iologcloseaction

Description

iologcloseaction() is used to specify a program to be executed on the log server (or on the policy server, if there is no log server) when an iolog is closed.

This can be used, for example, to run scripts that send IOlog or ACA data to Splunk or other systems. When Endpoint Privilege Management for Unix and Linux is installed, an example Perl script, closeactionsplunk.pl, that sends ACA data from the IOlog to Splunk is installed in /opt/pbul/scripts.

Note that, unlike the iologcloseactionrunhost() procedure, this function does not allow you to specify runuser, runcwd, environment, timeout, or command line arguments.

IOLogs with a closeaction specified (or when Solr is used) are placed in a queue rather than acted upon immediately.

pbconfigd monitors the queue and launches pbreplay to handle both Solr and iologcloseaction activity.

Syntax

iologcloseaction( command );

Arguments

command

Required string specifying the /full/path/to/external/program.

The script or program is invoked as /path/to/external/program /path/to/iolog.log.

The program should exit 0 if successful, should exit 255 (or -1) to have Endpoint Privilege Management for Unix and Linux log that the script failed, and should exit 254 (-2) to have Endpoint Privilege Management for Unix and Linux requeue the item and pause the queue mechanism. This can be used, for example, to indicate that a destination host is not reachable and that further closeaction activity should not take place immediately.

Example

iologcloseaction("/opt/pbul/scripts/closeactionsplunk.pl");
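The following is an added example of a closeaction handler written for this page; it is not BeyondTrust's closeactionsplunk.pl. It shows the invocation contract and exit-code mapping described above: pbreplay passes the iolog path as the sole argument, and the script returns 0 on success, 255 for a failure that retrying cannot fix, and 254 when the destination is unavailable so the item is requeued and the queue pauses. The collector directory (COLLECTOR_DIR) is a hypothetical destination standing in for Splunk or another system.

```shell
#!/bin/sh
# Added example, not BeyondTrust's closeactionsplunk.pl: a minimal iologcloseaction
# handler. pbreplay invokes it as:  /path/to/this/script /path/to/iolog.log
# It copies the closed iolog to a collector directory (hypothetical path, set via
# COLLECTOR_DIR) and maps each outcome to the exit code EPM expects:
#   0   success
#   255 permanent failure: EPM logs that the script failed
#   254 transient failure: EPM requeues the iolog and pauses the queue
COLLECTOR_DIR="${COLLECTOR_DIR:-/var/tmp/iolog-collector}"

# Check the single argument pbreplay passes. Anything wrong here cannot be fixed
# by retrying, so it is a permanent failure (255), not a requeue.
validate_iolog() {
    [ $# -eq 1 ] || { echo "usage: $0 /path/to/iolog.log" >&2; return 255; }
    [ -f "$1" ] && [ -r "$1" ] || { echo "iolog not readable: $1" >&2; return 255; }
    return 0
}

# Forward the iolog. A missing or unwritable destination is treated as "not
# reachable": return 254 so the item is requeued and the queue pauses instead of
# failing every subsequent iolog in turn.
forward_iolog() {
    validate_iolog "$@" || return $?
    iolog="$1"
    if [ ! -d "$COLLECTOR_DIR" ] || [ ! -w "$COLLECTOR_DIR" ]; then
        echo "collector $COLLECTOR_DIR unavailable, requesting requeue" >&2
        return 254
    fi
    # Copy to a temporary name first so a partial file is never mistaken for a
    # complete iolog by whatever consumes the collector directory.
    target="$COLLECTOR_DIR/$(basename "$iolog")"
    cp "$iolog" "$target.part" || return 254
    mv "$target.part" "$target" || return 254
    return 0
}

# When run by pbreplay (one argument), act and exit with the mapped code.
if [ $# -gt 0 ]; then
    forward_iolog "$@"
    exit $?
fi
```

Because a 254 exit pauses the whole queue, reserve it for genuinely transient conditions; a malformed or unreadable iolog should exit 255 so one bad item does not stall delivery of every other iolog.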

For more information, please see the following: