Log Server for Sudo Manager

Sudo Manager uses one or more log servers to store and manage audit data centrally. Running dedicated central log servers that encrypt their data, kept separate from the hosts where privileged users do their daily work, helps protect the integrity of your audit trail: a user who gains root on a managed host cannot silently alter or delete the record of what they did. Sudo Manager hosts identify their log servers with the logservers keyword in the product settings file, /etc/pbsudo.settings.

After the Sudo Manager plugin processes a sudo command on the target host and reaches an accept or reject decision, it transmits the event log records over a secure connection directly to the log server, which writes them.

The event log files may be encrypted for added security.

When a Sudo Manager log server cannot be reached, sudo's own event logging mechanism is used instead. Events logged during such an outage are recorded on the target host rather than on the central log server, so monitor for unreachable log servers and collect those local records when a server is back.
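The following shell check is an added example and is not part of this guide or of the product. It reads the logservers keyword from a settings file and probes each listed host, so that an administrator can confirm that the hosts named in /etc/pbsudo.settings are actually reachable before relying on central logging. It assumes that the settings file uses the "keyword value value ..." line format with "#" starting a comment; the sample settings content, the hostnames and the TCP port passed to the reachability probe are all constructed placeholders, not values from the guide.

```shell
#!/usr/bin/env bash
# Added example, not BeyondTrust code. Assumes /etc/pbsudo.settings lines are
# "keyword value value ..." with '#' comments; verify against your own file.

# Print the hosts listed after the logservers keyword, one per line.
# Returns 1 if the file is unreadable, 2 if no logservers keyword is set.
pbsudo_logservers() {
    settings="${1:-/etc/pbsudo.settings}"
    [ -r "$settings" ] || { echo "cannot read $settings" >&2; return 1; }
    hosts=$(sed -e 's/#.*//' "$settings" \
        | awk '$1 == "logservers" { $1 = ""; line = $0 } END { print line }' \
        | tr -s ' \t' '\n' | sed '/^$/d')
    if [ -z "$hosts" ]; then
        echo "no logservers keyword in $settings" >&2
        return 2
    fi
    printf '%s\n' "$hosts"
}

# Probe a log server with a short TCP connect (bash /dev/tcp, 3 s timeout).
# The port is an assumption you must supply from your own deployment.
logserver_reachable() {
    host="$1"; port="$2"
    [ -n "$host" ] && [ -n "$port" ] || return 1
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Constructed sample settings file (placeholder hosts), parsed from a temp file.
demo_configured() {
    tmp=$(mktemp)
    printf '%s\n' \
        '# constructed sample of /etc/pbsudo.settings' \
        'logservers   logsrv1.example.com   logsrv2.example.com   # primary, secondary' \
        > "$tmp"
    pbsudo_logservers "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample with the keyword only in a comment: must report "not set".
demo_missing() {
    tmp=$(mktemp)
    printf '%s\n' '# no logservers keyword here' '# logservers old.example.com' > "$tmp"
    pbsudo_logservers "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# On a managed host, probe every configured server (PORT is your deployment's):
#   pbsudo_logservers | while read -r h; do
#       logserver_reachable "$h" "$PORT" && echo "$h ok" || echo "$h UNREACHABLE"
#   done
```

An unreachable host in that loop is the condition under which events fall back to sudo's own logging on the target host, so it is the check to run (and alert on) before assuming the central audit trail is complete.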

With the event logs stored on the Sudo Manager log server, you can take advantage of the reporting and analysis features that come with the product:

  • Integrate with Splunk.
  • Forward accept/reject events to BeyondInsight, if integrated, for additional log reporting and analysis tools.
  • Integrate with Elasticsearch/Logstash.

Install Log Server for Sudo Manager

The log server is installed with the pbinstall program.

When you run pbinstall, answer yes at the install menu prompt:

Install Log Host?

For more information, see the EPM-UL Installation Guide.