Audit
From the Audit page, you can access:
- Unified Search: Search for Endpoint Privilege Management for Unix and Linux (EPM-UL), Active Directory Bridge (AD Bridge), and BeyondInsight for Unix & Linux (BIUL) events
- PMUL Events: View and download EPM-UL event logs
- Console Audit: View activity within the EPM-UL console
- Session Replay: View, replay, and audit EPM-UL session replays
Note
- As of EPM-UL version 10.3, event log information is retrieved from databases. Earlier versions of EPM-UL write events to log files.
- EPM-UL 10.0 or later is required to view log contents in the console. For earlier versions, the log must be downloaded to be viewed.
Unified search
The unified search gathers event logs from EPM-UL, Active Directory Bridge (AD Bridge), and BIUL into one index. You can then search for EPM-UL, AD Bridge, and BIUL events simultaneously from a single search field.
Important
Currently, Elasticsearch is the only supported SIEM integration. Unified Search is only available if there is a configured and working connection to Elasticsearch.
To search:
- From the sidebar menu, select Audit > Unified Search.
- Enter a search query to display the list of events. Search options include:
- Fuzzy / partial matches: Default. Searching for tree, for example, returns results that contain tree and results that contain pinetree.
- Exact matches: Use double quotes. Searching for "sudo", for example, returns only results that contain the whole term sudo, not terms that merely contain it, such as visudo.
- Logical AND: Results must contain both values, as in sudo AND emacs.
- Logical OR: Results may contain either value, as in sudo OR emacs.
- Logical NOT: Results must not contain the value, as in sudo NOT visudo.
- Operator precedence: Use parentheses (brackets) to group terms, as in (sudo AND emacs) OR (sudo AND vi).
- Date and time options: Restrict the search to a time range, either by choosing one of the default ranges or by setting explicit begin and end times.
Note
When writing your query, you do not need to capitalize the logical operators (and, or, not).
- Click Search.
Note
You can also just click Search, without entering any criteria. Unified Search has default criteria that return all available events.
- To view the results, click the Endpoint Privilege Management for Unix and Linux, AD Bridge, or BeyondInsight for Unix & Linux button; each button toggles that event source on or off. The result count appears at the bottom right of the grid (as number of items). The page count and the page navigation icons are also at the bottom of the grid.
- For full event details, click on a row. The Event Details panel displays on the right.
Note
When you choose which event search columns to display in the grid, select the Session Replay option (see below). This way, when looking at the events list, you see an icon in the column that indicates that a recorded session exists. When you open the Event Details panel, you see the Session Replay button.
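As an added illustration (not BIUL code and not the product's own query engine), the following Python evaluator applies the query rules listed above to a few constructed event records, so the effect of each operator can be checked offline: substring match by default, double quotes for whole-term matches, case-insensitive AND/OR/NOT, and parentheses for grouping. The sample events and their field names are constructed for this example, and adjacent terms with no operator between them are treated as AND, which is an assumption the page does not state.

```python
"""Evaluator for the Unified Search query syntax described above.

Added example, not BIUL code. Applies the documented rules to constructed
event records; adjacent terms without an operator are ANDed (assumption)."""
import re

# Constructed sample events; fields and values are invented for this example.
SAMPLE_EVENTS = [
    {"source": "EPM-UL", "host": "web01", "user": "alice", "command": "sudo emacs /etc/hosts"},
    {"source": "EPM-UL", "host": "db02", "user": "bob", "command": "sudo visudo"},
    {"source": "AD Bridge", "host": "web01", "user": "carol", "command": "pinetree --verbose"},
    {"source": "BIUL", "host": "mgmt", "user": "dave", "command": "pbrun vi /etc/sudoers"},
]

# A token is a quoted phrase, a parenthesis, or a bare word.
TOKEN_RE = re.compile(r'"[^"]*"|\(|\)|[^\s()"]+')


def tokenize(query):
    """Split a query into quoted phrases, parentheses and bare terms."""
    return TOKEN_RE.findall(query)


class Parser:
    """Recursive-descent parser: OR binds loosest, then AND/NOT, then terms."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self):
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of query")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:  # e.g. a stray closing parenthesis
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        left = self.and_expr()
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            left = ("or", left, self.and_expr())
        return left

    def and_expr(self):
        left = self.term()
        while True:
            tok = self.peek()
            if tok is None or tok == ")" or tok.upper() == "OR":
                return left
            if tok.upper() == "AND":
                self.take()
                right = self.term()
            elif tok.upper() == "NOT":  # "a NOT b" means a AND (NOT b)
                self.take()
                right = ("not", self.term())
            else:  # implicit AND between adjacent terms (assumption)
                right = self.term()
            left = ("and", left, right)

    def term(self):
        tok = self.take()
        if tok.upper() == "NOT":
            return ("not", self.term())
        if tok == "(":
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok == ")" or tok.upper() in ("AND", "OR"):
            raise ValueError(f"operator {tok!r} has no left operand")
        if tok.startswith('"'):
            return ("exact", tok.strip('"').lower())
        return ("fuzzy", tok.lower())


def event_text(event):
    """Flatten an event to one lower-case string so every field is searched."""
    return " ".join(str(v) for v in event.values()).lower()


def matches(node, text):
    kind = node[0]
    if kind == "fuzzy":  # default partial match: tree matches pinetree
        return node[1] in text
    if kind == "exact":  # quoted: whole term only, so "sudo" does not match visudo
        return re.search(r"(?<!\w)" + re.escape(node[1]) + r"(?!\w)", text) is not None
    if kind == "not":
        return not matches(node[1], text)
    if kind == "and":
        return matches(node[1], text) and matches(node[2], text)
    return matches(node[1], text) or matches(node[2], text)


def search(query, events=SAMPLE_EVENTS):
    """Return the events matching the query; an empty query returns everything."""
    tokens = tokenize(query)
    if not tokens:
        return list(events)
    tree = Parser(tokens).parse()
    return [e for e in events if matches(tree, event_text(e))]


if __name__ == "__main__":
    for q in ["tree", '"sudo"', "sudo AND emacs", "sudo or emacs", "sudo NOT visudo",
              "(sudo AND emacs) or (sudo AND vi)", 'sudo AND "vi"']:
        print(f"{q:40} -> {[e['user'] for e in search(q)]}")
```

Running the block prints, for each query, which constructed users' events match. Note how the unquoted sudo also matches dave's /etc/sudoers and bob's visudo, while "sudo" in quotes does not; when a search is meant to find a specific command rather than any string containing it, quote the term.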
Replay sessions from the events details panel
Events that are associated with I/O logs provide links to the Session Replay player. To play the recording, in the Event Details panel, click the Session Replay button. Optionally, enter a Comment and set the Audit Status, and then click Save.
Choose event search columns to display
You can choose which columns to display in the grid.
To select which columns to display, at the top-right of the grid, click the Choose Columns to Display icon and select one or more columns to display.
The columns appear from left to right in the grid, in the order that you select them.
Download the results data
You can download the results data as a JSON or CSV file. To download a results file:
- After you perform a search, click the Endpoint Privilege Management for Unix and Linux, AD Bridge, or BeyondInsight for Unix & Linux results button. Click to toggle a selection on or off.
- At the right, click the Download icon, and then select JSON File or CSV File. The file is saved to your browser's download folder.
View EPM-UL events
- From the sidebar menu, select Audit > PMUL Events.
- Find the host name in the list. Use the Hostname, IP Address, and Tags filters to refine the list of results displayed.
- At the far right of the server entry row, click the arrow.
- On the Event Log page, click the Event Source dropdown menu and select the log you want to view.
- For full event details, click on a row. The Event Details panel is displayed on the right. Use the Filter event keys field to refine the list of event keys displayed.
- To close the Event Details panel, click the X icon.
View console audit activities
You can view user session information, such as user name, user ID, timestamp, user roles, and request URL.
- From the sidebar menu, select Audit > Console Audit.
- On the Console Audit page, use the filters to refine the list of user sessions displayed.
- At the far right of the session row, click the arrow.
- On the Session Details page, view more information, such as user name, user roles, HTTP method, and URL. Use the filters at the top of the columns to refine the list of results displayed.
- For full event details, click on a row. The Request Details panel is displayed on the right.
- To close the Request Details panel, click the X icon.
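Console audit data is most useful when it is reviewed for who changed what, and when, rather than browsed row by row. The following is an added example, not BIUL code and not an export format the product defines: it reads constructed console-audit records whose field names follow the columns listed above (user name, user ID, timestamp, user roles, HTTP method, URL), groups the mutating HTTP requests by user, and flags any change made by a user whose recorded roles do not include an assumed change role, or made outside an assumed review window. The JSON layout, the role names, the URL paths and the hours are all assumptions made for the example.

```python
"""Review of exported console-audit records.

Added example, not BIUL code. The records below are constructed: the field
names mirror the columns the Session Details page lists (user name, user ID,
timestamp, user roles, HTTP method, URL) but the JSON layout, role names,
URL paths and values are invented for this example."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample records, one JSON object per line.
SAMPLE_AUDIT = """\
{"user": "alice", "uid": 1001, "ts": "2024-05-01T09:12:03Z", "roles": ["Administrator"], "method": "GET", "url": "/policy/hosts"}
{"user": "alice", "uid": 1001, "ts": "2024-05-01T09:13:40Z", "roles": ["Administrator"], "method": "PUT", "url": "/policy/hosts/web01/roles/dba"}
{"user": "bob", "uid": 1002, "ts": "2024-05-01T22:47:11Z", "roles": ["Auditor"], "method": "GET", "url": "/audit/sessions"}
{"user": "bob", "uid": 1002, "ts": "2024-05-01T22:49:30Z", "roles": ["Auditor"], "method": "DELETE", "url": "/policy/hosts/db02/roles/backup"}
{"user": "carol", "uid": 1003, "ts": "2024-05-02T03:05:00Z", "roles": ["Administrator"], "method": "POST", "url": "/policy/hosts/web01/scripts"}
"""

MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CHANGE_ROLES = {"Administrator"}  # assumed name of the role expected to make changes
BUSINESS_HOURS = range(8, 18)     # assumed review window, 08:00-17:59 UTC


def parse_audit(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records):
    """Return (changes_by_user, findings).

    changes_by_user maps a user name to its mutating requests, oldest first.
    findings holds (reason, user, url) for each mutating request made by a
    user without a change role, or outside the review window."""
    changes = defaultdict(list)
    findings = []
    for r in sorted(records, key=lambda r: r["ts"]):
        method = r["method"].upper()
        if method not in MUTATING_METHODS:
            continue  # reads are not changes; ignore them here
        changes[r["user"]].append((r["ts"], method, r["url"]))
        if not CHANGE_ROLES & set(r["roles"]):
            findings.append(("change_without_change_role", r["user"], r["url"]))
        when = datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))
        if when.hour not in BUSINESS_HOURS:
            findings.append(("change_outside_hours", r["user"], r["url"]))
    return dict(changes), findings


if __name__ == "__main__":
    changes, findings = review(parse_audit(SAMPLE_AUDIT))
    for user, reqs in changes.items():
        print(f"{user}:")
        for ts, method, url in reqs:
            print(f"  {ts} {method:6} {url}")
    print("findings:")
    for reason, user, url in findings:
        print(f"  {reason}: {user} {url}")
```

In the constructed data, bob's DELETE is flagged twice (an Auditor making a change, at 22:49) and carol's POST once (an administrator, but at 03:05), while alice's change during the day raises nothing. Adjust the role set and window to match the roles and change process actually in use before relying on the findings.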
Replay sessions in BIUL
Using session replay, you can view and replay I/O logs. An I/O log captures the input and output of a recorded privileged session, so a replay shows anything the user typed or was shown during the session; treat access to replays, and the path the logs are written to, as sensitive.
Enable session recording in script policy mode
Note
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Important
To turn on session recording, Solr must have been installed using BeyondInsight for Unix & Linux and log servers must have been assigned to a Solr server.
To turn on session recording in script-based policy mode:
- From the sidebar menu, select Policy.
- In the Hostname list, select a server entry, and then at the far right, click the ellipsis menu icon and select EPM-UL Policy.
- Select a script policy file to edit. The file is displayed in an editor.
- Click the Session Replay Path button from the toolbar.
- Enter a Base Path for the log file.
- (Optional) In the Filename Options area, use the variables to build the path and file name the session is written to. Select from the suggested variables to add unique properties to the path or file name, so that each session is written to its own file.
- (Optional). In the Session Replay Options area, use the variables to generate a command history list in the replay viewer. Select from the following: Include Command History, Display Warnings, and Limit Size. If you create an Advanced Control and Audit (ACA) statement, you can add command history to the statement.
- Click the Insert Location option to add the session replay settings to the script policy file.
- Click Save in the editor to save the script policy file.
Enable session recording in role-based policy mode
Note
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
Important
To turn on session recording, Solr must have been installed using BeyondInsight for Unix & Linux and log servers must have been assigned to a Solr server.
To turn on session recording in role-based policy mode:
- From the sidebar menu, select Policy.
- In the Hostname list, select a server entry, and then at the far right, click the vertical ellipsis menu icon and select EPM-UL Policy.
- Click the Roles tile.
- On the Roles page, select a role entry, then at the far right, click the vertical ellipsis menu icon and select Edit Role.
- On the Edit Role page, select Session Replay.
- Enter a Base Path for the log file.
- (Optional) In the Path Options area, use the variables to build the path and file name the session is written to. Select from the suggested variables to add unique properties to the path or file name, so that each session is written to its own file.
- Click Save.
Play a recorded session
To play an I/O log session:
- From the sidebar menu, select Audit > Session Replay.
- Find the host name in the list. Use the Hostname, IP Address, and Tags filters to refine the list of results displayed.
- At the far right of the server entry row, click the arrow.
- On the Sessions page, logs indexed by BIUL are displayed. As necessary, use filters and Search to locate a log. Click on an entry to display activity and user feedback.
- Select the Playback icon to start the log player.
- On the Session Replay page, select one of the following modes:
- File: Displays the entire contents of the I/O log at once.
- Playback: Replays the I/O log in real time, as the events occurred, so an administrator can see what the user entered and what the session displayed.
- On the Session Replay page, you can play, pause, stop, set the speed of the session, zoom in and out, and use full screen.
- If ACA policy is enabled and configured, a command history is displayed, allowing you to jump to specific events in the I/O log. The command history shows whether ACA allowed or rejected each command.
- Optionally, enter a Comment and Audit Status on a log. For example, you can enter a comment or set a flag to provide warnings of a problem or to approve the content. Click Save.
View entitlement reports
EPM-UL hosts running version 10.1 and later in Role-based policy mode can take advantage of entitlement reports to discover who is able to do what, where, and when.
Turn on Entitlement reporting when you configure a role-based policy. Entitlement reporting can be enabled per policy or for all role-based policies.
To view Entitlement reports:
- Go to the Policy page.
- Find the host name in the list. Use the Hostname, IP Address, and Tags filters to refine the list of results displayed.
- At the far right of the server entry row, click the vertical ellipsis menu, and then select EPM-UL Policy.
- Click the View Entitlement Report tile.
- To change the report details displayed, use the Report Level, Run Host, Run User, Submit User, Submit Host, and Command filters. Report levels provide varying levels of detail, with higher numbers providing more details.