Access Gateway sudo audit log

Access Gateway audits sudo command usage by logging every sudo event to sudoers.log.

The sudo log contains an audit event for every use of sudo. Sudo audit events can be downloaded and reviewed. The log is downloaded to {instance name}/audit/sudoers.log.

Sudoer log fields

| Field | Description |
| --- | --- |
| Timestamp | Current system date and time (for example, Dec 2 13:00:11). |
| Separator | : (colon) |
| Account | The account of the user initiating the command (for example, oag-mgmt). |
| Separator | : |
| Terminal | Terminal used when running the command (for example, TTY=pts/1). |
| Separator | ; (semicolon) |
| Working directory | Working directory when the command was executed (for example, PWD=/home/oag-mgmt). |
| Separator | ; |
| User | Same as Account. |
| Command | Command executed with arguments (for example, COMMAND=/opt/oag/bin/updateCert.sh -f). |

Example events

Dec 2 13:00:13 : oag-mgmt : TTY=pts/1 ; PWD=/home/oag-mgmt ; USER=root ; COMMAND=/opt/oag/bin/updateCert.sh -f
Dec 2 13:01:02 : root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t
Dec 2 13:02:02 : root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t
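A parser for the event layout documented above, added here as an example for reviewing a downloaded sudoers.log (it is not part of Access Gateway or its documentation). The function names are hypothetical, the sample input is this page's three example events, and one event per line is assumed.

```python
import re
from collections import Counter

# Sample input: the three example events from this page, one per line.
SAMPLE_LOG = """\
Dec 2 13:00:13 : oag-mgmt : TTY=pts/1 ; PWD=/home/oag-mgmt ; USER=root ; COMMAND=/opt/oag/bin/updateCert.sh -f
Dec 2 13:01:02 : root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t
Dec 2 13:02:02 : root : TTY=unknown ; PWD=/root ; USER=root ; COMMAND=/sbin/nginx -t
"""

# Field order follows the table: timestamp, account, TTY, PWD, USER, COMMAND.
# COMMAND is matched last and greedily so arguments containing " ; " stay intact.
EVENT_RE = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}) : "
    r"(?P<account>\S+) : "
    r"TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.*?) ; "
    r"USER=(?P<user>\S+) ; "
    r"COMMAND=(?P<command>.*)$"
)

def parse_sudo_log(text):
    """Return (events, rejected): parsed field dicts and lines that did not match."""
    events, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = EVENT_RE.match(line)
        if match:
            events.append(match.groupdict())
        else:
            rejected.append(line)  # keep for manual review, never drop silently
    return events, rejected

def review(events):
    """Count events per account and list events run without a terminal."""
    per_account = Counter(e["account"] for e in events)
    # TTY=unknown: sudo had no controlling terminal (typically non-interactive use).
    no_tty = [e for e in events if e["tty"] == "unknown"]
    return per_account, no_tty

if __name__ == "__main__":
    events, rejected = parse_sudo_log(SAMPLE_LOG)
    per_account, no_tty = review(events)
    print("events per account:", dict(per_account))
    for e in no_tty:
        print("no terminal:", e["timestamp"], e["account"], e["command"])
    print(len(rejected), "unparsed line(s)")
```

Lines that do not match the documented layout are returned in `rejected` so that unexpected entries are reviewed by hand.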