I/O Log Indexing and Searching

In a BeyondInsight integrated environment, using Solr servers, each log server and policy server host can communicate with a Solr server, submitting Privilege Management for Unix and Linux I/O log output data for indexing.

BeyondInsight provides a search GUI, allowing users to search indexed I/O logs.

For more information about enabling this feature, please see BeyondInsight I/O Log Indexing and Searching.

iologack

  • Version 6.0 and earlier: iologack setting not available.
  • Version 6.2.5 and later: iologack setting available.

The iologack setting enables a log host to send an acknowledgement to the submit host after the log host writes each I/O log data segment. Using this setting can prevent data integrity problems and prevent the submit host from hanging when there are network interruptions or if the log host becomes unavailable during an I/O logging session. However, enabling acknowledgements can increase network traffic and degrade system performance.

The submit host waits for acknowledgement for a period of time that is determined by the logserverprotocoltimeout setting. If logserverprotocoltimeout is set to a value other than -1, then the timeout period is 10 seconds. Otherwise, the timeout period is the value of logserverprotocoltimeout.

For acknowledgements to be sent, the iologack setting on the submit host and the log host must both be set to yes.

iologack yes
iologack no
  • Submit hosts
  • Log hosts


passwordlogging

  • Version 4.0.0 and later: passwordlogging setting available.

It might be desirable to control whether passwords can be logged to a greater extent than using the variable lognopassword alone. Setting passwordlogging to never suppresses all text portions of the input stream that are not echoed in the output stream. This action also sets the configuration policy language variable lognopassword to never and makes it read-only.

  • allow
  • never
passwordlogging allow
passwordlogging never
  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information about the lognopassword variable, please see the Privilege Management for Unix and Linux Policy Language Guide.

rootshelldefaultiolog

  • Version 4.0.0 and later: rootshelldefaultiolog setting available.

When root runs a Privilege Management for Unix and Linux shell (for example, pbsh or pbksh), and a policy server daemon cannot be reached, that shell records an I/O log for the root session. Because no policy server can be reached, rootshelldefaultiolog provides a default emergency I/O log. If the file name is not unique, then Privilege Management for Unix and Linux adds a unique 6-character suffix to the name.

rootshelldefaultiolog /var/logs/root.default.iolog
rootshelldefaultiolog /pbshell.iolog

Used on submit hosts by pbksh and pbsh when a policy server host is not available.

logreservedfilesystems and logreservedblocks

  • Version 4.0.0 and later: logreservedfilesystems and logreservedblocks settings available.

The logreservedfilesystems and logreservedblocks settings enable the administrator to control free space on the logreservedfilesystems file systems, and cause an immediate failover if the log host’s free space falls below logreservedblocks.

If the number of free 1KB blocks falls below logreservedblocks on any of the file systems that are specified in any of the logreservedfilesystems on the log host, then the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the policy server host if you are not using a log server.

If the free space in any of the file systems containing /var/log or /usr/log falls below 10,000 blocks, then new requests are rejected. Requests that are already in progress are allowed to continue.
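The free-space rule above, as an added illustration written for this page rather than the product's own code: the file system holding any listed path is checked, the free count is normalised to 1KB blocks before comparing with logreservedblocks, and a limit of 0 never refuses anything. The sample statvfs figures are constructed.

```python
import os
from typing import Dict, List, Tuple

# Added illustration of the failover rule for logreservedfilesystems and
# logreservedblocks (not the product's own code): the log daemon refuses new
# requests when the file system holding any listed path has fewer than
# logreservedblocks free 1KB blocks.  statvfs reports free space in units of
# f_frsize, so the count is normalised to 1KB blocks before comparing.

def free_1k_blocks(f_bfree: int, f_frsize: int) -> int:
    """Convert statvfs free-block count and fragment size to 1KB blocks."""
    return f_bfree * f_frsize // 1024


def would_refuse_new_requests(stats: Dict[str, Tuple[int, int]],
                              reserved_blocks: int) -> Tuple[bool, List[Tuple[str, int]]]:
    """stats maps each logreservedfilesystems path to (f_bfree, f_frsize).

    Returns (refuse, [(path, free_1k_blocks) for every path under the limit]).
    With reserved_blocks 0 (the default) nothing is ever refused.
    """
    free = [(path, free_1k_blocks(bfree, frsize))
            for path, (bfree, frsize) in stats.items()]
    low = [(path, blocks) for path, blocks in free if blocks < reserved_blocks]
    return bool(low), low


def check_live(paths: List[str], reserved_blocks: int):
    """Same test against the running host, e.g. check_live(["/var", "/usr/log"], 2000)."""
    stats = {}
    for path in paths:
        st = os.statvfs(path)
        stats[path] = (st.f_bfree, st.f_frsize)
    return would_refuse_new_requests(stats, reserved_blocks)


if __name__ == "__main__":
    # Constructed sample: /var has plenty of room, /usr/log is nearly full
    sample = {"/var": (5000, 4096), "/usr/log": (300, 4096)}
    print(would_refuse_new_requests(sample, 2000))  # (True, [('/usr/log', 1200)])
```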

logreservedfilesystems /var /usr/log
logreservedblocks 2000
logreservedblocks 0

No default value for logreservedfilesystems.

  • Log hosts
  • Policy server hosts if a log host is not used

Customized Syslog Formatting

For syslog logging, you can specify the format and select specific fields to be written to the syslog file for accept, reject, and session syslog messages. This feature simplifies integration with Security Information and Event Management (SIEM) systems that typically rely on the standard syslog format to aggregate event data across many different devices. The settings in this section enable and configure this feature.

For all of these settings, the argument is either none or a text string that includes references to event log variables. If the argument is none, then the corresponding event record is not written to the syslog file. This feature enables you to use the syslog() procedure in the policy without sending duplicate records to the syslog files. If the setting is not included in the pb.settings file, then Privilege Management for Unix and Linux performs syslog logging with hard-coded accept, reject, and session messages.

The syslog logging feature must be enabled for customized syslog formatting to work; for more information about enabling syslog logging, please see the syslog logging settings.

To define a string to write to the syslog file, the entire text string must be enclosed in double quotation marks ("). An event log variable must be enclosed in percent characters (%). A literal percent or double quotation mark character must be preceded by a backslash (\" and \%, for example). A particular item in a list variable can be referenced with the index number for that list (%argv[1]%, for example).

This feature extends to one level of lists only; multi-level lists are not handled.

When an event that is recognized by one of these settings occurs, the text string is written to the syslog file, and the event log variable references are replaced with the values of those variables for that event. A variable reference that is not recognized is replaced with the string <variable_name:undefined> (<variable_name [n]:undefined> for unrecognized or nonexistent list items).

Customized Syslog Formatting messages over 1,024 characters are truncated.
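The substitution rules above (%variable% and %variable[n]% references, the \" and \% escapes, the <variable_name:undefined> placeholders and the 1,024-character limit), as an added example written for this page and not BeyondTrust's implementation. List indexes are assumed to be zero-based as in the policy language's argv, and the accept record and event values are constructed.

```python
import re
from typing import Any, Dict

# Added illustration of the customized syslog formatting rules on this page
# (not BeyondTrust's code): %name% and %name[n]% are replaced with event log
# values, \" and \% are literal characters, unknown references become
# <name:undefined> / <name [n]:undefined>, and the result is cut to 1,024
# characters.  List indexes are assumed zero-based (argv[0] is the command).
MAX_SYSLOG_MESSAGE = 1024

# Either an escaped character (\", \%, \\) or a %variable% / %variable[n]% reference
_TOKEN = re.compile(r'\\(["%\\])|%([A-Za-z_][A-Za-z0-9_]*)(?:\[(\d+)\])?%')


def unquote_setting_value(raw: str) -> str:
    """Strip the mandatory enclosing double quotes from a pb.settings value."""
    raw = raw.strip()
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("format string must be enclosed in double quotes")
    return raw[1:-1]


def render_syslog_format(fmt: str, event: Dict[str, Any]) -> str:
    """Expand one event's variables into fmt and apply the length limit."""
    def replace(m: "re.Match[str]") -> str:
        escaped, name, index = m.groups()
        if escaped is not None:          # \" or \% stands for the literal character
            return escaped
        if name not in event:
            return f"<{name}:undefined>"
        value = event[name]
        if index is None:
            return str(value)
        i = int(index)
        if not isinstance(value, list) or i >= len(value):
            return f"<{name} [{i}]:undefined>"
        return str(value[i])

    return _TOKEN.sub(replace, fmt)[:MAX_SYSLOG_MESSAGE]


# Constructed sample: an accept-format setting value and one event's variables
SAMPLE_SETTING = (r'"PMUL Master accepted %command% on %date% at %hour%:%minute% '
                  r'(arg1=\"%argv[1]%\", 100\% logged, %nosuch% %argv[9]%)"')
SAMPLE_EVENT = {"command": "ls -l /root", "date": "2024/05/01", "hour": "09",
                "minute": "30", "argv": ["ls", "-l", "/root"]}

if __name__ == "__main__":
    print(render_syslog_format(unquote_setting_value(SAMPLE_SETTING), SAMPLE_EVENT))
```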

When Privilege Management is installed, if a previous pb.settings file exists without the customized syslog formatting settings specified, then Privilege Management adds sample customized syslog formatting settings as comments. You can uncomment and remove the string SAMPLE, and then modify these sample settings.

For a list of event log variables, please see the Privilege Management for Unix and Linux Language Guide.

syslog_accept_format

  • Version 6.2 and earlier: syslog_accept_format setting not available.
  • Version 7.0 and later: syslog_accept_format setting available.

The syslog_accept_format setting defines the format of the record to be written to the syslog file for accept events.

syslog_accept_format "Privilege Management for Unix and Linux Master accepted %command% on %date% at %hour%:%minute%. The command was submitted by %user% on %submithost% and run by %runuser% on %runhost%"

No default value

Policy server hosts

syslog_reject_format

  • Version 6.2 and earlier: syslog_reject_format setting not available.
  • Version 7.0 and later: syslog_reject_format setting available.

The syslog_reject_format setting defines the format of the record to be written to the syslog file for reject events.

syslog_reject_format "Privilege Management for Unix and Linux Master reject %command% on %date% at %hour%:%minute%. The command was submitted by %user% on %submithost%"

No default value

Policy server hosts

syslogsession_start_format

  • Version 6.2 and earlier: syslogsession_start_format setting not available.
  • Version 7.0 and later: syslogsession_start_format setting available.

The syslogsession_start_format setting defines the format of the record to be written to the syslog file for session start events.

syslogsession_start_format "Privilege Management for Unix and Linux session started on %date% at %hour%:%minute%. The session was started by %user%"

No default value

Run hosts

syslogsession_start_fail_format

  • Version 6.2 and earlier: syslogsession_start_fail_format setting not available.
  • Version 7.0 and later: syslogsession_start_fail_format setting available.

The syslogsession_start_fail_format setting defines the format of the record to be written to the syslog file for session failed to start events.

syslogsession_start_fail_format "Privilege Management for Unix and Linux session failed to start on %date% at %hour%:%minute%. User %user% attempted to start this session."

No default value

Run hosts

syslogsession_finished_format

  • Version 6.2 and earlier: syslogsession_finished_format setting not available.
  • Version 7.0 and later: syslogsession_finished_format setting available.

The syslogsession_finished_format setting defines the format of the record to be written to the syslog file for session finished events.

syslogsession_finished_format "Privilege Management for Unix and Linux session finished on %date% at %hour%:%minute%. The session was started by %user%"

No default value

Run hosts

syslogsession_finished_format_logserver

  • Version 10.0.1 and later: syslogsession_finished_format_logserver setting available.

The syslogsession_finished_format_logserver setting defines the format of the record that the log server writes to the syslog file for session finished events.

syslogsession_finished_format_logserver "Task: '%runcommand%' finished at %exitdate% %exittime% as %runuser% on %runhost% with status %exitstatus%"

No default value

Log servers