The kbl (user session logging) feature allows you to trace user activities on the endpoint and log them to the kbl.audit file. How can I send kbl.audit events to a collector system separate from the one receiving the seos.audit logs?
PAM Server Control 14.x
You can set up a second instance of selogrd to read the kbl.audit file and send those events to a collector. The original selogrcd keeps receiving the seos.audit events from the endpoints. The commands below update seos.ini so that the second selogrd starts whenever PAMSC starts. It reads the log file defined in the -audit option and, based on the -config file, forwards those records to the configured destination. The kblselogrd.cfg file has the same format as the standard selogrd.cfg file.
Create kblselogrd.cfg:
vi /opt/CA/PAMSC/log/kblselogrd.cfg
Add a simple rule like the one below. This rule tells the selogrd daemon to send the data it reads to the syslog process.
Rule#1
syslog LOG_INFO
.
After saving the file you can stop all services with secons -S.
Run this command to automatically update seos.ini with the appropriate information:
seini -s daemons.kbl_selogrd "yes, /opt/CA/PAMSC/bin/selogrd -audit /opt/CA/PAMSC/log/kbl.audit -config /opt/CA/PAMSC/log/kblselogrd.cfg -data /opt/CA/PAMSC/log/kbl_logroute.dat"
The token daemons.kbl_selogrd, now set to 'yes, /opt/CA/PAMSC/bin/selogrd -audit /opt/CA/PAMSC/log/kbl.audit -config /opt/CA/PAMSC/log/kblselogrd.cfg -data /opt/CA/PAMSC/log/kbl_logroute.dat'.
[root@rhel4 x# seload
CA Privileged Access Manager Server Control seload v14.10.0.1633 - Loader Utility
Copyright (c) 2018 CA. All rights reserved.
22 Oct 2021 21:16:08> WAKE_UP : Server going up
22 Oct 2021 21:16:08> INFO : Filter mask: 'WATCHDOG*' is registered
22 Oct 2021 21:16:08> INFO : Filter mask: 'INFO : Setting PV*' is registered
22 Oct 2021 21:16:08> INFO : Filter mask: 'INFO : DB*' is registered
22 Oct 2021 21:16:08> INFO : Filter mask: '*seosd.trace*' is registered
22 Oct 2021 21:16:08> INFO : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 14649.
Checking database ...
Starting seagent. PID = 14652
seagent: Loading database image...
Starting seoswd. PID = 14656
seagent: Initialization phase completed
KBL Audit Manager started. PID=14658
Executing [daemons] command: /opt/CA/PAMSC/bin/selogrd
Starting selogrd. PID = 14661
[root@rhel4 log]#
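A sanity check for the setup above, added here as an example and not part of the original article or of the PAMSC product: it verifies that a selogrd-style rule file is well formed (each Rule# block has a destination and is closed by a line holding only ".") and that the daemons token in seos.ini points the second selogrd at kbl.audit and at kblselogrd.cfg. The "kbl_selogrd = yes, ..." line under a [daemons] section is an assumed layout for what seini writes; the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the article or the product.

# Rule file check: a rule opens with "Rule#", needs at least one destination
# line (e.g. "syslog LOG_INFO") and is terminated by a line holding only ".".
check_rule_file() {
    awk '
        /^Rule#/      { if (open) bad++; open = 1; dest = 0; next }
        /^\.$/        { if (!open || !dest) bad++; open = 0; next }
        open && NF > 0 { dest++ }
        END           { if (open) bad++; exit (bad ? 1 : 0) }
    ' "$1"
}

# seos.ini check: $1 = ini path, $2 = expected -audit file, $3 = expected -config file.
# Assumes seini stores the token as "kbl_selogrd = yes, <command>" under [daemons].
check_daemon_token() {
    awk -v want_audit="$2" -v want_cfg="$3" '
        /^\[/ { in_daemons = ($0 == "[daemons]") }
        in_daemons && /^kbl_selogrd[ \t]*=/ {
            sub(/^kbl_selogrd[ \t]*=[ \t]*/, "")
            ok = ($0 ~ /^yes,/ && index($0, "-audit " want_audit) > 0 \
                               && index($0, "-config " want_cfg) > 0)
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample files for an offline run; prints the temp directory.
make_samples() {
    d=$(mktemp -d)
    printf 'Rule#1\nsyslog LOG_INFO\n.\n' > "$d/kblselogrd.cfg"
    printf 'Rule#1\nsyslog LOG_INFO\n' > "$d/broken.cfg"   # missing "." terminator
    printf '[daemons]\nkbl_selogrd = yes, /opt/CA/PAMSC/bin/selogrd -audit /opt/CA/PAMSC/log/kbl.audit -config /opt/CA/PAMSC/log/kblselogrd.cfg -data /opt/CA/PAMSC/log/kbl_logroute.dat\n' > "$d/seos.ini"
    echo "$d"
}

# On a real host: check_rule_file /opt/CA/PAMSC/log/kblselogrd.cfg &&
#   check_daemon_token /opt/CA/PAMSC/etc/seos.ini /opt/CA/PAMSC/log/kbl.audit /opt/CA/PAMSC/log/kblselogrd.cfg
# (the seos.ini path is an assumption; use the one your install reports).
```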
On the host that will be running selogrcd to collect these kbl events, I would recommend you change the name of the collect file to something like kbl.collect.audit instead of the standard seos.collect.audit. You will also need to update seos.ini on that host so that this selogrcd instance runs on startup.