Auditing and logging
Authorization event logging
EPM-UL records the following authorization events in the event log file on the log host or Policy Server host (if not using a log server):
- Accept and Reject events (including policy variables) for all tasks.
- Keystroke patterns set by keystrokeactions and task finish information for jobs that are not run in local mode. This file can be reviewed through the EPM-UL GUI or with the pblog command.
The event log is stored in a flat file whose path may be defined by the eventlog variable in the policy, the eventdestinations setting, or the eventlog setting.
Store eventlog records in a database
SQLite database
Starting with v10.3.0, event log records can be written to an SQLite database using the setting below, which optionally accepts a path name:
eventdestinations authevt=db[=</path/to/database>]
If no specific file is given, the path in the eventlog variable is used (it suffixes .db to the filename, if the filename does not already include a .db at the end).
This is the default eventlog type for EPM-UL v10.3.0, v10.3.1, and v10.3.2.
The pblog program will automatically detect if an eventlog is an SQLite database and read it accordingly. To force the SQLite database read mode, use the pblog option "--db".
MySQL and Oracle database using ODBC connectors
Starting with v10.3.0, event log records can be sent to an Oracle or MySQL database using the ODBC connector on the log server.
If eventdestinations is set to authevt=odbc=, the event log records are logged to the ODBC DSN specified in the setting and found in the ODBC configuration files. The value of eventlog in pb.settings is ignored, and the event log records are written to the ODBC DSN specified in odbc.ini and odbcinst.ini in the odbcinidir directory (or default /opt/pbul/etc). If the eventlog variable is defined in the policy, then the event log records are written to both the path and file in the policy (in flat file format), and in the ODBC database. For pblog, use the option --odbc -f to read the MySQL/Oracle database.
Event destinations can be combined, using commas, to enable logging to multiple services.
Example
eventdestinations authevt=db,odbc=MySQL,/var/log/eventlog.flatfile
The setting anydestinationsufficient controls how the events are written to multiple destinations:
- If set to no (default), it requires that the event be written to all defined destinations (db, odbc, flat-file) before it is removed from the message queue. If one destination is down, it keeps the event on the message queue until the event is successfully written to all destinations.
Note
If the event was already written to a destination (in case of a flat file), the next attempt may create a duplicate record.
- If it is set to yes, it attempts to write each event to every destination. If any one of them fails, as long as the attempt to any destination succeeds, it proceeds to the next event.
eventdestinations
- Version 9.4.1 and earlier: eventdestinations setting not available.
- Version 9.4.3 and later: eventdestinations setting for Audit events available.
- Version 10.3.0 and later: eventdestinations setting for Authorization events available.
The eventdestinations setting allows the configuration of where events are logged. Prior to v10.3.0, this setting is used only for audit events. Starting in v10.3.0, it has been augmented to support authorization event logging using the keyword authevt.
Syntax
eventdestinations authevt=<destination>
Where destination is one or a combination of: a database, syslog, a flat file, or a script or binary that receives the event for processing:
- db: Write the event log records to an SQLite database whose path is specified in the eventlog setting.
- db=/path/to/database.db: Write the event log records to the named SQLite database.
- /path/to/flatfile: Write the event log records to a flat file.
- odbc=DSN: Log the event records to the configured ODBC DSN (Data Source Name).
- syslog: Write the event log records to the local syslog service, using the syslog configuration in pb.settings.
- |/path/to/script: Pass the event log records to the specified script or binary.
Note
If eventdestinations is omitted or commented out in the settings, EPM-UL defaults to using flat file eventlog format.
Note
Within the authevt group, a combination of each destination type can be specified, separated by commas. If combining with Audit events options, each new group should be delimited with a space.
authevt usage
Arguments | Description |
---|---|
authevt=db | The path to the default database is set using the eventlog setting, or it defaults to /{var|usr}/{adm|log}/pb.eventlog.db. If the eventlog variable is defined in the policy, then the event log records are written to both the path and file in the policy (in flat file format), and the path/file defined by the eventlog setting (in SQLite database format). If eventlog in pb.settings is set to a filename without .db at the end, a .db is implicitly added. For example, if eventlog is set to /var/log/pb_event_file, the file name is changed to /var/log/pb_event_file.db. |
authevt=db=/path/to/database.db | This option allows different database names in the eventdestinations setting. The value of eventlog in pb.settings is ignored. When writing the event log records the path/file is /path/to/database.db. If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in flat file format), and the path/file defined by this setting in SQLite database format. |
authevt=/path/to/flatfile | This option logs events in the flat-file format specified in the setting. The value of eventlog in pb.settings is ignored, and the file name (/path/to/flatfile) is used when writing the event log records. If the eventlog variable is defined in the policy, then the flat-file event log is created using that path instead of the value (/path/to/flatfile) specified in this setting. |
authevt=odbc=MyDSN | This option logs events to the ODBC DSN specified in the setting and found in the ODBC configuration files. The value of eventlog in pb.settings is ignored, and the event log records are written to the ODBC DSN set in odbc.ini and odbcinst.ini in the directory odbcinidir (or default /opt/pbul/etc). If the eventlog variable is defined in the policy, then the event log records are written to both the path/file defined in the policy (in the flat file format), and in the ODBC database. |
authevt=syslog | This option logs events to the local host's syslog service in JSON format. |
authevt=/path/to/script | This option logs events to a script or binary in JSON format. |
To avoid running out of resources under heavy load while sending authorization events to a program (eventdestinations authevt=|program), pblighttpd-svc must be started with at least unlimited NOFILES and NPROC.
Example
eventdestinations authevt=db
Example
Event destinations can be combined, separated by commas, to enable logging to multiple services:
eventdestinations authevt=db,/var/adm/pb.eventlog.flat,odbc=MySQL,syslog
Example
Authorization Event and Audit Event destinations can be combined using a space delimiter:
eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
Default
eventdestinations authevt=<eventlog>
Used on
- Log servers
- Policy server hosts (If a log host is not used)
eventlog
- Version 4.0.0 and later: eventlog setting available.
- Version 10.3.0 and later: eventlog setting usage modified.
The eventlog setting specifies the default location of the flat file or SQLite database event log.
If the eventdestinations setting is omitted from the settings file or does not have an explicit "authevt=" designation, EPM-UL writes authorization events in flat file format to the location in the eventlog setting by default.
The eventdestinations setting "authevt=db" configures authorization events to be written to an event log in SQLite database format, in which case, the eventlog setting provides the pathname of the event log (with .db suffix).
Any parent directory in the path is automatically created.
When pblog is invoked with no specific eventlog filename and the eventdestinations setting does not explicitly define a path for a flat file (authevt=) or SQLite database (authevt=db=), it will try to read the path in the eventlog setting. If eventdestinations is set to "authevt=db", pblog will implicitly append ".db" to the path first before reading it.
Example
eventlog /var/log/my.event.log
Default
Depending on the operating system standards, this can be any of the following:
eventlog /var/log/<prefix>pb.eventlog<suffix>
eventlog /var/adm/<prefix>pb.eventlog<suffix>
eventlog /usr/adm/<prefix>pb.eventlog<suffix>
Used on
- Log hosts
- Policy server hosts (If a log host is not used)
syslog
- Version 4.0.0 and later: syslog setting available.
Enables sending diagnostic messages to syslog, using the facility setting.
To enable syslog recording of diagnostic messages, set syslog to yes.
Example
syslog yes
Default
syslog yes
Used on
- Log hosts
- Policy server hosts
- Run hosts
- Submit hosts
facility
- Version 4.0.0 and later: facility setting available.
The messages that the EPM-UL programs transmit to the syslog facility are labeled with a syslog level. This level (as well as the severity that is specified internally to EPM-UL on a per message basis) is used by the syslog facility and handled according to the rules in the syslog configuration file (typically /etc/syslog.conf). If EPM-UL messages are not appearing in syslog, then verify that syslog.conf is handling the facility that you are using as expected.
To specify the syslog facility for logging to the Unix/Linux syslog subsystem, set facility appropriately. Some commonly available facilities include:
- LOG_AUTH
- LOG_AUTHPRIV (Linux): only supported in Endpoint Privilege Management for Unix and Linux 7.1.0 and later.
- LOG_USER
- LOG_MAIL
- LOG_DAEMON
- LOG_LPR
- LOG_NEWS
- LOG_UUCP
- LOG_CRON
- LOG_LOCAL0 through LOG_LOCAL7
Example
facility LOG_DAEMON
Default
facility LOG_AUTH
Used on
- Log hosts
- Policy server hosts if a log host is not used
anydestinationsufficient
- Version 10.2.0 and earlier: anydestinationsufficient setting not available.
- Version 10.3.0 and later: anydestinationsufficient setting available.
This setting controls how the events are written to multiple destinations.
When set to no, anydestinationsufficient writes an event to all defined destinations (db, odbc, flat file). All destinations must be up and running. If one destination is down, the event is retained in the message router write queue until it is successfully written to all event log destinations. This is the default behavior.
When set to yes, anydestinationsufficient writes the event to one destination at a time. If one destination is down, and the event has already been written to at least one database (db, odbc, flat file), then it skips the destination for that event, and moves on to the next event. The database that is down does not have all the events. However, pblog can be used to get the events from one destination and write them to another.
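The following is an added model of the two anydestinationsufficient modes described above; it is not EPM-UL code and simplifies the message router to a head-of-queue retry loop. A constructed queue of three events is replayed against a flat-file sink and a database sink while the database is down for its first write. The flat-file sink appends on every attempt, so a retry duplicates a record (the documented caveat); the database sink is assumed to key rows by event id, so a retry there is harmless. All event ids, sink names and the one-write outage are constructed for the example.

```python
r"""Model of anydestinationsufficient=no versus yes (added example, not EPM-UL code).

Scenario (constructed): three events, a flat-file sink that is always up and a
database sink that fails its first write, then recovers.
"""
from collections import deque
from typing import Dict, List, Tuple


class FlatFileSink:
    """Append-only, like a flat eventlog file: every successful write adds a line."""
    def __init__(self, fail_first: int = 0):
        self.records: List[str] = []
        self.fail_first = fail_first          # constructed outage: fail this many writes

    def write(self, event: Dict) -> None:
        if self.fail_first > 0:
            self.fail_first -= 1
            raise IOError("flat file unavailable")
        self.records.append(event["id"])


class DbSink:
    """Keyed by event id (an assumption of this model), so a re-write is idempotent."""
    def __init__(self, fail_first: int = 0):
        self.rows: Dict[str, Dict] = {}
        self.fail_first = fail_first

    def write(self, event: Dict) -> None:
        if self.fail_first > 0:
            self.fail_first -= 1
            raise IOError("database unavailable")
        self.rows[event["id"]] = event

    @property
    def records(self) -> List[str]:
        return list(self.rows)


def route(events: List[Dict], sinks: List, anydestinationsufficient: bool,
          max_passes: int = 10) -> List[str]:
    """Drain the message queue head-first.

    In 'no' mode an event leaves the queue only after every sink accepted it on
    the same pass; in 'yes' mode one successful sink is enough. An event that
    is not done stays at the head and is retried on the next pass.
    Returns the ids of events still queued after max_passes.
    """
    queue = deque(events)
    for _ in range(max_passes):
        if not queue:
            break
        event = queue[0]
        outcomes = []
        for sink in sinks:
            try:
                sink.write(event)
                outcomes.append(True)
            except IOError:
                outcomes.append(False)
        done = any(outcomes) if anydestinationsufficient else all(outcomes)
        if done:
            queue.popleft()
    return [e["id"] for e in queue]


def simulate(anydestinationsufficient: bool) -> Tuple[List[str], List[str], List[str]]:
    """Run the constructed scenario; returns (flat-file ids, database ids, still queued)."""
    events = [{"id": "evt-1"}, {"id": "evt-2"}, {"id": "evt-3"}]   # constructed sample
    flat, db = FlatFileSink(), DbSink(fail_first=1)
    remaining = route(events, [flat, db], anydestinationsufficient)
    return flat.records, db.records, remaining


if __name__ == "__main__":
    for mode in (False, True):
        print("anydestinationsufficient", "yes" if mode else "no", simulate(mode))
```

With the default (no), the flat file ends up holding evt-1 twice because the first pass wrote it before the database write failed, while the database is complete. With yes, nothing is duplicated but the database never receives evt-1, which is the gap pblog is then used to close.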
Example
anydestinationsufficient yes
Default
anydestinationsufficient no
Used on
Log servers
odbcinidir
- Version 10.2.0 and earlier: odbcinidir setting not available.
- Version 10.3.0 and later: odbcinidir setting available.
The odbcinidir setting provides the path where odbc.ini and odbcinst.ini are read from when eventdestinations is set to authevt=odbc=.
- odbc.ini: Provides authentication details for the ODBC database.
- odbcinst.ini: Includes driver details where shared libraries reside.
Example
odbcinidir /etc/odb
Default
odbcinidir /opt/<prefix>pbul<suffix>/etc
Audit events
There are various audit events that can be enabled and stored within EPM-UL. These include Configuration Change Management, File Integrity Monitoring events, Advanced Keystroke Action events, and License events. These events are enabled on clients and servers, and are logged on the log server. Each type of event has a taxonomy to distinguish the type of data that it contains. There are various settings that affect the audit event log.
eventdb
- Version 8.5.0 and earlier: eventdb setting not available.
- Version 9.0.0 and later: eventdb setting available.
The eventdb setting details where Audit events are stored on the log server if there is no specific configuration using the eventdestinations setting. If a relative path is specified, the databasedir setting is used to derive the full path.
Example
eventdb /mypath/pbevent.db
Default
eventdb /opt/<prefix>pbul<suffix>/dbs/pbevent.db
Used on
All hosts
eventdestinations
- Version 9.4.1 and earlier: eventdestinations setting not available.
- Version 9.4.3 and later: eventdestinations setting for Audit events available.
- Version 10.3.0 and later: eventdestinations setting for Authorization events available.
The eventdestinations setting allows the configuration of where each taxonomy of Audit events is logged. Starting in v10.3.0, this setting can also be used to configure destinations for authorization events.
Syntax
eventdestinations <taxonomy>=<destination> …
Taxonomy | Event Type |
---|---|
chgmgt | Configuration Change Management |
client | Client Registration |
fimrpt | File Integrity Monitoring |
errlog | Miscellaneous Error Logging via REST (including ACA and user-defined errors) |
aka | Advanced Keystroke Action |
license | License Events |
policydbg | Policy Language Debugging |
authevt | accept, reject, finish, keystroke events |
The destination can be one or more of: a database, syslog, a flat text file, or a script or binary that receives the event for processing:
- db=/path: Outputs the event to the named database.
- db: Outputs the event to the database specified in the eventdb setting.
- syslog: Outputs the event to the local syslog service, using the syslog configuration in pb.settings.
- /directory/file: An absolute path to a file to which the event is appended as text in the specified format.
- |/directory/script: Passes the event on standard input to the script or binary specified.
Note
Within each taxonomy, one or more destinations can be specified, separated by commas. If specifying more than one taxonomy or combining with Authorization Event Logging eventdestinations option, each group should be delimited with a space.
Example
eventdestinations chgmgt=db
Event destinations can be combined, separated by commas, to enable logging to multiple services:
eventdestinations chgmgt=db,syslog,/var/adm/pbchmgt.log
Multiple Audit Event and Authorization Event destinations can be combined using a space delimiter:
eventdestinations chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog
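The following validator is an added example, not EPM-UL code: it parses one eventdestinations line according to the grammar documented in this section and in the authevt section above (space-delimited taxonomy groups, comma-separated destinations of the forms db, db=/path, odbc=DSN, syslog, /path/to/file and |/path/to/script), and resolves the documented rule that authevt=db takes its SQLite path from the eventlog setting with .db appended when the suffix is missing. The taxonomy names come from the table above. Two choices are assumptions of this example rather than product rules: odbc= is rejected for taxonomies other than authevt because only the authevt list documents it, and a taxonomy given twice on one line is treated as an error.

```python
"""Parser and validator for the eventdestinations setting syntax (added example,
not EPM-UL code). Grammar modelled:

    eventdestinations <taxonomy>=<dest>[,<dest>...] [<taxonomy>=<dest>[,<dest>...]]*
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Taxonomy names from the table on this page.
TAXONOMIES = {"chgmgt", "client", "fimrpt", "errlog", "aka",
              "license", "policydbg", "authevt"}


@dataclass(frozen=True)
class Destination:
    kind: str                     # "db", "odbc", "syslog", "file" or "script"
    target: Optional[str] = None  # database path, DSN, file path or script path


def parse_destination(token: str, taxonomy: str) -> Destination:
    """Classify one comma-separated destination token."""
    if token == "db":
        return Destination("db")
    if token == "syslog":
        return Destination("syslog")
    if token.startswith("db="):
        path = token[len("db="):]
        if not path.startswith("/"):
            raise ValueError(f"{taxonomy}: db= needs an absolute path, got {path!r}")
        return Destination("db", path)
    if token.startswith("odbc="):
        dsn = token[len("odbc="):]
        if taxonomy != "authevt":          # assumption: odbc= documented for authevt only
            raise ValueError(f"{taxonomy}: odbc= is only documented for authevt")
        if not dsn:
            raise ValueError("authevt: odbc= requires a DSN name")
        return Destination("odbc", dsn)
    if token.startswith("|"):
        script = token[1:]
        if not script.startswith("/"):
            raise ValueError(f"{taxonomy}: script destination must be an absolute path")
        return Destination("script", script)
    if token.startswith("/"):
        return Destination("file", token)
    raise ValueError(f"{taxonomy}: unrecognised destination {token!r}")


def parse_eventdestinations(line: str) -> Dict[str, List[Destination]]:
    """Parse one pb.settings line into {taxonomy: [destinations]}.

    A commented-out or empty line yields {}, which corresponds to the documented
    default (flat-file eventlog for authevt, eventdb for audit events).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return {}
    keyword, _, value = line.partition(" ")
    if keyword != "eventdestinations":
        raise ValueError(f"not an eventdestinations line: {keyword!r}")
    result: Dict[str, List[Destination]] = {}
    for group in value.split():             # taxonomy groups are space-delimited
        taxonomy, sep, dests = group.partition("=")
        if not sep or taxonomy not in TAXONOMIES:
            raise ValueError(f"unknown taxonomy group {group!r}")
        if taxonomy in result:              # assumption: duplicate groups are an error
            raise ValueError(f"taxonomy {taxonomy} given twice")
        if not dests:
            raise ValueError(f"{taxonomy}: no destination given")
        result[taxonomy] = [parse_destination(t, taxonomy) for t in dests.split(",")]
    return result


def authevt_sqlite_path(dests: List[Destination],
                        eventlog_setting: Optional[str]) -> Optional[str]:
    """Where authevt SQLite records land: an explicit db=/path wins; otherwise the
    eventlog setting with .db appended when missing. None when there is no db sink."""
    for d in dests:
        if d.kind == "db":
            if d.target:
                return d.target
            if eventlog_setting is None:
                raise ValueError("authevt=db needs an eventlog setting (or the OS default)")
            return eventlog_setting if eventlog_setting.endswith(".db") else eventlog_setting + ".db"
    return None


if __name__ == "__main__":
    sample = "eventdestinations authevt=db chgmgt=db,syslog fimrpt=|/mydir/process license=db,syslog"
    for taxonomy, dests in parse_eventdestinations(sample).items():
        print(taxonomy, dests)
```

Running the validator over a pb.settings line before deploying it catches the mistakes that otherwise only surface as silently missing events: a misspelt taxonomy name, a relative script path, or an odbc= destination in a group where it is not documented.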
Default
By default, all events are logged to the database specified by eventdb.
Used on
Log servers
eventformats
- Version 9.3.3 and earlier: eventformats setting not available.
- Version 9.4.4 and later: eventformats setting available.
Events that are not logged into a database can be logged in two different formats:
- Labeled Comma Separated Values, where values take the form <attribute_name>=,...
- JSON format
Example
eventformats chgmgt=json license=csv
Default
By default, all events are logged in JSON format.
Used on
Log servers
Message router
With the introduction of EPM-UL v10.1.0, a Fast Message Router was developed to better cope with high volumes of event and log information. The log server communicates all of its updates to the Message Router, which then logs the audit and log information to the appropriate places, including the event log, the BeyondInsight event queues, and the Solr and I/O log close action queues.
The pblighttpd service, which previously started the REST and Scheduler services, now also starts the Message Router services. If the Message Router is down, the log server stores all of its data in a temporary queue until the Message Router service is available again.
messageroutersocketpath
- Version 10.0.1 and earlier: messageroutersocketpath setting not available.
- Version 10.1.0 and later: messageroutersocketpath setting available.
This setting defines the absolute path to the Message Router work area, where sockets and temporary files are stored while the Message Router is unavailable.
Example
messageroutersocketpath /opt/pb/pb_msgrouter
Default
messageroutersocketpath /opt/<prefix>pbul<suffix>/msgrouter
Used on
- Policy servers
- Log servers
messagerouterqueuesize
- Version 10.0.1 and earlier: messagerouterqueuesize setting not available.
- Version 10.1.0 and later: messagerouterqueuesize setting available.
- Version 22.1 and later: messagerouterqueuesize setting syntax updated.
This setting specifies the number of temporary queue entries (and beginning in 22.1.0, also specifies the entry size) for the Message Router (used to route events to event logs, BIUL, Solr, SIEM, and other databases). Generally the default is acceptable, however, in large installations with many events logged per second, it might need to be increased.
Syntax in versions 10.1.0 to 21.1
messagerouterqueuesize x
The maximum value is 4095.
Example
messagerouterqueuesize 1000
Default
messagerouterqueuesize 800
Syntax in 22.1.0 and later
In 22.1.0, the previous syntax is still supported, however, additional syntax allows for much finer control:
messagerouterqueuesize ( x | identifier=numchunks[,chunksize] ) [identifier=numchunks[,chunksize]]*
The x value is compatible with the prior version syntax:
messagerouterqueuesize 800
The x value defines a default number of queue entries for any service not further defined in the value.
The valid identifiers are:
- eventlog
- ioc: The I/O log close action.
- iol: The I/O log cache service.
- intprod: The integrated Products Message Router service (sends events to BIUL).
- siem: The Message Router SIEM service (sends events to Elasticsearch).
Each numchunks value has a minimum of 50 and a maximum of 400000. The chunksize values are in K units.
For example, "… eventlog=200,8 …" allows for 200 8K chunks for events destined for an eventlog. This might be used by 200 events sized up to 8K each, 100 events sized between 8K and 16K, 50 events sized 32K, or any combination of events of different sizes.
Example
messagerouterqueuesize eventlog=22000,8 intprod=22000,8 siem=40000,8 ioc=200,16 iol=200,16
Default
messagerouterqueuesize eventlog=200,8 intprod=200,8 siem=200,8 ioc=200,16 iol=200,16
Used on
- Policy servers
- Log servers
messagerouterclosewait
- Version 10.0.1 and earlier: messagerouterclosewait setting not available.
- Version 10.1.0 and later: messagerouterclosewait setting available.
This setting specifies the maximum time a policy or log server waits, in seconds, for the Message Router to become available. If it cannot contact the Message Router after this duration, it writes the entries to temporary queues for later processing.
Example
messagerouterclosewait 120
Default
messagerouterclosewait 30
Used on
- Policy servers
- Log servers
writequeuetimeouts
- Version 10.0.1 and earlier: writequeuetimeouts setting not available.
- Version 10.1.0 and later: writequeuetimeouts setting available.
This setting specifies the timeouts for the write queue operations listed below. Although we do not recommend changing these in most cases, there may be scenarios, usually when hosts experience high load, where tuning these timeouts improves performance. The timeout operations are:
- openread
- openwrite
- write
- lock
Each timeout has three elements:
- The maximum timeout in milliseconds
- The incremental delay each time the operation is blocked
- A backoff component that can be used to increase the delay time each time the operation blocks
Example
writequeuetimeouts openread=1000,20,1.2 openwrite=5000,20,1.2 write=2000,10,1.0 lock=30000,50,2.0
Default
No default value
Used on
- Policy servers
- Log servers
writequeuepath
- Version 10.0.1 and earlier: writequeuepath setting not available.
- Version 10.1.0 and later: writequeuepath setting available.
The writequeuepath is the absolute path to a directory that will hold all the temporary write queues. This path should have enough disk space to cope with high volumes of data should the message router become unavailable.
Example
writequeuepath /opt/pbul/msgqueue
Default
writequeuepath /opt/<prefix>pbul<suffix>/msgrouter
Used on
- Policy servers
- Log servers
writequeuenum
- Version 10.0.1 and earlier: writequeuenum setting not available.
- Version 10.1.0 and later: writequeuenum setting available.
The writequeuenum setting allows the configuration of the maximum number of write queues that can be stored in the event that the Message Router becomes unavailable. The minimum value of writequeuenum is 10 and the maximum is 9999.
Note
This setting should only be increased in the event of contention due to very high load.
Example
writequeuenum 9999
Default
writequeuenum 999
Used on
- Policy servers
- Log servers
Change management events
Change management events are configured on the client by enabling changemanagementevents in the pb.settings, and on the primary log server by specifying the eventdb setting. This logs all changes to the Configuration and Settings and to the Role Based Policy databases.
When the setting is enabled, all changes require a message, which is logged alongside the username, date/time and the details of the actual change.
The events are sent to the log server defined in the pb.settings and can be retrieved via REST or locally on the log server with the pbdbutil --evt option.
Example
The administrator changes the pb.settings file and reimports it:
# pbdbutil --cfg -m "Change to pb.settings" -i /etc/pb.settings
{"fname":"/etc/pb.settings","version":4}
Then the administrator adds a new Role into the Role Based Policy database:
# pbdbutil --rbp -m "New role" -u '{ "role" : {"id":2,"name":"new role","rorder":2,"description":"new role for admin","disabled":0,"risk":0,"action":"A","iolog":null,"script":null}}'
The Change Management Events can be accessed on the primary log server:
# pbdbutil --evt -s chgmgt
{
  "hostname": "pbuild", "evtname": "file_import", "service": "pbdbutil9.0.0-14",
  "who": "admin1", "severity": 16, "utc": "2015-05-21 11:53:07",
  "progname": "pbdbutil9.0.0-14 ", "version": "9.0.0-14 ", "arch": "x86_64_linuxA",
  "data": {
    "fname": "/etc/pb.settings", "version": 4, "msg": "Change to pb.settings",
    "sid": 33235, "pid": 34378, "uid": 0
  }
}
{
  "hostname": "pbuild", "evtname": "put", "service": "pbdbutil9.0.0-14",
  "who": "admin1", "severity": 16, "utc": "2015-05-21 11:56:35",
  "progname": "pbdbutil9.0.0-14 ", "version": "9.0.0-14_debug", "arch": "x86_64_linuxA",
  "data": {
    "id": 2, "description": "new role for admin", "risk": 0, "action": "A",
    "name": "new role", "rorder": 2, "disabled": 0, "iolog": null, "script": null,
    "sid": 33235, "pid": 34423, "uid": 0
  }
}
License events
The licensing system introduced in version 10.0.1 allows the logging of all license history events. This produces an event for every license check, and as such can impose an increased load on all server components. When it is enabled, each policy server, File Integrity Server, Advanced Keystroke Action Server, and so on, sends an event to the log server to be logged as specified in eventdestinations.
licensehistory
This setting enables the production of license history events on all servers. The setting is synchronized from the primary license server across the whole EPM-UL installation.
Example
licensehistory yes
Default
licensehistory no
Used on
All servers
File integrity monitor events
The File Integrity Monitor component can be configured to send summary events from reports as an Audit event. The eventdestinations setting details how these events are processed, and can be used to monitor the status of the service. This setting should be specified on all the File Integrity Monitor Policy Servers.
fileintegrityevents
- Version 9.3.0 and earlier: fileintegrityevents setting not available.
- Version 9.4.0 and later: fileintegrityevents setting available.
This setting enables the production of File Integrity Report events, which are logged in the log server.
Example
fileintegrityevents yes
Default
fileintegrityevents no
Used on
All File Integrity Servers
Advanced keystroke action
The Advanced Keystroke Action component can be configured to send events for every successful session and every command run on a remote server or network appliance.
advkeystrokeactionevents
- Version 9.3.3 and earlier: advkeystrokeactionevents setting not available.
- Version 9.4.4 and later: advkeystrokeactionevents setting available.
The advkeystrokeactionevents setting enables the production of Advanced Keystroke Action events, which are logged on the log server.
Example
advkeystrokeactionevents yes
Default
advkeystrokeactionevents no
Used on
All Advanced Keystroke Action servers
advkeystrokeactionpolicydb
- Version 9.4.1 and earlier: advkeystrokeactionpolicydb setting not available.
- Version 9.4.3 and later: advkeystrokeactionpolicydb setting available.
The advkeystrokeactionpolicydb setting defines the path to the Advanced Keystroke Action policy database which stores all the AKA policies.
This file is created in databasedir by default, unless the file name starts with /.
Example
advkeystrokeactionpolicydb /etc/pbakapolicy.db
Default
advkeystrokeactionpolicydb /opt/<prefix>pbul<suffix>/dbs/pbadvkeystrokeactionpolicy.db
Used on
Advanced Keystroke Action Policy servers
advkeystrokeactioncachedb
- Version 9.4.1 and earlier: advkeystrokeactioncachedb setting not available.
- Version 9.4.3 and later: advkeystrokeactioncachedb setting available.
The advkeystrokeactioncachedb setting defines the path to the Advanced Keystroke Action profile cache database that is kept on the client so that it always has access to the latest AKA profiles.
Example
advkeystrokeactioncachedb /etc/pbakacache.db
Default
advkeystrokeactioncachedb /opt/<prefix>pbul<suffix>/dbs/pbadvkeystrokeactioncache.db
Used on
Advanced Keystroke Action clients
advkeystrokeactionlog
- Version 9.4.1 and earlier: advkeystrokeactionlog setting not available.
- Version 9.4.3 and later: advkeystrokeactionlog setting available.
The advkeystrokeactionlog contains the path name of the Advanced Keystroke Action diagnostic log file.
Example
advkeystrokeactionlog /var/log/pbakapolicy.log
Default
No default value
Used on
Advanced Keystroke Action Policy servers
Session logging
EPM-UL records the start of all commands and the finish of all commands not run in local mode. The session start and finish events can also be logged by using the following:
- System wtmp or wtmpx files (recordunixptysessions)
- Syslog system (syslogsessions)
- PAM system (pamsessionservice)
recordunixptysessions
- Version 3.5 and earlier: recordunixptysessions setting not available.
- Version 4.0 and later: recordunixptysessions setting available.
The recordunixptysessions setting controls whether command start and finish events are logged to the run host utmp or utmpx files. When set to yes, the events are logged.
Note
This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.
Example
recordunixptysessions no
Default
recordunixptysessions yes
Used on
Run hosts
Note
If you are using pamsessionservice, then you might need to set recordunixptysessions to no to avoid duplicate entries in your utmp or utmpx files.
Note
When the login shell is an Endpoint Privilege Management shell and I/O logging is on, an additional pty is created, which is logged in the run host’s utmp log. Note that the ut_host field is set to the run host value, not the remote host, because this pty originated on the run host.
syslogsessions
- Version 4.0.0 and later: syslogsessions setting available.
The syslogsessions setting controls whether command start and finish events are logged to the run host syslog system. When set to yes, the events are logged.
Note
This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.
Example
syslogsessions yes
Default
syslogsessions no
Used on
Run hosts
Note
If you are using pamsessionservice, then you might need to set syslogsessions to no to avoid duplicate syslog entries.
I/O logging
Endpoint Privilege Management can maintain I/O logs of sessions under control of the configuration policy language. The passwordlogging and rootshelldefaultiolog settings provide additional system-wide control of the I/O logs. On policy server hosts and log hosts, you can control how much file system space is used with the logreservedfilesystems and logreservedblocks settings.
Endpoint Privilege Management records I/O logs in log files on the log host or policy server host (if not using a log server).
I/O log indexing and searching
Note
As of version 23.1, Solr is deprecated. EPM-UL no longer supports installing Solr, but features that use an existing Solr installation will continue to work.
In a BeyondInsight integrated environment, using Solr servers, each log server and policy server host can communicate with a Solr server, submitting EPM-UL I/O log output data for indexing.
BeyondInsight provides a search GUI, allowing users to search indexed I/O logs.
iologack
- Version 6.0 and earlier: iologack setting not available.
- Version 6.2.5 and later: iologack setting available.
The iologack setting enables a log host to send an acknowledgement to the submit host after the log host writes each I/O log data segment. Using this setting can prevent data integrity problems and prevent the submit host from hanging when there are network interruptions or if the log host becomes unavailable during an I/O logging session. However, enabling acknowledgements can increase network traffic and degrade system performance.
The submit host waits for acknowledgement for a period of time that is determined by the logserverprotocoltimeout setting. If logserverprotocoltimeout is set to a value other than -1, then the timeout period is 10 seconds. Otherwise, the timeout period is the value of logserverprotocoltimeout.
For acknowledgements to be sent, the iologack setting on the submit host and the log host must both be set to yes.
Example
iologack yes
Default
iologack no
Used on
- Submit hosts
- Log hosts
passwordlogging
- Version 4.0.0 and later: passwordlogging setting available.
It might be desirable to control whether passwords can be logged to a greater extent than using the variable lognopassword alone. Setting passwordlogging to never suppresses all text portions of the input stream that are not echoed in the output stream. This action also sets the configuration policy language variable lognopassword to never and makes it read-only.
Valid values
- allow
- never
Example
passwordlogging allow
Default
passwordlogging never
Used on
- Policy server hosts
- Run hosts
- Submit hosts
For more information, see lognopassword.
rootshelldefaultiolog
- Version 4.0.0 and later: rootshelldefaultiolog setting available.
When root runs an EPM-UL shell (for example, pbsh or pbksh), and a policy server daemon cannot be reached, that shell records an I/O log for the root session. Because no policy server can be reached, rootshelldefaultiolog provides a default emergency I/O log. If the file name is not unique, then EPM-UL adds a unique 6-character suffix to the name.
Example
rootshelldefaultiolog /var/logs/root.default.iolog
Default
rootshelldefaultiolog /pbshell.iolog
Used on
Submit hosts by pbksh and pbsh when a policy server host is not available.
logreservedfilesystems and logreservedblocks
- Version 4.0.0 and later: logreservedfilesystems and logreservedblocks settings available.
The logreservedfilesystems and logreservedblocks settings enable the administrator to control free space on the logreservedfilesystems file systems, and cause an immediate failover if the log host’s free space falls below logreservedblocks.
If the number of free 1KB blocks falls below logreservedblocks on any of the file systems that are specified in any of the logreservedfilesystems on the log host, then the log daemon immediately refuses any new requests, causing an immediate failover. The same happens on the policy server host if you are not using a log server.
For example, if logreservedfilesystems lists /var/log and /usr/log and logreservedblocks is set to 10000, then new requests are rejected as soon as the free space in either of the file systems containing those directories falls below 10,000 blocks. Requests that are already in progress are allowed to continue.
Example
logreservedfilesystems /var /usr/log
logreservedblocks 2000
Default
logreservedblocks 0
No default value for logreservedfilesystems.
Used on
- Log hosts
- Policy server hosts if a log host is not used
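The free-space check described above is a useful thing to monitor from the outside, since the first sign of it firing in production is a failover. The following is an added example, not EPM-UL's own code: it reads logreservedfilesystems and logreservedblocks from pb.settings-style text, measures free 1 KB blocks with os.statvfs, and reports which configured file systems would already make the log daemon refuse new requests. It assumes f_bavail (blocks available to unprivileged processes) is the right measure, which errs on the side of warning early; the daemon's exact accounting is not documented on this page.

```python
import os
from typing import Dict, Iterable, List, Tuple


def parse_log_reservation(settings_text: str) -> Tuple[List[str], int]:
    """Read logreservedfilesystems and logreservedblocks from pb.settings-style text.

    Returns (file systems, blocks). Missing keys give ([], 0), which matches the
    documented defaults (no file systems, logreservedblocks 0).
    """
    filesystems: List[str] = []
    blocks = 0
    for raw in settings_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        if key == "logreservedfilesystems":
            filesystems = rest.split()
        elif key == "logreservedblocks":
            blocks = int(rest.strip())
    return filesystems, blocks


def free_1k_blocks(path: str) -> int:
    """Free 1 KB blocks on the file system holding path.

    Assumption: f_bavail is used rather than f_bfree, so the check warns a little
    before the daemon (which runs as root) would see the same shortage.
    """
    st = os.statvfs(path)
    return (st.f_bavail * st.f_frsize) // 1024


def filesystems_below_reserve(filesystems: Iterable[str], reserved_blocks: int,
                              free_blocks: Dict[str, int]) -> List[str]:
    """File systems whose free 1 KB blocks are below logreservedblocks.

    free_blocks maps each configured path to its free block count (from
    free_1k_blocks or any monitoring source). A non-empty result means the log
    daemon would refuse new requests and clients would fail over. A path missing
    from free_blocks is treated as empty, so it is reported rather than ignored.
    With logreservedblocks 0 the check is disabled, matching the default.
    """
    if reserved_blocks <= 0:
        return []
    return [fs for fs in filesystems if free_blocks.get(fs, 0) < reserved_blocks]


def check_host(settings_text: str) -> List[str]:
    """Run the check on the local host against the given settings text."""
    filesystems, blocks = parse_log_reservation(settings_text)
    measured = {fs: free_1k_blocks(fs) for fs in filesystems}
    return filesystems_below_reserve(filesystems, blocks, measured)


if __name__ == "__main__":
    # Constructed settings matching the example on the page.
    sample = "logreservedfilesystems /var /usr/log\nlogreservedblocks 2000\n"
    print("below reserve:", check_host(sample))
```

Point a monitoring job at the same values the log host uses so the alert threshold and the failover threshold never drift apart.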
Customized syslog formatting
For syslog logging, you can specify the format and select specific fields to be written to the syslog file for accept, reject, and session syslog messages. This feature simplifies integration with Security Information and Event Management (SIEM) systems that typically rely on the standard syslog format to aggregate event data across many different devices. The settings in this section enable and configure this feature.
For all of these settings, the argument is either none or a text string that includes references to event log variables. If the argument is none, then the corresponding event record is not written to the syslog file. This feature enables you to use the syslog() procedure in the policy without sending duplicate records to the syslog files. If the setting is not included in the pb.settings file, then EPM-UL performs syslog logging with hard-coded accept, reject, and session messages.
To define a string to write to the syslog file, the entire text string must be enclosed in double quotation marks ("). An event log variable must be enclosed in percent character (%). A literal percent or double quotation mark character must be preceded by a back slash (\" and \%, for example). A particular item in a list variable can be referenced with the index number for that list (%argv[1]%, for example).
Note
This feature extends to one level of lists only; multi-level lists are not handled.
When an event that is recognized by one of these settings occurs, the text string is written to the syslog file, and the event log variable references are replaced with the values of those variables for that event. A variable reference that is not recognized is replaced with the string <variable_name:undefined> (<variable_name [n]:undefined> for unrecognized or nonexistent list items).
Note
Customized Syslog Formatting messages over 1,024 characters are truncated.
Note
When Endpoint Privilege Management is installed, if a previous pb.settings file exists without the customized syslog formatting settings specified, then Endpoint Privilege Management adds sample customized syslog formatting settings as comments. You can uncomment and remove the string SAMPLE, and then modify these sample settings.
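The template rules above (percent-delimited variable references, one-level list indexing, backslash escapes, the `<variable_name:undefined>` replacement and the 1,024-character truncation) are exactly what a SIEM parser has to be tested against. The block below is an added example, not EPM-UL's own formatter: it renders a syslog_*_format string against a constructed event record so the resulting message can be checked before a collector rule is written for it. It assumes list indexes are 0-based as in the EPM-UL policy language (so %argv[1]% is the first argument) and that a list referenced without an index is joined with spaces; neither is stated on this page.

```python
import re
from typing import Any, Dict

# Per the page: customized syslog messages over 1,024 characters are truncated.
MAX_SYSLOG_LEN = 1024

# One unescaped reference: %name% or %name[n]%. The backslash escape (\% or \")
# is tried first so an escaped percent sign can never start a reference.
_TOKEN = re.compile(r'\\(.)|%([A-Za-z_][A-Za-z0-9_]*)(?:\[(\d+)\])?%')


def render_syslog_format(fmt: str, event: Dict[str, Any]) -> str:
    """Expand one syslog_*_format template against one event record.

    fmt is the text between the double quotes in pb.settings. event maps event
    log variable names to scalar values or one-level lists.
    """
    def expand(m: "re.Match[str]") -> str:
        escaped, name, index = m.group(1), m.group(2), m.group(3)
        if escaped is not None:          # \% -> %, \" -> "
            return escaped
        if name not in event:            # unrecognized variable
            if index is None:
                return f"<{name}:undefined>"
            return f"<{name}[{index}]:undefined>"
        value = event[name]
        if index is None:
            # Assumption: a whole list without an index is joined with spaces.
            return " ".join(map(str, value)) if isinstance(value, list) else str(value)
        i = int(index)                   # assumption: 0-based, as in the policy language
        if not isinstance(value, list) or i >= len(value):   # nonexistent list item
            return f"<{name}[{index}]:undefined>"
        return str(value[i])

    return _TOKEN.sub(expand, fmt)[:MAX_SYSLOG_LEN]


# Constructed sample accept event; not taken from a real log host.
SAMPLE_ACCEPT_EVENT: Dict[str, Any] = {
    "command": "cat /etc/shadow",
    "argv": ["cat", "/etc/shadow"],
    "date": "2024/05/01", "hour": "09", "minute": "15",
    "user": "alice", "submithost": "build01",
    "runuser": "root", "runhost": "db01",
}

# The page's syslog_accept_format sample, written on one line.
ACCEPT_FORMAT = ("Endpoint Privilege Management for Unix and Linux Master accepted "
                 "%command% on %date% at %hour%:%minute%. The command was submitted by "
                 "%user% on %submithost% and run by %runuser% on %runhost%")


def render_sample_accept() -> str:
    """Render the page's accept template against the constructed event."""
    return render_syslog_format(ACCEPT_FORMAT, SAMPLE_ACCEPT_EVENT)


if __name__ == "__main__":
    print(render_sample_accept())
```

Feeding the rendered string into the collector's test harness catches the two mistakes that most often break SIEM ingestion here: a template that silently exceeds 1,024 characters once long commands are substituted, and a misspelled variable that turns every message into `<name:undefined>`.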
syslog_accept_format
- Version 6.2 and earlier: syslog_accept_format setting not available.
- Version 7.0 and later: syslog_accept_format setting available.
The syslog_accept_format setting defines the format of the record to be written to the syslog file for accept events.
Example
syslog_accept_format "Endpoint Privilege Management for Unix and Linux Master accepted
%command% on %date% at %hour%:%minute%. The command was submitted by
%user% on %submithost% and run by %runuser% on %runhost%"
Default
No default value
Used on
Policy server hosts
syslog_reject_format
- Version 6.2 and earlier: syslog_reject_format setting not available.
- Version 7.0 and later: syslog_reject_format setting available.
The syslog_reject_format setting defines the format of the record to be written to the syslog file for reject events.
Example
syslog_reject_format "Endpoint Privilege Management for Unix and Linux Master reject
%command% on %date% at %hour%:%minute%. The command was submitted by %user% on %submithost%"
Default
No default value
Used on
Policy server hosts
syslogsession_start_format
- Version 6.2 and earlier: syslogsession_start_format setting not available.
- Version 7.0 and later: syslogsession_start_format setting available.
The syslogsession_start_format setting defines the format of the record to be written to the syslog file for session start events.
Example
syslogsession_start_format "Endpoint Privilege Management for Unix and Linux session started on
%date% at %hour%:%minute%. The session was started by %user%"
Default
No default value
Used on
Run hosts
syslogsession_start_fail_format
- Version 6.2 and earlier: syslogsession_start_fail_format setting not available.
- Version 7.0 and later: syslogsession_start_fail_format setting available.
The syslogsession_start_fail_format setting defines the format of the record to be written to the syslog file for session failed to start events.
Example
syslogsession_start_fail_format "Endpoint Privilege Management for Unix and Linux session failed to start on %date% at %hour%:%minute%. User %user% attempted to start this session."
Default
No default value
Used on
Run hosts
syslogsession_finished_format
- Version 6.2 and earlier: syslogsession_finished_format setting not available.
- Version 7.0 and later: syslogsession_finished_format setting available.
The syslogsession_finished_format setting defines the format of the record to be written to the syslog file for session finished events.
Example
syslogsession_finished_format "Endpoint Privilege Management for Unix and Linux session finished on %date% at %hour%:%minute%. The session was started by %user%"
Default
No default value
Used on
Run hosts
syslogsession_finished_format_logserver
- Version 10.0.1 and later: syslogsession_finished_format_logserver setting available.
The syslogsession_finished_format_logserver setting defines the format of the record to be written to the syslog file for Finish events, from the log server.
Example
syslogsession_finished_format_logserver "Task: '%runcommand%' finished at %exitdate% %exittime% as %runuser% on %runhost% with status %exitstatus%"
Default
No default value
Used on
Log servers
AD Bridge event logging
The BeyondTrust AD Bridge product enables you to attach Unix and Linux computers to a Microsoft Active Directory domain and manage them using Group Policies. Endpoint Privilege Management for Unix and Linux can send information about certain events to AD Bridge for logging and reporting purposes. The settings in this section enable and configure the sending of event information to AD Bridge.
loadpbislibs
- Version 6.2 and earlier: loadpbislibs setting not available.
- Version 7.0 and later: loadpbislibs setting available.
The loadpbislibs setting loads the shared AD Bridge library at runtime, regardless of the value of the pbis_event_logging setting, provided that the sharedlibpbisdependencies setting is set with valid values and not set to none.
Example
loadpbislibs yes
Default
loadpbislibs no
Used on
- Submit hosts
- Run hosts
- Policy server hosts
- Log hosts
pbis_event_logging
- Version 6.2 and earlier: pbis_event_logging setting not available.
- Version 7.0 and later: pbis_event_logging setting available.
The pbis_event_logging setting controls the writing of Endpoint Privilege Management for Unix and Linux events (Accept, Reject, Finish, and Keystroke Action) to the AD Bridge event log database. A value of yes enables sending event information to AD Bridge and a value of no disables sending event information to AD Bridge. For this setting to have any effect, the sharedlibpbisdependencies setting must be set with valid values and not set to none.
Example
pbis_event_logging yes
Default
pbis_event_logging no
Used on
- Policy server hosts
- Log hosts
pbis_log_connect_success
- Version 6.2 and earlier: pbis_log_connect_success setting not available.
- Version 7.0 and later: pbis_log_connect_success setting available.
The pbis_log_connect_success setting enables the sending of successful-connection events (to log hosts and policy server hosts) to the AD Bridge event log database. It also controls the posting of an event to AD Bridge if the policy server host is able to connect to the run host. For this setting to have any effect, the sharedlibpbisdependencies setting must be set with valid values and not set to none.
Example
pbis_log_connect_success yes
Default
pbis_log_connect_success no
Used on
- Policy server hosts
- Submit hosts
- Run hosts
pbis_log_failover
- Version 6.2 and earlier: pbis_log_failover setting not available.
- Version 7.0 and later: pbis_log_failover setting available.
The pbis_log_failover setting enables the sending of policy server host and log host failover events to the AD Bridge event log database. It also controls the posting of an event to AD Bridge if the policy server host finds the run host unresponsive. For this setting to have any effect, the sharedlibpbisdependencies setting must be set with valid values and not set to none.
Example
pbis_log_failover yes
Default
pbis_log_failover no
Used on
- Policy server hosts
- Submit hosts
- Run hosts
sharedlibpbisdependencies
- Version 6.2 and earlier: sharedlibpbisdependencies setting not available.
- Version 7.0 and later: sharedlibpbisdependencies setting available.
The sharedlibpbisdependencies setting specifies the shared libraries that are used to send event information to the AD Bridge event log. When set to none or when not set at all, no event information is sent to AD Bridge. If libraries are specified but they fail to load properly, Endpoint Privilege Management for Unix and Linux records an error message and continues to operate without sending event information to AD Bridge.
Example
sharedlibpbisdependencies /opt/pbis/lib/libeventlog_norpc.so.0.0.0 /opt/pbis/lib/liblwbase_nothr.so.0.0.0
Default
The default value depends on the Endpoint Privilege Management for Unix and Linux flavor and is determined at installation. You can change the value of this setting while running the Endpoint Privilege Management for Unix and Linux installer or by modifying the pb.settings file after installation.
Used on
- Policy server hosts
- Log hosts
- Submit hosts
- Run hosts
BeyondInsight event logging
The BeyondTrust BeyondInsight product enables you to capture and report on privilege and vulnerability data across the entire IT stack (server, desktop, cloud, mobile, and virtualized environments).
Starting with version 7.5, Endpoint Privilege Management for Unix and Linux can send information about certain events to BeyondInsight for logging and reporting purposes.
The settings in this section enable and configure the sending of event information to BeyondInsight.
rcshost
- Version 7.1 and earlier: rcshost setting not available.
- Version 7.5 and later: rcshost setting available.
The hostname of the Windows machine where BeyondInsight is installed. This keyword does not support the Endpoint Privilege Management for Unix and Linux extended settings such as interface.
Example
rcshost W7-RETINACS-01
Default
No default value
Used on
- Policy server hosts
- Log hosts
rcswebsvcport
- Version 7.1 and earlier: rcswebsvcport setting not available.
- Version 7.5 and later: rcswebsvcport setting available.
The port number used to communicate with BeyondInsight Web Services on rcshost.
Example
rcswebsvcport 443
Default
rcswebsvcport 443
Used on
- Policy server hosts
- Log hosts
rcsworkgroup
- Version 7.5 and earlier: rcsworkgroup setting not available.
- Version 8.0 and later: rcsworkgroup setting available.
A label which helps BeyondInsight identify and sort data sent from Endpoint Privilege Management for Unix and Linux.
Example
rcsworkgroup PMULMasterBeyondTrustWorkgroup
Default
rcsworkgroup "BeyondTrust Workgroup"
Used on
Policy server hosts
sslrcscertfile
- Version 7.1 and earlier: sslrcscertfile setting not available.
- Version 7.5 and later: sslrcscertfile setting available.
BeyondInsight Client Certificate File in PEM format. Used to authenticate Endpoint Privilege Management to BeyondInsight when sending event log records.
Example
sslrcscertfile /etc/retinacs-01_eEyeEmsClient.pem
Default
No default value
Used on
- Policy server hosts
- Log hosts
sslrcscafile
- Version 7.1 and earlier: sslrcscafile setting not available.
- Version 7.5 and later: sslrcscafile setting available.
BeyondInsight server-bound Certificate Authority File in PEM format. Used to authenticate the BeyondInsight server when sending event log records.
Example
sslrcscafile /etc/retinacs-01_eEyeEmsCA.pem
Default
No default value
Used On
- Policy server hosts
- Log hosts
Log synchronization
Consolidate and merge logs from the log server and the secondary server following a log server failover and log server recovery. Log synchronization is controlled by the logresynctimermin, pbsyncdlog, pbsynclog, and syncport settings. The client also uses log servers and event logs.
logresynctimermin
- Version 4.0 and earlier: logresynctimermin setting not available.
- Version 5.0 and later: logresynctimermin setting available.
When pbsync is started in daemon mode, this variable defines how often the client attempts to resynchronize the files. The time is defined in minutes and can be 5 minutes or greater.
Example
logresynctimermin 15
Default
logresynctimermin 16
Used on
- Log hosts
- Synchronization clients
pbsyncdlog
- Version 4.0 and earlier: pbsyncdlog setting not available.
- Version 5.0 and later: pbsyncdlog setting available.
A separate file keeps track of server transactions. This variable refers to the path and file name for this feature's log, typically:
/path_to_logs/pbsyncd.log
Example
pbsyncdlog /var/log/pbsyncd.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pbsyncdlog /var/log/pbsyncd.log
pbsyncdlog /usr/log/pbsyncd.log
pbsyncdlog /var/adm/pbsyncd.log
pbsyncdlog /usr/adm/pbsyncd.log
Used on
- Log hosts
- Synchronization clients
pbsynclog
- Version 4.0 and earlier: pbsynclog setting not available.
- Version 5.0 and later: pbsynclog setting available.
There is a unique file to keep track of client transactions. pbsynclog refers to the path and file name for this feature’s log, typically:
/path_to_logs/pbsync.log
Example
pbsynclog /var/log/pbsync.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pbsynclog /var/log/pbsync.log
pbsynclog /usr/log/pbsync.log
pbsynclog /var/adm/pbsync.log
pbsynclog /usr/adm/pbsync.log
Used on
- Log hosts
- Synchronization clients
syncport
- Version 4.0 and earlier: syncport setting not available.
- Version 5.0 and later: syncport setting available.
syncport defines the TCP port number that is used for log synchronization. The port numbers for Endpoint Privilege Management daemons must use the non-reserved system ports. The allowed port numbers are 1024 to 65535 (inclusive).
Example
syncport 24350
Default
syncport 24350
Used on
- Log hosts
- Synchronization clients
syncprotocoltimeout
- Version 5.2 and earlier: syncprotocoltimeout setting not available.
- Version 6.0 and later: syncprotocoltimeout setting available.
After a connection is established between a log synchronization client (pbsync) and server (pbsyncd), the programs perform protocol checks to verify a proper connection. Some types of protocol failures could take a long time to determine (for example, the wrong service running on the policy server port, or mismatched encryption types/keys).
The syncprotocoltimeout setting determines the maximum time to wait for protocol completion. If a protocol step does not complete within the specified number of milliseconds, then pbsync stops with an error. A value of -1 indicates no protocol timeout.
Example
syncprotocoltimeout 2000
Default
syncprotocoltimeout -1
Used on
- Log hosts
- Log synchronization hosts
Event queueing of integrated products
EPM-UL sends its events to other products, such as BeyondTrust BeyondInsight, for additional processing to provide added value to users. Starting with v10.1.0, a message router and event scheduler are used to manage the transmission of event data to the integrated products. This architecture comes with additional configuration settings.
integratedproductsqueuedb
- Version 10.0.0 and earlier: integratedproductsqueuedb setting not available.
- Version 10.1.0 and later: integratedproductsqueuedb setting available.
The integratedproductsqueuedb setting specifies the path to the event queue database that holds the event data to be forwarded by the scheduler to the integrated product(s). If a relative path is specified, the databasedir setting is used to derive the full path.
Example
integratedproductsqueuedb /mypath/pbipevent.db
Default
integratedproductsqueuedb /opt/<prefix>pbul<suffix>/dbs/pbintprodq.db
Used on
- Log hosts
- Policy server hosts
autofwdtime
- Version 7.1 and earlier: autofwdtime setting not available.
- Version 7.5 and later: autofwdtime setting available.
- Version 10.1.0 and later: autofwdtime setting available, but usage modified.
The interval, in minutes, that defines how often the scheduler processes the queued events to be forwarded to integrated products (BeyondInsight, for example). If this keyword does not exist in the settings file, it defaults to 20 minutes.
Example
autofwdtime 4
Default
autofwdtime 20
Used on
- Policy server hosts
- Log hosts
BeyondInsight I/O log indexing and searching
Starting with version 7.5, Endpoint Privilege Management can index I/O log files for an improved search capability using BeyondInsight Search GUI. Each log server and policy server host can communicate with a Solr server, submitting I/O log output data for indexing.
BeyondInsight provides a search GUI, allowing users to search indexed I/O logs.
The settings in this section enable and configure the indexing of I/O log files with Solr.
Solrhost
- Version 7.1 and earlier: Solrhost setting not available.
- Version 7.5 and later: Solrhost setting available.
The hostname where the Solr server is installed. This keyword does not support the EPM-UL extended settings such as interface.
Example
Solrhost mySolrhost.mydomain
Default
No default value
Solrport
- Version 7.1 and earlier: Solrport setting not available.
- Version 7.5 and later: Solrport setting available.
The port number used to communicate with the Solr server.
Example
Solrport 8443
Default
Solrport 8443
Used on
- Policy server hosts
- Log hosts
Solrvariables
- Version 7.1 and earlier: Solrvariables setting not available.
- Version 7.5 and later: Solrvariables setting available.
A list of EPM-UL policy variables, each ending in _pbul, whose values are stored as data in Solr.
Example
Solrvariables role_pbul list_pbul ticket_pbul
Default
No default value
Used on
- Policy server hosts
- Log hosts
Solrclientkeyfile
- Version 7.1 and earlier: Solrclientkeyfile setting not available.
- Version 7.5 and later: Solrclientkeyfile setting available.
Specifies a PEM format file containing the private key for a Solr client. The Solr server must be configured to have its Java keystore contain the Certificate Authority Certificate (CA cert) that signed the client's public certificate.
Example
Solrclientkeyfile /etc/Solr.myhost.client.key.pem
Default
No default value
Used on
- Policy server hosts
- Log hosts
Solrclientcertfile
- Version 7.1 and earlier: Solrclientcertfile setting not available.
- Version 7.5 and later: Solrclientcertfile setting available.
Specifies a PEM format file containing the public certificate for the Solr client private key. The Solr server must be configured to have its Java keystore contain the Certificate Authority Certificate (CA cert) that signed the client’s public certificate.
Example
Solrclientcertfile /etc/Solr.myhost.client.cert.pem
Default
No default value
Used on
- Policy server hosts
- Log hosts
Solrcafile
- Version 7.1 and earlier: Solrcafile setting not available.
- Version 7.5 and later: Solrcafile setting available.
Specifies a PEM format file containing the Certificate Authority Certificate (CA cert) for the CA that signed the Solr server’s SSL certificate. If this keyword is specified in pb.settings, pbreplay initiates an SSL connection to the Solr server. The Solrport keyword must be set to a port that Solr is using for HTTPS/SSL traffic.
Example
Solrcafile /etc/Solr.myhost.ca.pem
Default
No default value
Used on
- Policy server hosts
- Log hosts
iologactiondb
- Version 9.4.5 and earlier: iologactiondb setting not available.
- Version 10.0 and later: iologactiondb setting available.
Optionally specifies the path and file name of a database used internally to schedule iolog indexing. This prevents too many pbreplay processes from overloading the system. If not specified, the default pbiologaction.db in the database directory is used.
Example
iologactiondb /opt/pbul/dbs/action.db
Default
iologactiondb /opt/<prefix>pbul<suffix>/dbs/pbiologaction.db
Used on
- Policy server hosts
- Log hosts
iologactioninterval
- Version 10.0.0 and earlier: iologactioninterval not available.
- Version 10.0.1 and later: iologactioninterval available.
Optionally specifies the interval at which the scheduler checks to see if I/O logs need to be processed for Solr or iologcloseactions. The default is 60 seconds, and the minimum is 30 seconds.
Example
iologactioninterval 120
Default
iologactioninterval 60
Used on
- Policy server hosts
- Log hosts
iologactionmaxprocs
- Version 9.4.5 and earlier: iologactionmaxprocs not available.
- Version 10.0 and later: iologactionmaxprocs available.
Optionally specifies a limit to the number of simultaneous pbreplay processes that can index I/O logs to Solr. This prevents too many pbreplay processes from overloading the system. If not specified, the default of 4 is used.
Example
iologactionmaxprocs 120
Default
iologactionmaxprocs 4
Used on
- Policy server hosts
- Log hosts
iologactionqueuetimelimit
- Version 10.0.0 and earlier: iologactionqueuetimelimit not available.
- Version 10.0.1 and later: iologactionqueuetimelimit available.
Optionally specifies the time limit, in minutes, that an iolog can be held in the processing queue without a heartbeat from pblogd, before that iolog is marked as ready for Solr or iologcloseaction. The default is 720 minutes (12 hours).
Example
iologactionqueuetimelimit 300
Default
iologactionqueuetimelimit 720
Used on
- Policy server hosts
- Log hosts
iologactionqueuetimeouts
- Version 9.4.5 and earlier: iologactionqueuetimeouts not available.
- Version 10.0 and later: iologactionqueuetimeouts available.
The timeout values specified include:
- [openread=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for the open for processing of pblicense write queues.
- [openwrite=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for the open by clients to log transaction.
- [write=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for waiting to write to the write queue.
- [lock=timeout,delta,backoff]: The overall timeout, the spin wait delta and the backoff modifier for waiting for exclusive lock when processing the pblicense write queues.
Example
iologactionqueuetimeouts openread=1000,10,2.0 openwrite=30000,5,1.2 write=30000,5,1.2 lock=30000,5,1.2
Default
No default value
Used on
- Policy server hosts
- Log hosts
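The iologactionqueuetimeouts value packs three numbers into each of four named entries, and a typo in one of them is easy to miss by eye. The block below is an added example, not EPM-UL's own parser: it validates the setting value into named tuples and shows the retry waits that a spin-wait loop with the given delta and backoff modifier would produce before giving up at the overall timeout. The loop shape (start at delta, multiply by backoff on every retry, shorten the last wait so the total equals the timeout) is an assumption used to illustrate the three values; the daemon's actual loop and the units of the numbers are not documented on this page.

```python
from typing import Dict, List, NamedTuple

# The four queue names this setting documents.
QUEUE_NAMES = ("openread", "openwrite", "write", "lock")


class QueueTimeout(NamedTuple):
    timeout: int     # overall timeout
    delta: int       # spin wait delta (initial wait)
    backoff: float   # backoff modifier applied to each successive wait


def parse_queue_timeouts(value: str) -> Dict[str, QueueTimeout]:
    """Parse the value of iologactionqueuetimeouts, for example
    'openread=1000,10,2.0 openwrite=30000,5,1.2 write=30000,5,1.2 lock=30000,5,1.2'.

    Raises ValueError on an unknown queue name, a malformed triple, or values
    that could never terminate (non-positive timeout or delta, backoff below 1).
    """
    result: Dict[str, QueueTimeout] = {}
    for item in value.split():
        name, sep, spec = item.partition("=")
        if not sep or name not in QUEUE_NAMES:
            raise ValueError(f"unknown queue timeout entry: {item!r}")
        parts = spec.split(",")
        if len(parts) != 3:
            raise ValueError(f"{name}: expected timeout,delta,backoff, got {spec!r}")
        timeout, delta, backoff = int(parts[0]), int(parts[1]), float(parts[2])
        if timeout <= 0 or delta <= 0 or backoff < 1.0:
            raise ValueError(f"{name}: timeout and delta must be positive and backoff >= 1.0")
        result[name] = QueueTimeout(timeout, delta, backoff)
    return result


def wait_schedule(qt: QueueTimeout) -> List[int]:
    """Successive waits under the assumed spin-wait-with-backoff loop.

    Starts at delta, multiplies by backoff after every retry, and stops once the
    overall timeout is reached; the final wait is shortened so the waits sum to
    exactly the timeout. Useful for seeing how many retries a setting allows.
    """
    waits: List[int] = []
    elapsed = 0
    current = float(qt.delta)
    while elapsed < qt.timeout:
        step = max(1, min(int(current), qt.timeout - elapsed))
        waits.append(step)
        elapsed += step
        current *= qt.backoff
    return waits


if __name__ == "__main__":
    # The example value from the page.
    parsed = parse_queue_timeouts(
        "openread=1000,10,2.0 openwrite=30000,5,1.2 write=30000,5,1.2 lock=30000,5,1.2")
    for queue, qt in parsed.items():
        print(queue, qt, "retries:", len(wait_schedule(qt)))
```

Running the schedule for each queue makes the trade-off visible: a large backoff modifier means few retries that grow quickly, while a modifier close to 1.0 hammers the lock at nearly constant intervals until the timeout.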
iologactionretry
- Version 10.0.0 and earlier: iologactionretry not available.
- Version 10.1.0 and later: iologactionretry available.
Optionally specifies the interval, in minutes, that an iolog must wait for a Solr or iologcloseaction retry. A Solr attempt is requeued in certain recoverable cases, such as when unable to reach the host. An iologcloseaction attempt is requeued if the iologcloseaction script returns -1. This delay allows time for the issue to be potentially resolved before the next attempt. The minimum is 5 minutes and the maximum is 2880 (48 hours).
Example
iologactionretry 300
Default
iologactionretry 20
Used on
- Policy server hosts
- Log hosts
iologindexstorefile
- Version 7.1 and earlier: iologindexstorefile setting not available.
- Version 7.5 through 9.4.5 all OS: iologindexstorefile setting available.
- Version 10.1.0 and later: iologindexstorefile setting not available.
The path and file name of the file used to store I/O log file names that failed to be forwarded to Solr due to an error. This file is periodically scanned by pblogd and the content forwarded to Solr, when the communication with Solr is reestablished.
Example
iologindexstorefile /var/log/pb.iolog.store
Default
iologindexstorefile <default_log_directory>/pb.iolog.store
Used on
- Policy server hosts
- Log hosts
indexcommandtimestamps
- Version 7.1 and earlier: indexcommandtimestamps setting not available.
- Version 7.5 and later: indexcommandtimestamps setting available.
Used to disable command timestamps in the Solr index. Command timestamps in the Solr index can be used to search for commands that happened near a time. These timestamps are enabled by default.
Example
indexcommandtimestamps no
Default
indexcommandtimestamps yes
Used on
- Policy server hosts
- Log hosts
indexlogsizelimit
- Version 9.4.5 and earlier: indexlogsizelimit setting not available.
- Version 10.0 and later: indexlogsizelimit setting available.
Used to set a size limit for I/O logs that can be indexed. The indexlogsizelimit keyword is an integer optionally followed by k|K|m|M|g|G. Any additional characters are ignored.
Example
indexlogsizelimit 60M
Default
No default value
Used on
- Policy server hosts
- Log hosts
pbreplaylog
- Version 7.1 and earlier: pbreplaylog setting not available.
- Version 7.5 and later: pbreplaylog setting available.
pbreplaylog contains the name for pbreplay's diagnostic log file.
Example
pbreplaylog /var/log/pbreplay.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pbreplaylog /var/log/pbreplay.log
pbreplaylog /usr/log/pbreplay.log
pbreplaylog /var/adm/pbreplay.log
pbreplaylog /usr/adm/pbreplay.log
Used on
- Policy server hosts
- Log hosts
- GUI hosts
Solrindextimeout
- Version 9.4.5 and earlier: Solrindextimeout setting not available.
- Version 10.0 and later: Solrindextimeout setting available.
Used to set a time limit for I/O logs being indexed. If Solr indexing exceeds the specified time limit, indexing the current iolog is terminated. The time limit, specified in seconds, takes place for both the connection phase and the sending of each 5MB chunk to Solr. For example, if Solrindextimeout is set to 15, an iolog with 10MB stdout data might take up to 60 seconds connecting and talking to Solr before timing out. If Solrindextimeout is not set, or is set to -1, there is no timeout.
Example
Solrindextimeout 120
Default
Solrindextimeout -1
Used on
- Policy server hosts
- Log hosts
BeyondInsight event and I/O logging common settings
pbadminpath
- Version 7.1 and earlier: pbadminpath setting not available.
- Version 7.5 and later: pbadminpath setting available.
The path where admin binaries reside. This is used by pbmasterd and pblogd to forward events and iologs via pbreplay.
Example
pbadminpath /usr/sbin/
Default
No default value
Used on
- Policy server hosts
- Log hosts
- GUI hosts
sharedlibcurldependencies
- Version 7.1 and earlier: sharedlibcurldependencies setting not available.
- Version 7.5 and later: sharedlibcurldependencies setting available.
Defines the path and file name for libcurl used by the binaries to communicate with Solr server and/or BeyondInsight server. Setting sharedlibcurldependencies requires sharedlibkrb5dependencies and sharedlibssldependencies to be set.
Note
The certificates used for BeyondInsight by EPM-UL must support SHA-256 algorithm which was introduced in SSL v0.9.8.
Therefore starting with v7.5, the SSL libraries shipped with EPM-UL Shared Libraries are SSL libraries v0.9.8. When installing or upgrading, sharedlibssldependencies must be set to:
/usr/lib/beyondtrust/pb/libcrypto.so.1.1 /usr/lib/beyondtrust/pb/libssl.so.1.1
Example
sharedlibcurldependencies /usr/lib/beyondtrust/pb/libcurl.so.4.7.0
Default
- AIX: /usr/lib/symark/pb/libcurl.a(libcurl.so.4)
- HPUX Itanium: /usr/lib/symark/pb/libcurl.so.7.0
- Linux, Solaris: /usr/lib/symark/pb/libcurl.so.4.3.0
Used on
- Policy server hosts
- Log hosts
loadcurllibs
- Version 7.5 and earlier: loadcurllibs setting not available.
- Version 7.5 and later: loadcurllibs setting available.
Forces the loading of the libcurl libraries defined in sharedlibcurldependencies.
Example
loadcurllibs yes
Default
loadcurllibs no
Used on
- Policy server hosts
- Log hosts
Diagnostic logging
pblogd, pbrun, pbmasterd, pblocald, pbksh, and pbsh can produce diagnostic messages that can be stored in individual files.
kshlog
- Version 3.5 and earlier: kshlog setting not available.
- Version 4.0 and later: kshlog setting available.
kshlog contains the name of the pbksh diagnostic log file.
Example
kshlog /var/log/pbksh.log
Default
During the install, depending on the operating system standards, this can be any of the following:
kshlog /var/log/pbksh.log
kshlog /usr/log/pbksh.log
kshlog /var/adm/pbksh.log
kshlog /usr/adm/pbksh.log
Used on
Submit hosts
pblocaldlog
- Version 4.0.0 and later: pblocaldlog setting available.
pblocaldlog contains the name of the pblocald diagnostic log file.
Note
This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.
Example
pblocaldlog /var/log/pblocald.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pblocaldlog /var/log/pblocald.log
pblocaldlog /usr/log/pblocald.log
pblocaldlog /var/adm/pblocald.log
pblocaldlog /usr/adm/pblocald.log
Used on
Run hosts
pblogdlog
- Version 4.0.0 and later: pblogdlog setting available.
pblogdlog contains the name of the pblogd diagnostic log file.
Example
pblogdlog /var/log/pblogd.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pblogdlog /var/log/pblogd.log
pblogdlog /usr/log/pblogd.log
pblogdlog /var/adm/pblogd.log
pblogdlog /usr/adm/pblogd.log
Used on
Log hosts
pbmasterdlog
- Version 4.0.0 and later: pbmasterdlog setting available.
pbmasterdlog contains the name of the pbmasterd diagnostic log file.
Example
pbmasterdlog /var/log/pbmasterd.log
Default
During the install, depending on the operating system standards, this can be any of the following:
pbmasterdlog /var/log/pbmasterd.log
pbmasterdlog /usr/log/pbmasterd.log
pbmasterdlog /var/adm/pbmasterd.log
pbmasterdlog /usr/adm/pbmasterd.log
Used on
Policy server hosts
pbrunlog
- Version 4.0.0 and later: pbrunlog setting available.
pbrunlog contains the name of the pbrun diagnostic log file.
Example
pbrunlog /var/log/pbrun.log
Default
No default value
Used on
Submit hosts
pbpinglog
- Version 6.2 and earlier: pbpinglog setting not available.
- Version 7.0 and later: pbpinglog setting available.
pbpinglog contains the name of the pbping diagnostic log file.
Example
pbpinglog /var/log/pbping.log
Default
No default value
Used on
Policy server hosts
shlog
- Version 3.5 and earlier: shlog setting not available.
- Version 4.0 and later: shlog setting available.
shlog contains the name of the pbsh diagnostic log file.
Example
shlog /var/log/pbsh.log
Default
During the install, depending on the operating system standards, this can be any of the following:
shlog /var/log/pbsh.log
shlog /usr/log/pbsh.log
shlog /var/adm/pbsh.log
shlog /usr/adm/pbsh.log
Used on
Submit hosts
enabletraceonexit
- Version 22.2.0 and later: enabletraceonexit setting available.
Controls extended diagnostic logging when certain error conditions are encountered.
This should only be used in coordination with BeyondTrust Technical Support.
This is disabled (set to no) by default.
Example
enabletraceonexit yes
Default
enabletraceonexit no
Used on
All EPM-UL hosts
pbadminlog
- Version 22.1 and earlier: pbadminlog setting not available.
- Version 22.2 and later: pbadminlog available.
The pbadminlog setting defines the pathname of the log file containing any diagnostics messages generated when running the pbadmin program.
Note
pbadmin is the same program as pbdbutil, which may still be referenced in this documentation.
The pbadmin program is used during the installation of EPM-UL. Immediately after running pbinstall for the first time on a host, you may find this log entry which can be ignored:
3887.22 Error retrieving license - Failed to retrieve your license
Example
Depending on the operating system standards, this can be any of the following:
pbadminlog /var/log/<prefix>pbadmin.log<suffix>
pbadminlog /var/adm/<prefix>pbadmin.log<suffix>
pbadminlog /usr/adm/<prefix>pbadmin.log<suffix>
Default
pbadminlog /var/log/pbadmin.log
Used on
All hosts