In BoKS 6.6.2, new log labels were introduced to improve logging relating to keystroke logs. The default list of Alarm Events in $BOKS_etc/alarmlogs has not been updated with these changes, meaning these new log messages will not be handled as Alarm Events.

Reference Information

The full list of log labels available is located in $BOKS_etc/mess.d/log.eng. In order to keep the same behavior as in older versions of BoKS than 6.6.2, the new log labels need to be added to the list of Alarm Events in $BOKS_etc/alarmlogs - if your current configuration lists the corresponding labels without the trailing "2". These are the labels available as of 6.7.1 (both keystroke logging and audit logging have been completely redesigned in BoKS 7.0, meaning this is not a problem in 7.0 and later versions):

kslog_file_not_found "The Keystroke logfile %s could not be found on host %s."
kslog_file_unzip_failed "Failed to unzip kslog report %s"

kslog_file_not_fetched2 "The Keystroke logfile %s from %s could not be transferred"
kslog_restore_fail2 "Failed to restore kslog file: %s: %s. Check that the disk is not full."
kslog_checksum_failed2 "The Keystroke logfile %s from %s failed checksum test"

kslog_stale_file_boot "kslog file found after boot. State=%s file=%s cksum=%s pid=%d"
kslog_bad_timestamp2 "Keystroke log on host %s with pid %s has a timestamp %s seconds in the future."
kslog_long_active_session2 "Keystroke log on host %s with pid %s has been active longer than %s hours."
kslog_retrieve_stale2 "Failed to finalize and retrieve stale keystroke log on host %s with pid %s.

kslog_stale_file_encr_boot "Encrypted kslog file found after boot. Encrypted state=%s file=%s.pk7 cksum=%s pid=%d"

Still have questions? We can help. Submit a case to Technical Support.

Last Modified On: August 28, 2019