Access Gateway sudo audit log

Access Gateway audits sudo command usage by logging all events to the sudoers.log.

The sudo log contains audit events for every sudo use. Sudo audit events can be downloaded and reviewed. The log is downloaded to{instance name}/audit/sudoers.log.

Sudoer log fields

Field	Description
Timestamp	Current system date and time (for example, Dec 2 13:00:11).
Separator	: (colon)
Account	The account of the user initiating the command (for example, oag-mgmt).
Separator	:
Terminal	Terminal used when running the command (for example, TTY=pts/1).
Separator	; (Semi-colon)
Working directory	Working directory when then command was executed (for example, PWD=/home/oag-mgmt).
Separator	;
User	Same as Account.
Command	Command executed with arguments (for example, COMMAND=/opt/oag/bin/updateCert.sh -f).

Example events

Dec 2 13:00:13 : oag-mgmt : TTY=pts/1 ; PWD=/home/oag-mgmt ; USER=root ; COMMAND=/opt/oag/bin/updateCert.sh -f Dec 2 13:01:02 : root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t Dec 2 13:02:02 : root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t

Access Gateway sudo audit log

Sudoer log fields

Example events

Related Topics