The kbl, or user session logging, feature lets you trace user activities on the endpoint and log them to the kbl.audit file. How can I send kbl.audit events to a collector system separate from the seos.audit logs?
PAM Server Control 14.x
You can set up a second instance of selogrd to read the kbl.audit file and send those events to a collector. The original selogrcd is receiving seos.audit events from the endpoints. The commands below will update the seos.ini and will allow the second selogrd to start when PAMSC starts. It will read the logs defined in the -audit option and, based on the -config file, it will send the logs over
The kblselogrd.cfg will have the same format as the standard selogrd.cfg file.
Add a simple rule like the one below. This rule tells the selogrd daemon to send the data it reads to the syslog process.
After saving the file, you can stop all services with secons -S.
Run this command to automatically update the seos.ini with the appropriate information
On the host that will be running selogrcd to collect these kbl events, I would recommend you change the name of the collect file to something like kbl.collect.audit rather than the standard seos.collect.audit. You will also need to update so that it runs on startup.