pbdbutil, pbadmin | EPM-UL
- Version 8.5.0 and earlier: pbdbutil not available.
- Version 9.0.0 and later: pbdbutil available.
Starting with version 9, EPM-UL uses database files for the storage of all the normal configuration files and scripts, plus data storage for a range of new facilities. The utility pbdbutil provides a command line tool to maintain all of these databases.
Due to the evolving nature of the pbdbutil command, the name changed to pbadmin. To assist in the transition a symbolic link called pbadmin is now automatically created for your convenience.
The command has global options that are used to carry out maintenance tasks on all databases, and more specific options that allow maintenance of specified databases. Each group of database options has its own usage/help.
Usage
pbdbutil [<options>] [ <file> <file> ...]
Global options
| -y | Use cached credentials for remote functionality. |
| -c <file(s)> | Perform database integrity check. |
| -K <newkeypath> <file(s)> | (Re)encrypt the database. |
| -O <oldkeypath> | Specify the old database key file. |
| -C | Output in CSV format instead of JSON. |
| -P | Pretty print JSON output. |
Authentication options
| --auth <options...> | Various authentication options. |
| -h | Help on authentication options. |
Info options
| --info <options...> | Various information options. |
| -h | Help on info options. |
License maintenance and statistics options
| --lic <options...> | License Maintenance and Statistics options. |
| -h | Help on License Maintenance and Statistics options. |
Setting/Configuration/Key options
| --cfg <options...> | Specify setting/config options. |
| -h | Help on Setting/Configuration options. |
Role based policy options
| --rbp <options...> | Role Based Policy options. |
| -h | Help on Role Based Policy options. |
Client registration profile options
| --reg <options...> | Client Registration options. |
| -h | Help on Client Registration options. |
Management event options
| --evt <options...> | Event options. |
| -h | Help on Management Event options. |
REST keystore options
| --rest <options...> | REST keystore options. |
| -h | Help on Management REST keystore options. |
Sudo policy database options
| --sudo <options...> | Sudo database options. |
| -h | Help on Management sudo database options. |
Registry name service database options
| --svc <options...> | Registry Name Service database options. |
Database synchronization options
| --dbsync <options...> | Database Synchronization options. |
Registry name service cache options
| --scache <options...> | Registry Name Service cache options. |
File integrity monitor options
| --fim <options...> | File integrity monitor options. |
Event log cache options
| --evtcache <options...> | Event Log Cache options. |
| -h | Help on Event Log Cache options. |
IO log cache options
| --iocache <options...> | IO Log Cache options. |
| -h | Help on IO Log Cache options. |
IO log queue options
| --iologidx <options...> | IO Log Queue options. |
| -h | Help on IO Log Queue options. |
Integrated product options
| --intprod <options...> | Integrated Product options. |
| -h | Help on Integrated Product options. |
Write queue status options
| --wqstatus <options...> | Write queue status options. |
| -h | Help on Write Queue Status options. |
Global options
| Command | Description |
|---|---|
| --check <file(s)...> | Do an integrity check on the specified files. If the database(s) are encrypted, it attempts to read the file using the database key specified in the pb.settings file. |
| <-c|--csv> | By default, all output messages and data are in JSON format. This option specifies output in Comma Separated Values. |
| <-p|--pretty> | When outputting data in JSON, pretty prints the data in a more human-readable form. |
| <-K|--newkeypath> [<-O|--oldkeypath>] [<file(s)...>] | Reencrypt database file(s) using the specified new key. If the old key path is not supplied, it attempts to open the database file with the key specified in pb.settings file. |
Setting/Configuration options
These options provide methods to import, maintain and export the settings, configuration and key files that were traditionally kept in files in EPM-UL. These files can now be imported into a database, which provides versioning and change management, along with methods to retrieve, update, and save settings and configuration across the enterprise in a secure manner using the EPM-UL REST services.
These options need to be specified after the --cfg option.
Usage
pbdbutil --cfg [<options>] [ <file> <file> ...]
| Command/Option | Description |
|---|---|
| --reinit | Reinit/upgrade the database. |
| -u <setting> <arg>[ <argN>] | Set the specified setting in the current settings file. |
| -o <file> | Set the specified setting in the specified settings file. |
| -u '{"<setting>":"<val>",...}' | Set the specified setting using JSON format. |
| --verify [<file>] | Verify the current or specified settings file. |
| --verify '{"<setting>":"<val>",...}' | Verify the specified settings using JSON format. |
| -g <setting> | Get the specified setting from the current settings file. |
| -o <file> | Get the specified setting from the specified settings file. |
| --value | Display the value of the variable only. |
| --default | Display the default value of the variable only (not the value in pb.settings, but the default when not defined or commented out). |
| -g '["<setting1>",["<settingN>"]]' | Get the specified setting(s) using JSON format. |
| -d <setting> | Delete the specified setting in the current settings file. |
| -o <file> | Delete the specified setting in the specified settings file. |
| -d '["<setting1>",["<settingN>"]]' | Delete the specified setting(s) using JSON format. |
| -i [<file(s)>] | Import/update all or specified .cfg file(s) in the database. |
| -m <msg> | Specify message. Required when change management enabled. |
| -N | Do not rename file on import. |
| -e [<file(s)>] | Export all or specified .cfg file(s) in the database. |
| -e -o <outfile> <file> | Export .cfg file from database and output to new file name. |
| --force | Force the overwrite of the output file when exporting. |
| --lock | Lock/checkout the exported file in the database when exporting. |
| -V <ver|tag> | Used with export .cfg file, but export given version or tag. |
| -D [<file(s)>] | Diff all/specified file(s) with current exported file(s). |
| -V <from:to> | Specify from/to versions to diff. |
| -V <ver|tag> | Specify version or tag to diff. |
| -r <file(s)> | Mark specified .cfg file(s) deleted in the database. |
| -l | List active .cfg files in the database. |
| -l | List all .cfg files in the database. |
| -l | List .cfg files and their current versions in the database. |
| -s <[-+]attribute> | Sort the list of records by attribute (asc/desc). |
| -l <file(s)> | List version information of .cfg file(s) in the database. |
| -t <tag> [<file(s)>] | Tag .cfg file(s) in the database at current version. |
| -x <tag> [<file(s)>] | Delete tag from .cfg file(s) in the database. |
| -k <encryption> <file(s)> | Encrypt .cfg file(s) in the database. |
| -n [--force] <file(s)> | Create new key file(s) in the database. |
| -K <file(s)> | Lock .cfg files in the database. |
| -U | Force unlock of locked cfg files in the database. |
| -A <file> <svcgname> <...> | Set file as being automatically synchronized within Service Group. |
| -X <file> <svcgname> <...> | Unset file as being automatically synchronized within Service Group. |
| -L | List synchronization configuration for cfg files in the database. |
| -u <setting> <arg>[ <argN>] | Set the setting in the current settings file. |
Descriptions
| <-i|--import> <-m|--msg> <message> [<file(s)...>] | Import specified settings, configuration or key files into the /etc/pb.db database. If Change Management is enabled, a message must be supplied to log in the audit event database. If no files are specified on the command line, all files that already exist in the database are checked and imported if required. |
| <-e|--export> [-f] [<file(s)...>] <-e|--export> [-f] <-V|--version> <num|tag> [<file(s)...>] <-e|--export> [-f] <-o|--output> <outfile> <file> <-e|--export> [-f] <-V|--version> <num|tag> <-o|--output> <outfile> <file> | Export specified settings, configuration or key file(s) from the /etc/pb.db database. If no files are specified on the command line, all files that exist in the database are exported. Specific versions or tagged groups of files can be exported. If the output file(s) already exist the -f parameter must be applied to force the overwrite of the existing file. |
| <-l|--list> | List all the current files held in the /etc/pb.db database. |
| <-l|--list> [-j] [<file(s)...>] | List all the versions of specified files held in the /etc/pb.db database. By default this is displayed in .csv, but can be displayed in JSON using the -j option. |
| <-t|--tag> <tag text> [<file(s)...>] | Specify a tag for current versions of files that exist in the /etc/pb.db database. These files can then be exported as a tagged group to facilitate change sets of files. If file names are not specified, all current versions are added to the tagged group. |
| <-d|--deltag> <tag text> [<file(s)...>] | Remove the tag from files specified. If file names are not specified, the tag is removed from all files that exist in the /etc/pb.db database. |
| <-k|--encrypt> <algorithm> [<file(s)...>] | Encrypt existing setting/configuration files in the /etc/pb.db database. |
| <-n|--newkey> [<file(s)...>] | Create a new key file in the /etc/pb.db database. |
License management options
These options are not available on EPM-L clients.
As of version 10.0, License Management is centralized and can be carried out on the primary license server using the command pbadmin.
This command line administration tool provides methods to update the license string, to list summary statistics and to retire clients to free up licenses.
All of the commands that list statistics can be run from any server that provides a service. All commands that update the database, such as updating the license itself or retiring clients, should be run on the primary license server:
Example
pbadmin --lic -u '{ "PBULPolClnts":200, "SudoPolClnts":200, "RBPClnts":200, "ACAClnts":1, "AKAClnts":0, "FIMClnts":0, "SOLRClnts":1, "Owner":"My Company Corp", "Comment":"Standard License for My Company", "AutoRetire":7, "Recycle":7, "Expires":"2018-03-01 00:00:00", "Terminates":"2019-03-01 00:00:00", "HostId":"7faf7681-4d42-4b69-00bfdad93b4a3dfb", "HMAC":"UtGE3tD6qK2UwutY3GFOqodjdq30pEDAW2cKb5/OaMc="}'
This command updates the installation with the license string provided by BeyondTrust to a standard license.
Usage
pbadmin --lic [<options>] ...
| -u '{ param }' | Update primary license server license where the { param } argument is the supplied JSON formatted license. |
| -u <path> | Update primary license server license where <path> is the path to a file that contains the supplied JSON formatted license. |
| -G | Retrieve the license string and attributes. |
| -l [<wildcard>] [-l] | List client license usage summary. Supply an extra -l to detail service information. |
| -l '{ … ["fqdn" : "<wildcard>",] | Alternatively specify a filter expression to list only those clients that match the filter. |
| -s <[-|+]attribute> | Use -s to sort the list of records by attribute name (asc/desc). |
| -L [<service>] [-L] | List client Service License Usage summary. Specify an extra -L to detail client information. |
| -r {"uuid" : "<uuid|wildcard>"} -r {"uuid" : ["<uuid|wildcard>", "uuid", ...]} -r {"fqdn" : "<fqdn|wildcard>"} -r {"fqdn" : ["<fqdn|wildcard>", "fqdn", ...]} --force | Retire client(s) by UUID or FQDN. Use --force to over-ride warning message. |
| -R | Immediately refresh the license statistics from the primary license server. |
| --wq <file> | The license write queue file includes the following records:
|
Sample commands
| pbadmin --lic -G | Retrieves the full license string, detailing the entitlements and expiry of the license. |
| pbadmin --lic -l | Lists all of the clients that are currently licensed throughout the installation. |
| pbadmin --lic -L | Lists the summary statistics referenced by the EPM-UL service type. |
| pbadmin --lic -l '{"retired": true}' | Lists all of the clients that are currently manually retired. |
| pbadmin --lic -l '{"fqdn" : "*.mydom.com"}' | Lists all of the clients that have been licensed and are in the mydom.com domain. |
| pbadmin --lic -l '{"updated_older" : "2018-01-01"}' | Lists all of the clients that were last updated before the 1st of January 2018. |
| pbadmin --lic -l '{"updated_older" : { "months" : 6 }}' | Lists all of the clients that were last updated 6 months or more ago. |
| pbadmin --lic -r '{"uuid" : "7faf7681-4d42-4b69-00bfdad93b4a3dfc"}' --force | Manually retires a client specified by its unique id. |
| pbadmin --lic -r '{"updated_older" : { "days" : 120 }}' --force | Manually retires all clients that have not been updated in the last 120 days. |
Authentication credential cache options
These options allow users of pbdbutil to cache credentials to facilitate working with remote services.
Usage
pbdbutil --auth [<options>] [ <file> <file> ...]
Auth options
| --login {"appid":"<appid>","appkey":"<appkey>"[,"svc":"<svc>"]} | Cache specified appid/appkey credential for authentication. |
| --logout [{"key":"<key>"[,"svc":"<svc>"]}] | Remove default or specified credential key from cache. |
| -l | List cached credentials. |
| -h | Help on auth options. |
Information options
These options provide various information about the current system configuration or status.
Usage
pbdbutil --info [<options>]
Info options
| Option | Description |
|---|---|
| --fqdn [<hostname>] | Get fully qualified name for this host or hostname. |
| --sched | List Scheduler tasks. |
| --uuid | Get the local host’s UUID. |
| --msgs [--level=<number>] | Retrieve the Message Router statistics. Set --level=2 to include additional debugging information: head and tail of the chunks, record count, semaphore count. |
| --timewrites <0|1> | Log the time required to write the event to configured destinations. Results appear in pbrest.log. Set to 1 to enable debugging; set to 0 to disable. Use only briefly, as log entries accumulate quickly. |
| --restsvr | Retrieve the REST Service statistics. |
| -h | Help on info options. |
Role based policy options
These options are not available on EPM-L clients.
The Role Based Policy is held in multiple tables. Each table refers to an individual entity with attributes, and is referenced by unique entity ids. Each entity is then linked together into a role. When retrieving, updating, or deleting entities, either the name or id can be used. The command line utility pbdbutil with the option --rbp can be used to retrieve (-g), update (-u), or delete (-d) entities.
When updating, the complete entity, including all of its attributes, needs to be defined. The REST API uses the same JSON format and parameters, and uses GET, PUT and DELETE respectively. There are also a number of pseudo-attributes that allow the retrieval of lists based upon the parent grouping. These are:
- usergrpname: list User Lists which correspond to the specified User Group
- hostgrpname: list Host Lists which correspond to the specified Host Group
- cmdgrpname: list Command Lists which correspond to the specified Command Group
- tmdategrpname: list Time/Date Lists which correspond to the specified Time/Date Group
- rolename: list all lists which correspond to the specified Role Group
Usage
pbdbutil --rbp [<options>] [ <file> <file> ...]
| -b -m <msg> | Begin Role Based Policy change transaction |
| -c | Commit Role Based Policy change transaction |
| -r | Rollback Role Based Policy change transaction |
| --force -m <msg> | Force Rollback of other users change transaction |
| -i <file> | Import Role Based Policy file in the database |
| -e -o <outfile> | Export Role Based Policy from database and output to file |
| -V <ver> | Used with export, but export specified version |
| -g { json param } | Get Role Based Policy database records |
| -u { json param } | Update Role Based Policy database records |
| -m <msg> | Specify message - required when change management enabled. |
| -d { json param } | Delete Role Based Policy database records |
| --force | Force deletion of dependent records in the database |
| -m <msg> | Specify message - required when change management enabled. |
| -n | Create new Role Based Policy database |
| -R { json param } | Report user entitlements from the database |
| -R | Add option to display commands |
| -R | Add option to display time/date restrictions |
| -R | Add option to display additional role options |
| -E { json param } | List user entitlements data from the database where { json param } is one or more of: "submituser" : "user1" Specify submit user or wildcard "submithost" : "host1" Specify submit host or wildcard "runuser" : "user1" Specify run user or wildcard "runhost" : "host1" Specify run host or wildcard "command" : "command" Specify command or wildcard |
| -L | List all Role Based Policy policies in the database |
| -t <tag> | Limit list by tag wildcard |
| -l | List all Role Based Policy versions in the database |
Example
Sample use of pbdbutil --rbp when rbptransactions is set to yes.
pbdbutil --rbp -b -m "<message>"
pbdbutil --rbp -i <file>
pbdbutil --rbp -c
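The begin/import/commit sequence above can be wrapped so that a failed import or commit triggers the -r rollback from the usage table instead of leaving the transaction open. This is an added example, not BeyondTrust code; it assumes pbdbutil is on PATH and exits non-zero when a step fails, and the names rbp_import and RbpTransactionError are hypothetical.

```python
import subprocess

PBDBUTIL = "pbdbutil"  # assumption: the binary is on PATH for the admin account


class RbpTransactionError(RuntimeError):
    """A pbdbutil --rbp step returned a non-zero exit status."""


def rbp_import(policy_file, message, run=subprocess.run):
    """Import policy_file inside an RBP change transaction.

    Runs -b -m <message>, -i <file>, -c in order and issues -r if the
    import or the commit fails. `run` is injectable so the sequence can
    be exercised without the product installed.
    Assumption: pbdbutil signals failure through its exit status.
    Returns the argument vectors that were executed.
    """
    if not message or not message.strip():
        # -b takes the change-management message; refuse an empty one.
        raise ValueError("a change-management message is required")
    executed = []

    def step(*args):
        # Arguments are passed as a list, never through a shell, so the
        # message and file name cannot be reinterpreted as extra options
        # or shell syntax.
        argv = [PBDBUTIL, "--rbp", *args]
        executed.append(argv)
        result = run(argv, capture_output=True, text=True)
        if result.returncode != 0:
            detail = (result.stderr or "").strip()
            raise RbpTransactionError(f"pbdbutil --rbp {args[0]} failed: {detail}")

    step("-b", "-m", message)  # nothing to roll back if begin itself fails
    try:
        step("-i", policy_file)
        step("-c")
    except RbpTransactionError as failure:
        try:
            step("-r")  # discard the uncommitted changes
        except RbpTransactionError as rollback_failure:
            raise RbpTransactionError(
                f"{failure}; rollback also failed, transaction may still be open"
            ) from rollback_failure
        raise
    return executed


if __name__ == "__main__":
    # Dry run with a stub runner (constructed): prints the commands only.
    class _Ok:
        returncode, stderr = 0, ""

    def _echo(argv, **_kwargs):
        print(" ".join(argv))
        return _Ok()

    rbp_import("/tmp/rbp_policy.json", "CHG-0000 example import", run=_echo)
```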
Example
List all of the User Groups whose name matches ug*
pbdbutil --rbp -g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"ug1":"name","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
Example
List the User Group whose id=1
pbdbutil --rbp -g '{ "usergrp" : { "id" : "1" }}'
[{"id":1,"ug1":"name","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
Record entities
usergrp, userlist, hostgrp, hostlist, cmdgrp, cmdlist, tmdategrp, tmdatelist, role, roleusers, rolehosts, rolecmds, roletmdates
Entities can be listed by attributes name and id, and entity specific attribute names rolename, usergrpname, hostgrpname, cmdgrpname, tmdategrpname.
Example
-g '{ "role" : { "name" : "*" }}' Display all Roles
-g '{ "usergrp" : { "name" : "n*" }}' Display all User Groups which match "n*"
-g '{ "userlist" : { "name" : "usergrp1" }}' Display group membership for usergrp by name
-g '{ "roleusers" : { "rolename" : "role1" }}' Display list of usergrps assigned to role
-g '{ "rolehosts" : { "id" : 1 }}' Display list of hostgrps assigned to role id 1
Descriptions
| -b | This option is mandatory if the Role Based Policy transactions are enabled. Role Based Policy transactions are enabled when rbptransactions is set to yes. Before any changes can be made the administrator must begin the transaction with a suitable Change Management message. This transaction is then kept open until the same user commits or rolls back the transaction. The transaction is not visible by the live authorization process until it is committed. Available if the Role Based Policy Transactions are enabled. |
| -c | Commit the current open transaction making it live. |
| -r [ --force ] | Rollback the current open transaction, discarding any changes that have been made. Available if the Role Based Policy Transactions are enabled. |
| -i <file> | Import Role Based Policy file in the database. |
| -e -o <outfile> [-V <ver>] | Export Role Based Policy from database and output to file. |
| -g { json param } | Retrieve and display attributes of the entities within the Role Based Policy database. |
| -u { json param } | Update entities and attributes within the Role Based Policy database. |
| -d { json param } | Delete entities within the Role Based Policy database. |
| -n | Create a new Role Based Policy database, as specified by the policydb keyword in the EPM-UL /etc/pb.settings configuration file. |
| -R { json param } | Report user entitlements from the database. |
| -R | Add option to display commands. |
| -R | Add option to display time/date restrictions. |
| -R | Add option to display additional role options. |
| -E { json param } | List user entitlements data from the database where { json param } is one or more of: "submituser" : "user1" Specify submit user or wildcard "submithost" : "host1" Specify submit host or wildcard "runuser" : "user1" Specify run user or wildcard "runhost" : "host1" Specify run host or wildcard "command" : "command" Specify command or wildcard |
| -L | List all Role Based Policy policies in the database |
| -l | List all Role Based Policy versions in the database |
User group examples
Retrieve list of User Groups that match ug*
-g '{ "usergrp" : { "name" : "ug*" }}'
[{"id":1,"ug1":"name","description":"desc","disabled":0,"single":0,"type":"I","extinfo":null}]
Retrieve list of Users in the User Group ug1
-g '{ "userlist" : { "usergrpname" : "ug1" }}'
[{"id":1,"user":"root"},{"id":1,"user":"adm*"}]
Update User Group ug1 with new attributes
-u '{ "usergrp" : { "id":1,"name":"ug1","description":"new description","disabled":0,"single":0,"type":"I","extinfo":null}}'
Add new user to User Group ug1
-u '{ "userlist" : { "usergrpname":"ug1","user":"wheel"}}'
Delete all users from User Group ug1
-d '{ "userlist" : { "usergrpname":"ug1"}}'
Delete specified user from User Group ug1
-d '{ "userlist" : { "usergrpname":"ug1", "user" : "user1"}}'
Host group examples
Retrieve list of Host Groups that match hg*
-g '{ "hostgrp" : { "name" : "hg*" }}'
[{"id":1,"hg1":"name","description":"desc","disabled":0,"type":"I","extinfo":null}]
Retrieve list of Hosts in the Host Group hg1
-g '{ "hostlist" : { "hostgrpname" : "hg1" }}'
[{"id":1,"host":"host2"},{"id":1,"host":"*.dev.com"}]
Update Host Group hg1 with new attributes
-u '{ "hostgrp" : { "id":1,"name":"hg1","description":"new description","disabled":0,"type":"I","extinfo":null}}'
Add new host to Host Group hg1
-u '{ "hostlist" : { "hostgrpname":"hg1","host":"host5"}}'
Delete all hosts from Host Group hg1
-d '{ "hostlist" : { "hostgrpname":"hg1"}}'
Delete specified host from Host Group hg1
-d '{ "hostlist" : { "hostgrpname":"hg1", "host" : "host1"}}'
Command examples
Retrieve list of Command Groups that match cg*
-g '{ "cmdgrp" : { "name" : "cg*" }}'
[{"id":1,"cg1":"name","description":"desc","disabled":0}]
Retrieve list of Commands in the Command Group cg1
-g '{ "cmdlist" : { "cmdgrpname" : "cg1" }}'
[{"id":1,"cmd":"rm *","rewrite":"echo $*"},{"id":1,"cmd":"/usr/bin/rm *","rewrite":"echo $*"}]
Update Command Group cg1 with new attributes
-u '{ "cmdgrp" : { "id":1,"name":"cg1","description":"new description","disabled":0}}'
Add new command to Command Group cg1
-u '{ "cmdlist" : { "cmdgrpname":"cg1","cmd":"/bin/rm *","rewrite":"echo $*"}}'
Delete all commands from Command Group cg1
-d '{ "cmdlist" : { "cmdgrpname":"cg1"}}'
Delete specified cmd from Command Group cg1
-d '{ "cmdlist" : { "cmdgrpname":"cg1", "cmd" : "rm *"}}'
Time/Date examples
Retrieve list of Time/Date Groups that match td*
-g '{ "tmdategrp" : { "name" : "td*" }}'
[{"id":1,"td1":"name","description":"desc","disabled":0}]
Retrieve list of Time/Dates in the Time/Date Group td1
-g '{ "tmdatelist" : { "tmdategrpname" : "td1" }}'
[{"id":1,"tmdate" : "{
"mon" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
"tue" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
"wed" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
"thu" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
"fri" : [0,0,0,0,0,0,0,15,15,15,15,15,15,15,15,15,15,15,3,0,0,0,0,0,0],
"sat" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],
"sun" : [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] }"}]
Update Time/Date Group td1 with new attributes
-u '{ "tmdategrp" : { "id":1,"name":"td1","description":"new description","disabled":0}}'
Add new time/date to Time/Date Group td1
-u '{ "tmdatelist" : { "tmdategrpname":"td1","tmdate":"{ "range" : { "from" : 1415851283, "to": 1415887283 }}"}}'
Delete all times/dates from Time/Date Group td1
-d '{ "tmdatelist" : { "tmdategrpname":"td1"}}'
Delete specified time/date from Time/Date Group td1
-d '{ "tmdatelist" : { "tmdategrpname":"td1", "tmdate" : "{ "range" : { "from" : 1415851283, "to": 1415887283 }}"}}'
Role examples
Retrieve list of Roles that match Role*
-g '{ "role" : { "name" : "Role*" }}'
[{"id" : 0, "name" : "Role5", "rorder" : 3, "description" : "Desc3",
"disabled" : 0, "risk" : 1, "action" : "A", "iolog" : "/tmp/iolog_XXXXXX",
"script" : "accept;"}, {"id" : 1, "name" : "Role6", "rorder" : 2,
"description" : "Desc3", "disabled" : 0, "risk" : 1, "action" : "A",
"iolog" : "/tmp/iolog_XXXXXX", "script" : null}, {"id" : 2, "name" :
"Role7", "rorder" : 1, "description" : "Desc3", "disabled" : 0, "risk" : 1,
"action" : "A", "iolog" : "/tmp/iolog_XXXXXX", "script" : null}]
Retrieve list of User Groups listed in the role Role6
-g '{ "roleusers" : { "name" : "Role6" }}'
[{"id":1,"users":1,"type":"R"},{"id":1,"users":1,"type":"S"}]
Update role Role5 with new attributes
-u '{ "role" :
{"id":0,"name":"Role5","rorder":3,"description":"Description 4","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":"accept;"},
{"id":1,"name":"Role6","rorder":2,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null},
{"id":2,"name":"Role7","rorder":1,"description":"Desc3","disabled":0,"risk":1,"action":"A","iolog":"/tmp/iolog_XXXXXX","script":null}'
Add new Submit Host, hostgrp2, to role Role5
-u '{ "rolehosts" : { "name" : "Role5", "hostgrpname" : "hostgrp2" , "type" : "S"}}'
Delete all User Groups from role Role5
-d '{ "roleusers" : { "name":"Role5"}}'
Delete specified User Group from role Role5
-d '{ "roleusers" : { "name" : "Role5", "usergrpname":"ug1"}}'
For more information on the -b setting in the Endpoint Privilege Management /etc/pb.settings configuration file, see Role Based Policy.
Client registration options
These options are not applicable to EPM-L.
These options provide methods to create, maintain, export, and import role-based policies into EPM-UL, used with the --rbp option.
Usage
pbdbutil --reg [<options>] [ <file> <file> ...]
| -g {json param} | Get Client Registration profile records. |
| -u {json param} | Update Client Registration profile records. |
| -d {json param} | Delete Client Registration profile records. |
| -n | Create new Client Registration profile database. |
| -l | List all Client Registration profiles in the database. |
Client registration database options
These options provide methods to define and maintain Client Registration profiles, used to simplify the registration of hosts within the Endpoint Privilege Management enterprise.
"<-g|--get>" "{ param }"
Example
Retrieve Client Registration profile using the specified name:
-g '{ "name" : "default" }'
{"type":"settings","fname":"/etc/pb.settings"}
{"type":"certificate","to":"/etc/${prefix}pbrest.pem${suffix}"}
{"type":"save","sname":"networkencryption"}
{"type":"save","sname":"restkeyencryption"}
{"type":"save","sname":"sslservercertfile"}
{"type":"save","sname":"sslserverkeyfile"}
"<-u|--update>" "{ param }"
Examples
Update the specified Client Registration profile:
-u '{ "name" : "prof1", [{"type":"settings",
"fname":"/etc/pb.mysettings"},
{"type":"save","sname":"networkencryption"} ]'
"<-d|--delete>" "{ param }"
Example
Delete the specified Client Registration profile:
-d '{ "name" : "prof1" }'
<-l|--list>
List all the Client Registration profiles.
<-n|--new>
Create and initialize the Client Registration database.
RNS options
These options allow the maintenance and interrogation of the Registry Name Services.
Usage
pbdbutil --svc [<options>] [ <file> <file> ...]
| -u '{ "svcgname" : "name", params... }' | Create/Update Registry Name Service Group. |
| -u '{ "cn" : "hname", params... }' | Create/Update Registry Name Service Host. |
| -u '{ "cn" : "hname", "uuid" : "", params... }' | Create/Update external Host in Registry Name Service. |
| [--bycn hname] | Specify existing common name to update (change to the cn and uuid specified in -u, optional) |
| -u '{ "svcgname" : "name", "cn" : "hname", params... }' | Add/Update Registry Name Service Host to Service Group. |
| -g '{ "svcgname" : "name" }' | Retrieve Registry Name Service Group information. |
| -g '{ "primary" : "name" }' | Lookup the Primary Server within the Registry Name Service Group. |
| -g '{ "cn" : "name" }' | Retrieve Registry Name Service Host information by host common name. |
| -g '{ "uuid" : "name" }' | Retrieve Registry Name Service Host information by uuid. |
| -d '{ "svcgname" : "name" }' | Delete Registry Name Service Group. |
| -d '{ "svcgname" : "name", "cn" : "name" }' | Remove a host from Registry Name Service Group. ℹ️ After deleting a server from registry name service group (registry_name_service), execute the following command to force a service cache update on all servers and clients. # pbadmin --scache -R --all |
| -d '{ "cn" : "name" }' | Delete Registry Name Service Host by host common name. |
| [--remove] | Remove the Registry Name Service Host completely from the database (optional). |
| -z <oldgrp> <newgrp> | Rename Registry Name Service Group. |
| -l [<wildcard(s)>] | List all the Registry Name Service Groups that match wildcard(s). |
| -l | Add an extra -l to list Servers in the Registry Name Service Group(s). |
| -l | Add a third -l to list all hosts in the Registry Name Service Groups. |
| -L [<wildcard(s)>] | List all the Hosts that match wildcard(s). |
| -L | Add an extra -L to list Service Group membership and role. |
| -p <svcgrp> <host> | Promote host to primary service within the specified Registry Name Service Group. ℹ️ After promoting a server in registry name service group (registry_name_service), execute the following command to force a service cache update on all servers and clients. # pbadmin --scache -R --all |
| -N [<cn> [<port>]] | Create and initialize Primary Registry Name Service database. |
| -n | Create new Registry Name Service database. |
| -m <msg> | Specify message. Required for modification commands when change management enabled. |
Example
Recreate the Registry Name Service Database
pbdbutil --svc -N --force
Example
List Service Groups from Registry Name Service Database
pbdbutil -P --svc -l
Result:
{
"svcgid": 1,
"svcgname": "registry_name_svc",
"svc": "registry",
"updated": "2016-06-09 15:42:33",
"deleted": 0
}
{
"svcgid": 2,
"svcgname": "dfl_pb_policy_svc",
"svc": "pbpolicy",
"updated": "2016-06-09 15:42:33",
"deleted": 0
}
{
"svcgid": 3,
"svcgname": "dfl_log_svc",
"svc": "logsvr",
"updated": "2016-06-09 15:42:33",
"deleted": 0
}
{
"svcgid": 4,
"svcgname": "dfl_sudo_policy_svc",
"svc": "sudopolicy",
"updated": "2016-06-09 15:42:33",
"deleted": 0
}
Example
List primary and secondary servers within the Service Groups
pbdbutil -P --svc -l -l
Result:
{
"svcgid": 1,
"svcgname": "registry_name_svc",
"svc": "registry",
"updated": "2016-06-14 10:43:14",
"deleted": 0,
"svcs": [
{
"svcgid": 1,
"hostid": 1,
"role": "primary",
"created": "2016-06-14 10:43:14",
"updated": "2016-06-14 09:43:14",
"deleted": 0,
"cn": "pbuild",
"uuid": "969ecab2-93d8-4322-a8cf-6314457053bb",
"fqdn": "pbuild",
"addrs": [
{
"family": 4,
"port": 24351,
"addr": "192.168.16.138"
}
],
"tnlzone": 0
}
]
}
{
"svcgid": 2,
"svcgname": "dfl_pb_policy_svc",
"svc": "pbpolicy",
"updated": "2016-06-14 10:43:14",
"deleted": 0
}
{
"svcgid": 3,
"svcgname": "dfl_log_svc",
"svc": "logsvr",
"updated": "2016-06-14 10:43:14",
"deleted": 0
}
{
"svcgid": 4,
"svcgname": "dfl_sudo_policy_svc",
"svc": "sudopolicy",
"updated": "2016-06-14 10:43:14",
"deleted": 0
}
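The result above is a run of JSON objects printed back to back rather than one JSON array, so a plain json.loads on the whole output fails. The following added example (not part of the vendor documentation) walks such a stream and builds a per-group server inventory; the sample input is constructed in the shape of the output shown above, and the function names and the "exactly one primary" check are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of the `pbdbutil -P --svc -l -l` result
# shown above: several JSON objects back to back, not wrapped in an array.
SAMPLE = """
{
  "svcgid": 1, "svcgname": "registry_name_svc", "svc": "registry",
  "updated": "2016-06-14 10:43:14", "deleted": 0,
  "svcs": [
    {"svcgid": 1, "hostid": 1, "role": "primary", "deleted": 0,
     "cn": "pbuild", "fqdn": "pbuild",
     "addrs": [{"family": 4, "port": 24351, "addr": "192.168.16.138"}],
     "tnlzone": 0}
  ]
}
{"svcgid": 2, "svcgname": "dfl_pb_policy_svc", "svc": "pbpolicy", "deleted": 0}
{"svcgid": 3, "svcgname": "dfl_log_svc", "svc": "logsvr", "deleted": 0}
{"svcgid": 4, "svcgname": "dfl_sudo_policy_svc", "svc": "sudopolicy", "deleted": 0}
"""


def iter_json_objects(text):
    """Yield each top-level JSON value from a stream of concatenated objects.

    Raises json.JSONDecodeError on malformed or truncated output, which is
    the desired behaviour for an audit script: fail rather than guess.
    """
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        if text[pos].isspace():
            pos += 1
            continue
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def service_group_inventory(text):
    """Map each active service group to its servers, grouped by role."""
    inventory = {}
    for group in iter_json_objects(text):
        if group.get("deleted"):
            continue
        roles = {}
        for server in group.get("svcs", []):
            if server.get("deleted"):
                continue
            endpoints = [f'{a["addr"]}:{a["port"]}' for a in server.get("addrs", [])]
            roles.setdefault(server.get("role", "unknown"), []).append(
                {"cn": server["cn"], "endpoints": endpoints}
            )
        inventory[group["svcgname"]] = {"svc": group["svc"], "roles": roles}
    return inventory


def groups_without_single_primary(inventory):
    """Return group names that do not list exactly one primary server.

    Assumption: a configured group is expected to have one primary; groups
    with no servers yet (as on a fresh install) are reported too.
    """
    return [
        name
        for name, info in inventory.items()
        if len(info["roles"].get("primary", [])) != 1
    ]


if __name__ == "__main__":
    inv = service_group_inventory(SAMPLE)
    for name, info in inv.items():
        print(name, info["svc"], info["roles"])
    print("review:", groups_without_single_primary(inv))
```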
Example
Retrieve specified Service Group
pbdbutil --svc -g '{ "svcgname" : "registry_name_svc" }'
Result:
{"svcgid":1,"svcgname":"registry_name_svc","svc":"registry","updated":"2016-06-06 16:56:53","deleted":0}
Example
Retrieve Specified Host by "cn"
pbdbutil --svc -g '{ "cn" : "pbuild" }'
Result:
{"addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","$
Example
Retrieve Specified Host by "uuid"
pbdbutil --svc -g '{ "uuid" : "969ecab2-93d8-4322-a8cf-6314457053bb" }'
Result:
{"addrs":[{"family":4,"addr":"192.168.16.138","port":24351}],"cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","$
Example
Retrieve Host Entry for the Primary of the Specified Service Group
pbdbutil --svc -g '{ "primary" : "registry_name_svc" }'
Result:
{"svcgid":1,"svcgname":"registry_name_svc","svc":"registry","updated":1465228621,"deleted":0,"hostid":1,"role":"primary","$
Example
Retrieve Host Information for Specified Host
pbdbutil --svc -L pbuild
Result:
{"fqdn":"pbuild","cn":"pbuild","uuid":"969ecab2-93d8-4322-a8cf-6314457053bb","addrs":[{"addr":"192.168.16.138","family":4,$
Example
List All Hosts
pbdbutil -P --svc -L
Result:
{
"hostid": 1,
"cn": "pbuild",
"uuid": "969ecab2-93d8-4322-a8cf-6314457053bb",
"fqdn": "pbuild",
"addrs": [
{
"family": 4,
"port": 24351,
"addr": "192.168.16.138"
}
],
"tnlzone": 0,
"updated": 1465897394,
"deleted": 0
}
{
"hostid": 4,
"cn": "pbtest",
"uuid": "969ecab2-93d8-4322-a8cf-6314457053bf",
"fqdn": "pbtest",
"addrs": [
{
"family": 4,
"port": 24351,
"addr": "192.168.16.184"
}
],
"tnlzone": 0,
"updated": 1465898703,
"deleted": 0
}
Example
Add a Specified Host ("cn" Common Name and "uuid" Are Required)
pbdbutil --svc -u '{ "cn" : "pbtest" , "uuid" : "969ecab2-93d8-4322-a8cf-6314457053bf" }'
Example
Add New Service Group
pbdbutil --svc -u '{ "svcgname" : "foobar", "svc" : "logsvr" }'
Example
Add Host to Service Group
pbdbutil --svc -u '{ "svcgname" : "foobar", "cn" : "pbtest" }'
Example
Delete Host
pbdbutil --svc -d '{ "cn" : "pbtest" }'
Example
Add Host to Service Group as Primary Server
pbdbutil --svc -u '{ "svcgname" : "foobar", "cn" : "pbtest", "role" : "primary" }'
Example
Delete Host When It Is a Primary
pbdbutil --svc -d '{ "cn" : "pbtest" }'
4011.01 Host is a primary server. Please reassign primary before deleting host from service group, or use force on the $.
Example
Delete the Service Group
pbdbutil --svc -d '{ "svcgname" : "foobar" }' --force
Example
Promote a Host That Is Currently a Secondary Server to a Primary Server
pbdbutil --svc -p foobar pbtest
Management event options
These options provide methods to create, maintain, export, and import role-based policies into EPM-UL.
Usage
- pbdbutil --evt [<options>] [<file> <file> ...]
- -s {json param}: Search Management event records
- Record entities: hostname, evtname, service, by, severity, before/after/then progname, version, arch, taxonomy
Records can be searched using the above entities and are matched as wildcards.
Example
- -s '{ "taxonomy" : "chgmgt" }': Display all Change Management Events
- -s '{ "taxonomy" : "chgmgt", "hostname" : "host1" }': Display all Change Management Events for host1
Description
| <-S|--searchevt> {json parameters} | This option provides a method of retrieving change management events from the change management database. |
Example
Retrieve all change management events
-S '{ "taxonomy" : "chgmgt" }'
{"hostname" : "pbuild", "evtname" : "file_import", "service" : "pbdbutil9.0.0-01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" : {"msg" : "foo, bar", "fname" : "/opt/pbul/policies/pb.conf, conf", "version" : 4, "sid" : 4995, "pid" : 31976, "uid" : 0}, "utc" : "2014-11-11 09:19:28"}
{"hostname" : "pbuild", "evtname" : "tag_file", "service" : "pbdbutil9.0.0-01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" : {"fname" : "/opt/pbul/policies/pb.conf", "tag" : "foo", "version" : -1, "sid" : 4995, "pid" : 31979, "uid" : 0}, "utc" : "2014-11-11 09:19:30"}
Example
Retrieve change management events for host1 only
-S '{ "taxonomy" : "chgmgt" , "hostname" : "host1" }'
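The search output above is a run of back-to-back JSON objects rather than one array, so it needs a streaming decoder. The script below is an added example (not part of EPM-UL) that decodes such a stream and flags changes under /opt/pbul/policies made by anyone outside a hypothetical approved_users set; the third sample record, the user jdoe and the function names are constructed for illustration.

```python
import json
import posixpath

# Constructed input. Records 1-2 are the events shown above with spacing
# normalised; record 3 (user "jdoe" on "host1") is invented for this example.
SAMPLE = """\
{"hostname" : "pbuild", "evtname" : "file_import", "service" : "pbdbutil9.0.0-01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" : {"msg" : "foo, bar", "fname" : "/opt/pbul/policies/pb.conf, conf", "version" : 4, "sid" : 4995, "pid" : 31976, "uid" : 0}, "utc" : "2014-11-11 09:19:28"}
{"hostname" : "pbuild", "evtname" : "tag_file", "service" : "pbdbutil9.0.0-01_debug", "who" : "ctaylor", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" : {"fname" : "/opt/pbul/policies/pb.conf", "tag" : "foo", "version" : -1, "sid" : 4995, "pid" : 31979, "uid" : 0}, "utc" : "2014-11-11 09:19:30"}
{"hostname" : "host1", "evtname" : "file_import", "service" : "pbdbutil9.0.0-01_debug", "who" : "jdoe", "severity" : 16, "progname" : "pbdbutil9.0.0-01_debug", "version" : "9.0.0-01_debug", "arch" : "x86_64_linuxA", "data" : {"msg" : "constructed example", "fname" : "/opt/pbul/policies/pb.conf", "version" : 5, "sid" : 5101, "pid" : 32050, "uid" : 0}, "utc" : "2014-11-11 10:02:11"}
"""


def iter_json_objects(text):
    """Yield each object from concatenated JSON (compact or -P pretty-printed)."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        # raw_decode() does not skip leading whitespace, so do it here.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def triage(text, approved_users, watched_dir="/opt/pbul/policies"):
    """Return one row per change event that touches a file under watched_dir."""
    prefix = watched_dir.rstrip("/") + "/"
    rows = []
    for evt in iter_json_objects(text):
        data = evt.get("data") or {}
        # normpath collapses "dir/../" segments before the prefix comparison.
        fname = posixpath.normpath(str(data.get("fname", "")))
        if not fname.startswith(prefix):
            continue
        rows.append({
            "utc": evt.get("utc"),
            "hostname": evt.get("hostname"),
            "who": evt.get("who"),
            "evtname": evt.get("evtname"),
            "fname": fname,
            "flagged": evt.get("who") not in approved_users,
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE, approved_users={"ctaylor"}):
        mark = "REVIEW" if row["flagged"] else "ok"
        print(f'{mark:6} {row["utc"]} {row["hostname"]} {row["who"]} '
              f'{row["evtname"]} {row["fname"]}')
```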
REST keystore options
Usage
pbdbutil --rest [<options>] [ <file> <file> ...]
| -l | List all Application IDs in the database. |
| -d <appid> | Delete Application key. |
| -g <appid> [--svcgname <name>] [<acl> ...] | Create new Application key with ACLs. Specify svcgname to sync key across Service Group. <acl> is up to 8 regular expression strings in the form METHOD:/PATH/ATTRIBUTE, where METHOD is GET, PUT, POST or DELETE. Examples: GET:/events PUT:/setting /POST:/key (GET|PUT):/setting/(submitmaster|acceptmasters) |
| -x <yyyy-mm-dd> | Specify Application ID expiry. |
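An added example, not BeyondTrust code: a pre-flight check for the <acl> arguments before they are passed to pbdbutil --rest -g, so that an Application key is not created with a broader grant than intended. It assumes the text before the first ":/" is the method expression and uses Python's re syntax as a stand-in for the product's regular expression dialect; the function names are hypothetical.

```python
import re

METHODS = ("GET", "PUT", "POST", "DELETE")    # methods named in the option text
MAX_ACLS = 8                                   # "up to 8 regular expression strings"
OPEN_WILDCARD = re.compile(r"(?<!\\)\.[*+]")   # an unescaped ".*" or ".+"

# ACL strings quoted in the option description above.
EXAMPLES = [
    "GET:/events",
    "PUT:/setting",
    "(GET|PUT):/setting/(submitmaster|acceptmasters)",
]


def methods_granted(acl):
    """Return the methods the part before ':/' matches, or None if malformed."""
    method_re, sep, _path = acl.partition(":/")
    if not sep:
        return None
    try:
        return [m for m in METHODS if re.fullmatch(method_re, m)]
    except re.error:
        return None


def lint_acls(acls):
    """Return (acl, problem) tuples; an empty list means nothing was flagged."""
    problems = []
    if len(acls) > MAX_ACLS:
        problems.append(("<list>", f"{len(acls)} ACLs supplied, limit is {MAX_ACLS}"))
    for acl in acls:
        granted = methods_granted(acl)
        if granted is None:
            problems.append((acl, "not a valid METHOD:/PATH expression"))
            continue
        path_re = acl.partition(":/")[2]
        try:
            re.compile(path_re)
        except re.error as exc:
            problems.append((acl, f"path is not a valid expression: {exc}"))
            continue
        if not granted:
            problems.append((acl, "method part matches none of GET, PUT, POST, DELETE"))
        elif len(granted) == len(METHODS):
            problems.append((acl, "method part matches every method"))
        if OPEN_WILDCARD.search(path_re):
            problems.append((acl, "path contains an open wildcard"))
    return problems


if __name__ == "__main__":
    for acl in EXAMPLES + [".*:/.*", "GETT:/events"]:
        print(acl, "->", methods_granted(acl), lint_acls([acl]))
```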
Database synchronization options
These options allow the interrogation of Database Synchronization status on primary servers.
Usage
pbdbutil --dbsync [<options>] [ <file> <file> ...]
| -l | List Database Synchronization history. |
| -l [<dbfile(s)>] | List outstanding Database Synchronization entries. |
| -c <dbfile(s)> | Deletes the _pblog entries from the specified database. Each database that can be synchronized (FIM, Sudo, RBP, etc) has a _pblog table used to synchronize data from the primary to the secondaries. When adding a FIM configuration, or a new role, or a pbsudo host, then the corresponding INSERT or UPDATE SQL is added in the _pblog table. |
| -R <svc> [<cn>] | Initiates a synchronize on database immediately even if there is no change, for specified service. |
| --force | Force synchronize the cfg files for the specified service. |
| -A <svcgname> <...> | Set databases in Service Group(s) as being automatically synchronized. |
| -X <svcgname> <...> | Unset databases in Service Group(s) as being automatically synchronized. |
Registry Name Service Cache Options
Each host has a Registry Name Service Cache that holds the Service Group information that is applicable to them.
These options allow the retrieval of information and options to re-initialize the Registry Name Service Cache database.
Usage
pbdbutil --scache [<options>] [ <file> <file> ...]
| --cn | Retrieve Common Name from the Registry Name Service. |
| -w | Retrieve my Registry Name Service information. |
| --amiprimary <svc type> | Check if the host is a primary server for a given service type ('pbpolicy', 'logsvr', 'sudopolicy', 'registry', etc.) |
| -l | List all the locally cached Registry Name Service entries. |
| -s <[-|+]attribute> | Sort the list of records by attribute name (asc/desc). |
| -R | Refresh the local Registry Name Service cache. |
| --all | Refresh all hosts registered to Registry Name service using REST services. |
| --host(s) <hostname1> [<hostname2>... <hostnameN>] | Refresh on listed hosts using REST services. |
| -N { param } | Create and initialize the Primary Registry Name cache database where the { param } argument is formatted JSON with parameters: |
| -m <msg> | Specify message. Required when change management enabled. |
| --sqldebug=<log level> | Database query debug log level. |
Elasticsearch credential management
The pbdbutil settings outlined here support Elasticsearch credential management.
The options available with the pbdbutil tool are also available in the EPM-UL REST API.
For more information, see Elasticsearch Logstash API Calls.
Usage
pbdbutil --elkcred [<options>]
| --elkcred -g <id> | Retrieves a credential by ID. The credential is output in JSON format. Use -P to make the output more readable. The REST API call: elkcred -X GET |
| -s '{ "id": "<id>", ... }' | Adds a credential. The response is OK if the credential is set successfully; otherwise, a relevant error message is displayed. The REST API call: elkcred -X PUT |
| -d <id> | Deletes a credential. The response is OK if the credential is deleted successfully; otherwise, a relevant error message is displayed. The REST API call: elkcred -X DELETE |
| -l | Lists all credentials. The credential is output in JSON format. Use -P for more readable output. The REST API call: elkcreds -X GET |
| -t <id> | Tests an existing credential. Test results are shown in JSON format. Use -P for more readable output. Tests of a token or apikey credential fail against Logstash instances. The REST API call: elkcredtest -X GET |
| -t '{ "id": "<id>", ... }' | Tests a prospective credential with the values currently in /etc/pb.settings (e.g., elkinstances). Use the JSON fields relevant to the credential type. For more information on credential types, see Credential Store. To test a credential independently of /etc/pb.settings, add the elkinstances JSON attribute. See Test a credential for the example code snippet. The REST API call: elkcredtest -X POST |
Test a credential
To test a credential independently of /etc/pb.settings, add the elkinstances JSON attribute, as shown here:
Example
pbdbutil --elkcred -t '{"id": "elastic_token", "type": "token", "username": "jeff", \
"password": "<password>", "endpoint": "/_security/oauth2/token", \
"elkinstances": "elasticsearch=https://elksite.us-east-1.aws.found.io"}' -P
{
"results": [
{
"token-request": {
"url": "https://elksite.us-east-1.aws.found.io/_security/oauth2/token",
"curlcode": "0 (No error)",
"httpcode": "200 (OK)"
},
"test-request": {
"url": "https://elksite.us-east-1.aws.found.io/?pretty",
"curlcode": "0 (No error)",
"httpcode": "200 (OK)"
}
}
]
}
The format of the elkinstances value is the same as it would be in /etc/pb.settings.
Use -P to make the output more readable. As is the case with an existing credential, an attempt to test a prospective credential of type token or apikey against a Logstash instance fails.
poldbg
These options are not applicable to EPM-L.
Description
Policy language debugging can be enabled, disabled, and reviewed using the poldbg option.
With this command:
- List policy debugging entries to identify and resolve issues that may have occurred in a policy.
- Specify users whose policy is debugged, and specify the amount of time that debugging is enabled for that user and policy.
- Run pbrun command and review the debugging information.
Policy debugging is only available for if statements and switch case statements.
Syntax
Run to list debugging policy entries.
--poldbg -l
Run to identify users who can debug entries. You can also designate how long the user has access.
--poldbg -u
Run to view and print a clean output of events for policy debugging in JSON-equivalent format.
pbadmin -P --evt -s '{ "taxonomy" : "policydbg" }'
Run to view and print events for policy debugging in a CSV-type format.
pbadmin -C --evt -s '{ "taxonomy" : "policydbg" }'
Example
pbadmin --poldbg -u rjones 2h
In this example, the user rjones is allowed debugging access for two hours.
Example
pbadmin -C --evt -s '{ "taxonomy" : "policydbg", "rowid" : 3 }'
In this example, the events are output in a CSV-type format, and the information in row three is expanded.
Integrated product options
These options configure the Integrated Products Queue database.
Usage
pbdbutil --intprod [<options>] [ <file> <file> ...]
| -l | List all entries in Integrated Product database queue. |
| -d <wildcard> | Delete entries from Integrated Product database queue. |
Policy and log caching options
These options support the policy and log caching feature introduced in EPM-UL version 23.1.
Usage
pbdbutil --remotecache [<options>]
Options supported on a client
| --forward | Forward cached write queue and IO log files to the log server |
| --pull | Retrieve policy from a cached policy server |
Options supported on a policy server
| --list-versions | List policy versions for clients that use cached policies from the cached policy server |
Example
List client policy versions in a human-friendly format.
pbdbutil --remotecache --list-versions -P
I/O logfile queue options
These options allow users to maintain the database that queues the I/O logfile names for indexing to ElasticSearch.
Usage
pbdbutil --iologidx [<options>]
| -l | List queued iolog files. |
| -d <wildcard spec> | Delete queued iolog files. |
When an iolog is started, pblogd (or pbmasterd) adds that iolog to the logfile queue with a pblogd_status of started and retry set to never. When the iolog file is closed in a normal fashion, the pblogd_status is set to finished. During the time that pblogd is active, it periodically sends a heartbeat.
When an iolog is not properly closed (pbrun killed or network issues, for example), the heartbeat is used with the iologactionqueuetimelimit keyword to artificially set the pblogd_status to finished, so that iolog can be processed for ElasticSearch or iologcloseaction.
When an iolog is being processed for ElasticSearch or iologcloseaction, the proc_status is set to processing. When ElasticSearch or iologcloseaction has successfully completed, the proc_status is set to finished. When ElasticSearch reports a recoverable error, or iologcloseaction returns -1, the iolog is re-queued by setting lastupdated to now, setting retry (now + iologactionretry minutes), and incrementing the retries.
Example
Delete all queued I/O log file names
pbdbutil --iologidx -d '*'
I/O logfile cache options
These options allow users to maintain the database that caches the I/O logfile names for use with BeyondInsight for Unix & Linux.
Usage
pbdbutil --iocache [<options>]
Display cached list of I/O log files:
| --lstcache=['{param…}'] | Use equals symbol (=) for optional parameter. |
| -S['{param…}'] | No space between switch name and optional parameter. |
| -s <[-|+]attributes> | Sort the list of records by attribute name (asc/desc). |
Remove I/O log file entries from the logfile cache database:
-d '{param…}'
Where the {param…} argument is formatted JSON parameters:
- {"path":"pattern"}: glob wildcard for logfile path
- {"loghost":"host1"}: Filter by loghost name
- {"submithost":"host2"}: Filter by submithost name
- {"runhost":"host3"}: Filter by runhost name
- {"submituser":"user1"}: Filter by submituser name
- {"runuser":"user2"}: Filter by runuser name
- {"runcmd":"command"}: Filter by run command
- {"from":"<yyyy-mm-dd HH:MM>"}: Filter I/O logs created on or after this date/time
- {"to":"<yyyy-mm-dd HH:MM>"}: Filter I/O logs created on or before this date/time
- {"start":<offset>}: Specify record offset (number) when limiting output
- {"len":<len>}: Specify number of rows when limiting output
Migrate I/O log location cache database (Upgrades only):
-n [--force]
Migrates pre-v10.3.1 I/O log location cache database to the new database configuration.
Migration is automatically done during an upgrade via pbinstall. Running this manually is typically not necessary unless circumstances prevented the automatic migration during the upgrade. The optional --force skips backup of the original/obsolete I/O log cache database if it already has been backed up by other methods.
Where the {param} argument is formatted JSON with parameters:
- "path":"pattern": glob wildcard for logfile path
- "loghost":"host2": loghost name
- "submithost":"host1": Filter by submithost name
- "runhost":"host1": Filter by runhost name
- "submituser":"user1": Filter by submituser name
- "runuser":"user1": Filter by runuser name
- "runcmd":"cmd": Filter by runcmd name
- "from":"<yyyy-mm-dd HH:MM>": Filter by logfiles opened on or after this date/time
- "to":"<yyyy-mm-dd HH:MM>": Filter by logfiles opened on or before this date/time
- "start":<offset>: Specify record offset (number) when limiting output
- "len":<limit>: Specify number of rows when limiting output
File Integrity Monitor options
These options provide maintenance for the File Integrity Monitor database, and options for the client to run an integrity check.
Usage
pbdbutil --fim [<options>] [ <file> <file> ...]
Options for FIM client
| -r | Run FIM check. |
| -U | Run FIM check and update database. |
Options for FIM server database management
| -n | Create new FIM database. |
| -l | List all FIM configurations in database. |
| -l | Add an extra -l to list host assignments. |
| -s <[-|+]attribute> | Sort the list of records by attribute name (asc/desc). |
| -i <file> | Import FIM configuration file. |
| -e <name> <file> | Export specified FIM configuration. |
| -g <name> | Get FIM configuration by name. |
| -d <name> | Delete FIM configuration. |
| -d {"cfg" : { "name" : "<wildcard>" }} | Delete FIM configuration matching wildcard. |
| -u {"name" : "<name>", "cfg": { json param... }} | Update FIM configuration. |
| -A <name> <host(s)> | Assign host to configuration. |
| -X <host(s)> | Unassign host from configuration. |
| -g {"rpt" : { "uuid" : "<uuid>" }} | Get specified FIM report. |
| -g {"rpt" : { params ... }} | Retrieve report summarized from multiple reports. See below for attributes. |
| --format '[ "header", "header2", ... ]' | Define retrieved fields when using CSV report. |
| -d { "rpt" : { "uuid" : "<uuid>" }} | Delete FIM report. |
| -d { "rpt" : { params ... }} | Delete FIM report(s) - see below for attributes. |
| -L [{ Retrieve, List or Delete FIM reports, with attributes: ["name" : "<wildcard>",] ["uuid" : "<uuid>",] ["host" : "<wildcard>",] ["older" : <epoch>,]["newer" : <epoch>,] ["older" : { "years" : n, "months" : n, "days" : n, "hours" : n ] ["newer" : { "years" : n, "months" : n, "days" : n, "hours" : n ] ["updates" : <bool>,] ["risk" : <lvl>,] ["risk_higher" : <lvl>,] ["risk_lower" : <lvl>,] ["regexp" : true]} | |
| -s <[-|+]attribute> | Sort the list of records by attribute name (asc/desc). |
Event logfile cache options
These options allow users to query and maintain the database that caches the event logfile names for use with BeyondInsight for Unix & Linux.
Usage
pbdbutil --evtcache [<options>]
Display cached list of event log files:
| --lstcache=['{param…}'] | Use equals sign (=) for optional parameter. |
| -S['{param…}'] | No space between switch name and optional parameter. |
| -s <[-|+]attribute> | Sort the list of records by attribute name (asc/desc). |
Where the {param} argument is formatted JSON parameters:
- {"path":"<pattern>"}: glob wildcard for logfile path
- {"runhost":"<host1>"}: Filter by runhost name
- {"loghost":"<host2>"}: Filter by loghost name
- {"from":"<yyyy-mm-dd HH:MM>"}: Filter by event logs active on or after this date/time
- {"to":"<yyyy-mm-dd HH:MM>"}: Filter event logs active on or before this date/time
- {"start":<offset>}: Specify record offset (number) when limiting output
- {"len":<limit>}: Specify number of rows when limiting output
Remove event log file entries from the logfile cache database:
-d '{param…}'
Where the {param…} argument is formatted JSON parameters:
- {"path":"pattern"}: glob wildcard for logfile path
- {"loghost":"host2"}: Filter by loghost name
- {"from":"<yyyy-mm-dd HH:MM>"}: Filter event logs active on or after this date/time
- {"to":"<yyyy-mm-dd HH:MM>"}: Filter event logs active on or before this date/time
Write queue status options
Starting in EPM-UL 22.3, report on and summarize the content of write queue files using new options added to the pbadmin command. The files are created when the message router is offline or when write queue records cannot be written to a log server’s event log.
Usage
pbadmin --wqstatus [<options>]
Options
| -l <file(s)> | Provides a high-level summary of the contents of one or more write queue files. |
| -ll <file(s)> | Provides more detailed report on the contents of one or more write queue files. Within the records array, the following data is displayed for each record: |
| -T | Provides a summary of the write queue files stored in the directory specified by the settings value writequeuepath. |
| -P, --pretty | Optional. Produces pretty print. |
| -h | Help on write queue status options. |
Examples
Example
pbdbutil --wqstatus -l
[root@dev-test ~]# pbdbutil --wqstatus -l /opt/pbul/msgrouter/wq_0003 -P
[
{
"file": "/opt/pbul/msgrouter/wq_0003",
"created": "2022-09-02 14:01:22",
"count": 2,
"completed": 0,
"pending": 0,
"notprocessed": 2
}
]
Example
pbdbutil --wqstatus -ll
[root@dev-test ~]# pbdbutil --wqstatus -ll /opt/pbul/msgrouter/wq_0003 -P
[
{
"file": "/opt/pbul/msgrouter/wq_0003",
"created": "2022-09-02 14:01:22",
"count": 2,
"completed": 0,
"pending": 0,
"notprocessed": 2,
"numaccept": 1,
"numreject": 0,
"numfinish": 1,
"numkeystroke": 0,
"numiologclose": 0,
"numiologcache": 0,
"records": [
{
"type": "event log",
"length": 686,
"wqstatus": "notprocessed",
"event": "Finish",
"uniqueid": "0a64a8e963120c883D37",
"timestamp": "2022-09-02 14:00:52"
},
{
"type": "event log",
"length": 8615,
"wqstatus": "notprocessed",
"event": "Accept",
"uniqueid": "0a64a8e963120ded3F1F",
"timestamp": "2022-09-02 14:06:37"
}
]
}
]
Example
pbdbutil --wqstatus -T
[root@dev-test ~]# pbdbutil --wqstatus -T -P
{
"files": 5,
"records": 31,
"completed": 0,
"pending": 0,
"notprocessed": 31,
"numaccept": 19,
"numreject": 0,
"numfinish": 7,
"numkeystroke": 0,
"numiologclose": 3,
"numiologcache": 2,
"first": "2022-09-02 14:00:40",
"last": "2022-09-02 14:36:31"
}
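Records left in a write queue are Accept, Finish and I/O log events that have not yet reached the log server's event log, so the -l and -ll reports are worth checking automatically. The script below is an added example (not part of EPM-UL) that cross-checks the counters in a -l or -ll report and reports the age of the oldest waiting record. It assumes the status counters and the per-type counters each add up to count (true of the samples on this page), that a delivered record carries wqstatus "completed", and that now is in the same time zone as the report; the function name and the 30-minute threshold are hypothetical.

```python
import json
from datetime import datetime

# The `pbdbutil --wqstatus -ll ... -P` output shown above, re-wrapped.
SAMPLE = """
[{"file": "/opt/pbul/msgrouter/wq_0003", "created": "2022-09-02 14:01:22",
  "count": 2, "completed": 0, "pending": 0, "notprocessed": 2,
  "numaccept": 1, "numreject": 0, "numfinish": 1,
  "numkeystroke": 0, "numiologclose": 0, "numiologcache": 0,
  "records": [
    {"type": "event log", "length": 686, "wqstatus": "notprocessed",
     "event": "Finish", "uniqueid": "0a64a8e963120c883D37",
     "timestamp": "2022-09-02 14:00:52"},
    {"type": "event log", "length": 8615, "wqstatus": "notprocessed",
     "event": "Accept", "uniqueid": "0a64a8e963120ded3F1F",
     "timestamp": "2022-09-02 14:06:37"}]}]
"""

STATUS_KEYS = ("completed", "pending", "notprocessed")
EVENT_KEYS = ("numaccept", "numreject", "numfinish",
              "numkeystroke", "numiologclose", "numiologcache")
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def audit_write_queue(report_text, now, max_age_minutes=30):
    """Summarise each write queue file in a -l or -ll report."""
    results = []
    for wq in json.loads(report_text):
        issues = []
        # Assumption: both groups of counters partition `count`.
        if sum(wq[k] for k in STATUS_KEYS) != wq["count"]:
            issues.append("status counters do not add up to count")
        if any(k in wq for k in EVENT_KEYS) and \
                sum(wq.get(k, 0) for k in EVENT_KEYS) != wq["count"]:
            issues.append("per-type counters do not add up to count")
        records = wq.get("records")          # present with -ll, absent with -l
        if records is not None and len(records) != wq["count"]:
            issues.append("records array length differs from count")
        # Assumption: the status value "completed" mirrors the counter name.
        waiting = [r for r in (records or []) if r["wqstatus"] != "completed"]
        stamps = [datetime.strptime(r["timestamp"], TS_FORMAT) for r in waiting]
        oldest = min(stamps, default=None)
        age = None if oldest is None else int((now - oldest).total_seconds() // 60)
        if age is not None and age > max_age_minutes:
            issues.append(f"oldest waiting record is {age} min old")
        results.append({
            "file": wq["file"],
            "backlog": wq["pending"] + wq["notprocessed"],
            "waiting_events": sorted(r["event"] for r in waiting),
            "oldest_waiting": oldest.strftime(TS_FORMAT) if oldest else None,
            "age_minutes": age,
            "issues": issues,
        })
    return results


if __name__ == "__main__":
    for row in audit_write_queue(SAMPLE, datetime(2022, 9, 2, 15, 0, 0)):
        print(json.dumps(row, indent=2))
```

The -T report is a single object rather than an array and is not handled here.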