log/pbreplay.log
pbreplaylog /var/adm/pbreplay.log
pbreplaylog /usr/adm/pbreplay.log

Used On

  • Policy server hosts
  • Log hosts
  • GUI hosts

Solrindextimeout

  • Version 9.4.5 and earlier: Solrindextimeout setting not available.
  • Version 10.0 and later: Solrindextimeout setting available.

Used to set a time limit for I/O logs being indexed. If Solr indexing exceeds the specified time limit, indexing the current iolog is terminated. The time limit, specified in seconds, takes place for both the connection phase and the sending of each 5MB chunk to Solr. For example, if Solrindextimeout is set to 15, an iolog with 10MB stdout data might take up to 60 seconds connecting and talking to Solr before timing out. If Solrindextimeout is not set, or is set to -1, there is no timeout.

Solrindextimeout 120

Default

Solrindextimeout -1

Used On

  • Policy server hosts
  • Log hosts
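As an added illustration (not part of the BeyondTrust documentation), the following Python checker parses a constructed pb.settings fragment and tests the indexing keywords described above against the constraints this section states: Solrcafile is what turns on SSL to Solr, the client key and certificate files go together, Solrvariables entries end in _pbul, iologactioninterval has a 30 second minimum, iologactionretry accepts 5 to 2880 minutes, and indexlogsizelimit is an integer with an optional k/m/g suffix followed by ignored characters. The function names, the 1024-based unit multipliers and the sample host name are assumptions.

```python
import re

SIZE_RE = re.compile(r"^(\d+)([kKmMgG])?")    # integer, optional unit, trailing characters ignored
MULT = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}   # 1024-based multipliers are an assumption
# Constructed pb.settings fragment for the demonstration; the host name is not a real one.
SAMPLE = """Solrhost solr.example.internal
Solrvariables role_pbul ticket
iologactioninterval 10
iologactionretry 3000
indexlogsizelimit 60MB
"""

def parse_settings(text):
    """Parse 'keyword value [value ...]' lines; keywords are compared case-insensitively here."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *values = line.split()
            settings[key.lower()] = values
    return settings

def parse_size_limit(value):
    """indexlogsizelimit: integer optionally followed by k|K|m|M|g|G; further characters are ignored."""
    m = SIZE_RE.match(value)
    return int(m[1]) * (MULT[m[2].lower()] if m[2] else 1) if m else None

def check_iolog_settings(text):
    """Return findings against the constraints this settings section states."""
    s, findings = parse_settings(text), []
    def intval(key):
        return int(s[key][0]) if key in s and s[key] and s[key][0].lstrip("-").isdigit() else None
    if "solrhost" in s and "solrcafile" not in s:
        findings.append("Solrcafile not set: pbreplay will not use SSL when talking to Solr")
    if ("solrclientkeyfile" in s) != ("solrclientcertfile" in s):
        findings.append("Solrclientkeyfile and Solrclientcertfile must be configured together")
    for var in s.get("solrvariables", []):
        if not var.endswith("_pbul"):
            findings.append(f"Solrvariables entry {var!r} does not end in _pbul")
    v = intval("iologactioninterval")
    if v is not None and v < 30:
        findings.append(f"iologactioninterval {v} is below the 30 second minimum")
    v = intval("iologactionretry")
    if v is not None and not 5 <= v <= 2880:
        findings.append(f"iologactionretry {v} is outside the 5..2880 minute range")
    if "indexlogsizelimit" in s and parse_size_limit(s["indexlogsizelimit"][0]) is None:
        findings.append("indexlogsizelimit is not an integer with an optional k/m/g suffix")
    return findings
```

Running check_iolog_settings(SAMPLE) reports four findings (no Solrcafile, the ticket variable, the interval and the retry value) and accepts 60MB because the trailing B is ignored.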