These docs are for v17. Click to read the latest docs for v33.

How does PrivX create log data on user access to target hosts?
By default, the audit events are written to the file /var/log/messages. CEF uses LOCAL6 for logging.

How do you see which user (identity) has accessed the host in host log data?
When using certificate-based authentication, the user identity is logged in the sshd logs on the target host. For example, when PrivX user 'superuser' logs in to the target host as 'ec2-user', /var/log/secure on the target host logs it as follows:

Sep 17 07:15:07 ip-172-31-49-149 sshd[21275]: Accepted publickey for ec2-user from 195.20.116.1 port 3403 ssh2: RSA-CERT ID [email protected]:43836 serial 1059239823051326577 (serial 1059239823051326577) CA RSA SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So

How do you see user ID on the host log data when the user has accessed target host via a role in PrivX?
Here is an example log entry:

Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: [event="File-upload" eventID="320" connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" hostAddress="10.11.0.46:22" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" path="/root/ssh_targets.png" sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" size="0" targetUsername="root" userID="1da90209-2072-44f6-a65d-0ba9880836c1"]

Can PrivX monitor which files were transferred?
Yes, the audit logs include file transfer events, with the filename and who transferred the file. With auditing enabled, you may also download the transferred files.
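
As an added example (not part of the PrivX documentation), the Python below parses the two log formats shown above and lists file-transfer events together with the PrivX userID. The regular expressions and the "File-" event-name prefix are assumptions inferred from the sample lines on this page, not a documented PrivX schema.

```python
import re

# Sample lines copied from this page (the certificate key ID appears as the page shows it).
SSHD_LINE = (
    "Sep 17 07:15:07 ip-172-31-49-149 sshd[21275]: Accepted publickey for ec2-user "
    "from 195.20.116.1 port 3403 ssh2: RSA-CERT ID [email protected]:43836 serial "
    "1059239823051326577 (serial 1059239823051326577) CA RSA "
    "SHA256:OmlS4VhEqBoGpm9AzgSYrvOaGSJyfot3Zf2ANMoY9So")
AUDIT_LINE = (
    'Jun 13 12:41:32 privx-bug-squash-host.novalocal SSH-PRIVX-AUDIT[11992]: '
    '[event="File-upload" eventID="320" '
    'connectionID="d12598fc-915a-49c8-55b8-d301d42d082a" connectionType="ssh" '
    'hostAddress="10.11.0.46:22" hostUuid="a04b10f4-c9e9-49bd-76b2-5cfdcc2f63e0" '
    'path="/root/ssh_targets.png" sessionID="5fd2447a-ff4e-4384-7ec3-79b908fc5bed" '
    'size="0" targetUsername="root" userID="1da90209-2072-44f6-a65d-0ba9880836c1"]')

# Assumed patterns, inferred from the two sample lines only.
CERT_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted publickey for (?P<target_user>\S+) from (?P<src_ip>\S+) "
    r"port \d+ ssh2: \S+-CERT ID (?P<key_id>.+?) \(serial (?P<serial>\d+)\) "
    r"CA (?P<ca_type>\S+) (?P<ca_fingerprint>\S+)")
AUDIT = re.compile(r"SSH-PRIVX-AUDIT\[\d+\]: \[(?P<body>.*)\]")
FIELD = re.compile(r'(\w+)="([^"]*)"')

def parse_cert_login(line):
    """Return certificate-login fields from a target-host sshd line, or None."""
    m = CERT_LOGIN.search(line)
    return m.groupdict() if m else None

def parse_audit_event(line):
    """Return the key="value" fields of a PrivX audit line as a dict, or None."""
    m = AUDIT.search(line)
    return dict(FIELD.findall(m.group("body"))) if m else None

def file_transfers(lines, event_prefix="File-"):
    """List who transferred which file; the event-name prefix is an assumption."""
    keys = ("event", "userID", "targetUsername", "hostAddress", "path")
    found = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev and ev.get("event", "").startswith(event_prefix):
            found.append({k: ev.get(k) for k in keys})
    return found

if __name__ == "__main__":
    print(parse_cert_login(SSHD_LINE))
    for t in file_transfers([SSHD_LINE, AUDIT_LINE]):
        print(t)
```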