I/O Log Indexing and Searching

As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.

In a BeyondInsight integrated environment, using Solr servers, each log server and policy server host can communicate with a Solr server, submitting EPM-UL I/O log output data for indexing.

BeyondInsight provides a search GUI, allowing users to search indexed I/O logs.

For more information about enabling this feature, see BeyondInsight I/O Log Indexing and Searching.

iologack

  • Version 6.0 and earlier: iologack setting not available.
  • Version 6.2.5 and later: iologack setting available.

The iologack setting enables a log host to send an acknowledgement to the submit host after the log host writes each I/O log data segment. Using this setting can prevent data integrity problems and prevent the submit host from hanging when there are network interruptions or if the log host becomes unavailable during an I/O logging session. However, enabling acknowledgements can increase network traffic and degrade system performance.

The submit host waits for acknowledgement for a period of time that is determined by the logserverprotocoltimeout setting. If logserverprotocoltimeout is set to a value other than -1, then the timeout period is 10 seconds. Otherwise, the timeout period is the value of logserverprotocoltimeout.

For acknowledgements to be sent, the iologack setting on the submit host and the log host must both be set to yes.

iologack yes

Default

iologack no

Used on

  • Submit hosts
  • Log hosts

passwordlogging

  • Version 4.0.0 and later: passwordlogging setting available.

It might be desirable to control whether passwords can be logged to a greater extent than using the variable lognopassword alone. Setting passwordlogging to never suppresses all text portions of the input stream that are not echoed in the output stream. This action also sets the configuration policy language variable lognopassword to never and makes it read-only.

Valid Values

  • allow
  • never

passwordlogging allow

Default

passwordlogging never

Used on

  • Policy server hosts
  • Run hosts
  • Submit hosts

For more information about the lognopassword variable, see the Endpoint Privilege Management for Unix and Linux Policy Language Guide.

rootshelldefaultiolog

  • Version 4.0.0 and later: rootshelldefaultiolog setting available.

When root runs an EPM-UL shell (for example, pbsh or pbksh), and a policy server daemon cannot be reached, that shell records an I/O log for the root session. Because no policy server can be reached, rootshelldefaultiolog provides a default emergency I/O log. If the file name is not unique, then EPM-UL adds a unique 6-character suffix to the name.

rootshelldefaultiolog /var/logs/root.default.iolog

Default

rootshelldefaultiolog /pbshell.iolog

Used on

Submit hosts by pbksh and pbsh when a policy server host is not available.

logreservedfilesystems and logreservedblocks

  • Version 4.0.0 and later: logreservedfilesystems and logreservedblocks settings available.

The logreservedfilesystems and logreservedblocks settings enable the administrator to control free space on the logreservedfilesystems file systems, and cause an immediate failover if the log host’s free space falls below logreservedblocks.

If the number of free 1KB blocks falls below logreservedblocks on any of the file systems that are specified in any of the logreservedfilesystems on the log host, then the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the policy server host if you are not using a log server.

If the free space in any of the file systems containing /var/log or /usr/log falls below 10,000 blocks, then new requests are rejected. Requests that are already in progress are allowed to continue.

logreservedfilesystems /var /usr/log
logreservedblocks 2000

Default

logreservedblocks 0

No default value for logreservedfilesystems.

Used on

  • Log hosts
  • Policy server hosts if a log host is not used
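The free-space rule above, as an added example that is not part of the original documentation or of EPM-UL: it reads the two settings from pb.settings text and reports whether a log host has already dropped below the threshold at which the log daemon refuses new requests. The parse_reserve_settings, free_1k_blocks and check_log_host names and the settings text are constructed for this example.

```python
import os

# Added example (not BeyondTrust code): reproduce the logreservedblocks
# decision so an administrator can check a log host before the daemon
# starts refusing new requests and failover kicks in.

def parse_reserve_settings(settings_text):
    """Extract logreservedfilesystems (list of paths) and logreservedblocks
    (int, in 1 KB blocks) from pb.settings text. Comment lines are skipped."""
    filesystems, blocks = [], 0  # 0 is the documented default
    for line in settings_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "logreservedfilesystems":
            filesystems = value.split()
        elif key == "logreservedblocks":
            blocks = int(value)
    return filesystems, blocks

def free_1k_blocks(path):
    """Free space on the file system containing path, in 1 KB blocks."""
    st = os.statvfs(path)
    return st.f_bavail * st.f_frsize // 1024

def check_log_host(filesystems, reserved_blocks, probe=free_1k_blocks):
    """Return (refuse_new_requests, free blocks per file system).
    The daemon refuses new requests as soon as any listed file system has
    fewer free blocks than the threshold; with the default of 0 nothing can
    fall below it. `probe` is injectable so the logic can be tested offline."""
    details = {fs: probe(fs) for fs in filesystems}
    refuse = reserved_blocks > 0 and any(v < reserved_blocks for v in details.values())
    return refuse, details
```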

Customized Syslog Formatting

For syslog logging, you can specify the format and select specific fields to be written to the syslog file for accept, reject, and session syslog messages. This feature simplifies integration with Security Information and Event Management (SIEM) systems that typically rely on the standard syslog format to aggregate event data across many different devices. The settings in this section enable and configure this feature.

For all of these settings, the argument is either none or a text string that includes references to event log variables. If the argument is none, then the corresponding event record is not written to the syslog file. This feature enables you to use the syslog() procedure in the policy without sending duplicate records to the syslog files. If the setting is not included in the pb.settings file, then EPM-UL performs syslog logging with hard-coded accept, reject, and session messages.

The syslog logging feature must be enabled for customized syslog formatting to work. For more information, see the documentation on enabling syslog logging.

To define a string to write to the syslog file, enclose the entire text string in double quotation marks ("). Enclose each event log variable in percent characters (%). A literal percent or double quotation mark character must be preceded by a backslash (\" and \%, for example). A particular item in a list variable can be referenced with the index number for that list (%argv[1]%, for example).

This feature extends to one level of lists only; multi-level lists are not handled.

When an event that is recognized by one of these settings occurs, the text string is written to the syslog file, and the event log variable references are replaced with the values of those variables for that event. A variable reference that is not recognized is replaced with the string <variable_name:undefined> (<variable_name [n]:undefined> for unrecognized or nonexistent list items).

Customized Syslog Formatting messages over 1,024 characters are truncated.
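As an added example (not BeyondTrust code), the following Python renders a customized syslog format string according to the rules above: a quoted template or the keyword none, %var% and %list[n]% references, \" and \% escapes, <name:undefined> placeholders and truncation at 1,024 characters. It assumes list indexes are 0-based as in the policy language; the parse_setting and render names and the sample event are constructed for this example.

```python
import re

# Added example (not BeyondTrust's code): preview what a pb.settings
# syslog_*_format template will emit for a given event. Assumes list
# indexes are 0-based, as in the policy language.

MAX_LEN = 1024  # messages over 1,024 characters are truncated

# Either an escaped \" or \%, or a %name% / %name[n]% variable reference
_TOKEN = re.compile(r'\\(["%])|%([A-Za-z_][A-Za-z0-9_]*)(?:\[(\d+)\])?%')

def parse_setting(line):
    """Split a pb.settings line into (setting name, format string).
    The keyword none means the record is not written (returned as None);
    otherwise the string must be enclosed in double quotation marks."""
    name, _, rest = line.strip().partition(" ")
    rest = rest.strip()
    if rest == "none":
        return name, None
    if len(rest) < 2 or rest[0] != '"' or rest[-1] != '"':
        raise ValueError("format string must be enclosed in double quotes")
    return name, rest[1:-1]

def render(fmt, event):
    """Replace variable references with values from an event dict.
    Unknown variables become <name:undefined>, missing list items
    <name[n]:undefined>; the result is cut at MAX_LEN characters."""
    def sub(m):
        if m.group(1):                       # \" or \% -> literal character
            return m.group(1)
        name, idx = m.group(2), m.group(3)
        ref = f"{name}[{idx}]" if idx is not None else name
        if name not in event:
            return f"<{ref}:undefined>"
        value = event[name]
        if idx is None:
            return str(value)
        i = int(idx)                         # one level of list only
        if isinstance(value, (list, tuple)) and i < len(value):
            return str(value[i])
        return f"<{ref}:undefined>"
    return _TOKEN.sub(sub, fmt)[:MAX_LEN]

# Constructed sample accept event; field values are illustrative only
SAMPLE_EVENT = {
    "command": "/bin/ls", "argv": ["ls", "-l", "/etc"],
    "date": "2024/01/15", "hour": "09", "minute": "30", "user": "alice",
    "submithost": "sub01", "runuser": "root", "runhost": "run01",
}
```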

When Endpoint Privilege Management is installed, if a previous pb.settings file exists without the customized syslog formatting settings specified, then Endpoint Privilege Management adds sample customized syslog formatting settings as comments. You can uncomment and remove the string SAMPLE, and then modify these sample settings.

For a list of event log variables, see the Endpoint Privilege Management for Unix and Linux Language Guide.

syslog_accept_format

  • Version 6.2 and earlier: syslog_accept_format setting not available.
  • Version 7.0 and later: syslog_accept_format setting available.

The syslog_accept_format setting defines the format of the record to be written to the syslog file for accept events.

syslog_accept_format "Endpoint Privilege Management for Unix and Linux Master accepted
%command% on %date% at %hour%:%minute%. The command was submitted by 
%user% on %submithost% and run by %runuser% on %runhost%"

Default

No default value

Used On

Policy server hosts

syslog_reject_format

  • Version 6.2 and earlier: syslog_reject_format setting not available.
  • Version 7.0 and later: syslog_reject_format setting available.

The syslog_reject_format setting defines the format of the record to be written to the syslog file for reject events.

syslog_reject_format "Endpoint Privilege Management for Unix and Linux Master reject %command% on %date% at %hour%:%minute%. The command was submitted by %user% on %submithost%"

Default

No default value

Used On

Policy server hosts

syslogsession_start_format

  • Version 6.2 and earlier: syslogsession_start_format setting not available.
  • Version 7.0 and later: syslogsession_start_format setting available.

The syslogsession_start_format setting defines the format of the record to be written to the syslog file for session start events.

syslogsession_start_format "Endpoint Privilege Management for Unix and Linux session started on
%date% at %hour%:%minute%. The session was started by %user%"

Default

No default value

Used On

Run hosts

syslogsession_start_fail_format

  • Version 6.2 and earlier: syslogsession_start_fail_format setting not available.
  • Version 7.0 and later: syslogsession_start_fail_format setting available.

The syslogsession_start_fail_format setting defines the format of the record to be written to the syslog file for session failed to start events.

syslogsession_start_fail_format "Endpoint Privilege Management for Unix and Linux session failed to start on %date% at %hour%:%minute%. User %user% attempted to start this session."

Default

No default value

Used On

Run hosts

syslogsession_finished_format

  • Version 6.2 and earlier: syslogsession_finished_format setting not available.
  • Version 7.0 and later: syslogsession_finished_format setting available.

The syslogsession_finished_format setting defines the format of the record to be written to the syslog file for session finished events.

syslogsession_finished_format "Endpoint Privilege Management for Unix and Linux session finished on %date% at %hour%:%minute%. The session was started by %user%"

Default

No default value

Used On

Run hosts

syslogsession_finished_format_logserver

  • Version 10.0.1 and later: syslogsession_finished_format_logserver setting available.

The syslogsession_finished_format_logserver setting defines the format of the record to be written to the syslog file for Finish events, from the log server.

syslogsession_finished_format_logserver "Task: '%runcommand%' finished at %exitdate% %exittime% as %runuser% on %runhost% with status %exitstatus%"

Default

No default value

Used On

Log servers