PAMSC - Can I send kbl.audit events to a collector system or syslog

Article ID: 42551

Products

CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)

Issue/Introduction

KBL (user session logging) lets you trace user activities on the endpoint and records them in the kbl.audit file. How can I send kbl.audit events to a collector system separately from the seos.audit events?

Environment

PAM Server Control 14.x

Resolution

You can set up a second instance of selogrd that reads the kbl.audit file and sends those events to a collector. The existing selogrcd on the collector keeps receiving seos.audit events from the endpoints as before. The commands below update seos.ini so that the second selogrd starts whenever PAMSC starts. It reads the audit file given by the -audit option and forwards the events according to the rules in the -config file; the -data file holds this instance's own state so it does not interfere with the default selogrd. The kblselogrd.cfg file has the same format as the standard selogrd.cfg file.


Create kblselogrd.cfg:

vi /opt/CA/PAMSC/log/kblselogrd.cfg

Add a simple rule like the one below. This rule tells the selogrd daemon to send every event it reads to the local syslog process at priority LOG_INFO. As in selogrd.cfg, each rule is closed by a line containing only a period.

     Rule#1
     syslog LOG_INFO
     .

After saving the file, stop all PAMSC services with secons -S.

Run this command to add the new daemon entry to seos.ini. The leading "yes," tells seload to start the command; the second line below is the confirmation that seini prints:

seini -s daemons.kbl_selogrd "yes, /opt/CA/PAMSC/bin/selogrd -audit /opt/CA/PAMSC/log/kbl.audit -config /opt/CA/PAMSC/log/kblselogrd.cfg -data /opt/CA/PAMSC/log/kbl_logroute.dat"
The token daemons.kbl_selogrd, now set to 'yes, /opt/CA/PAMSC/bin/selogrd -audit /opt/CA/PAMSC/log/kbl.audit -config /opt/CA/PAMSC/log/kblselogrd.cfg -data /opt/CA/PAMSC/log/kbl_logroute.dat'.

# seload
CA Privileged Access Manager Server Control seload v14.10.0.1633 - Loader Utility
Copyright (c) 2018 CA. All rights reserved.
22 Oct 2021 21:16:08> WAKE_UP : Server going up
22 Oct 2021 21:16:08> INFO    : Filter mask: 'WATCHDOG*' is registered
22 Oct 2021 21:16:08> INFO    : Filter mask: 'INFO    : Setting PV*' is registered
22 Oct 2021 21:16:08> INFO    : Filter mask: 'INFO    : DB*' is registered
22 Oct 2021 21:16:08> INFO    : Filter mask: '*seosd.trace*' is registered
22 Oct 2021 21:16:08> INFO    : Filter mask: '*FILE*secons*(*/log/*)*' is registered
Starting seosd. PID = 14649.
Checking database ...
Starting seagent. PID = 14652
seagent: Loading database image...
Starting seoswd. PID = 14656
seagent: Initialization phase completed
KBL Audit Manager started. PID=14658
Executing [daemons] command: /opt/CA/PAMSC/bin/selogrd
Starting selogrd. PID = 14661
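The endpoint-side steps above, gathered into one script. This is an added example and not part of the original article or of the PAMSC product; it assumes the install root /opt/CA/PAMSC used in the article (override with PAMSC_HOME) and uses only the secons, seini and seload invocations shown above. The helper names (write_kbl_cfg, kbl_selogrd_token, cfg_rules_closed, apply_kbl_selogrd) are my own. The cfg_rules_closed check catches the most common mistake when hand-editing the rule file, a rule that is missing its closing "." line, before the daemon is registered.

```shell
#!/bin/sh
# Added example (not from the original article): register a second selogrd
# that forwards kbl.audit events, following the steps described above.
# Assumption: PAMSC is installed under $PAMSC_HOME (default /opt/CA/PAMSC).
PAMSC_HOME="${PAMSC_HOME:-/opt/CA/PAMSC}"

# Write a minimal kblselogrd.cfg: one rule that routes every event to syslog
# at priority LOG_INFO. Same format as selogrd.cfg; each rule ends with ".".
write_kbl_cfg() {
    cfg="$1"
    cat > "$cfg" <<'EOF'
Rule#1
syslog LOG_INFO
.
EOF
}

# Build the value stored in the daemons.kbl_selogrd token. The leading "yes,"
# tells seload to start the command; the separate -data file keeps this
# instance's state apart from the default selogrd's.
kbl_selogrd_token() {
    home="$1"
    printf 'yes, %s/bin/selogrd -audit %s/log/kbl.audit -config %s/log/kblselogrd.cfg -data %s/log/kbl_logroute.dat' \
        "$home" "$home" "$home" "$home"
}

# Sanity check on a rule file: every rule must be closed by a line that is
# exactly ".". Returns 0 when all rules are closed, 1 when one is left open.
cfg_rules_closed() {
    awk 'BEGIN{open=0} /^\.$/{open=0;next} NF>0{open=1} END{exit open}' "$1"
}

# Apply the change on a real endpoint (run as root on a PAMSC host):
# write the config, verify it, stop services, register the daemon, reload.
apply_kbl_selogrd() {
    write_kbl_cfg "$PAMSC_HOME/log/kblselogrd.cfg"
    cfg_rules_closed "$PAMSC_HOME/log/kblselogrd.cfg" || {
        echo "kblselogrd.cfg has an unterminated rule" >&2
        return 1
    }
    secons -S
    seini -s daemons.kbl_selogrd "$(kbl_selogrd_token "$PAMSC_HOME")"
    seload
}

# "sh kbl_selogrd.sh apply" performs the change; with no argument the script
# only prints the token value so you can review it before touching seos.ini.
if [ "${1:-}" = "apply" ]; then
    apply_kbl_selogrd
else
    kbl_selogrd_token "$PAMSC_HOME"; echo
fi
```

Run it without arguments first and compare the printed token with the seini line in the article; only then run it with "apply" on the endpoint.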


On the host that will run selogrcd to collect these KBL events, I recommend changing the name of the collect file to something like kbl.collect.audit instead of the standard seos.collect.audit, so the KBL events are not mixed into the seos.audit collection. You will also need to configure that selogrcd instance so that it runs on startup.