Session Logging in Endpoint Privilege Management for Unix and Linux

Session Logging

EPM-UL records the start of all commands and the finish of all commands not run in local mode. The session start and finish events can also be logged by using the following:

System wtmp or wtmpx files (recordunixptysessions)
Syslog system (syslogsessions)
PAM system (pamsessionservice)

recordunixptysessions

Version 3.5 and earlier: recordunixptysessions setting not available.
Version 4.0 and later: recordunixptysessions setting available.

The recordunixptysessions setting controls whether command start and finish events are logged to the run host utmp or utmpx files. When set to yes, the events are logged.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

recordunixptysessions no

Default

recordunixptysessions yes

Used on

Run hosts

If you are using pamsessionservice, then you might need to set recordunixptysystems to no to avoid duplicate entries in your utmp or utmpx files.

When the login shell is an Endpoint Privilege Management shell and I/O logging is on, an additional pty is created, which is logged in the run host’s utmp log. Note that the ut_host field is set to the run host value, not the remote host, because this pty originated on the run host.

syslogsessions

Version 4.0.0 and later: syslogsessions setting available.

The syslogsessions setting controls whether command start and finish events are logged to the run host syslog system. When set to yes, the events are logged.

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

syslogsessions yes

Default

syslogsessions no

Used on

Run hosts

If you are using pamsessionservice, then you might need to set syslogsessions to no to avoid duplicate syslog entries.