Logout Event

Valid on UNIX
Logout events describe an attempt to log out from PAM Server Control or a PAM Server Control protected host.
Logout events are only supported on UNIX. PAM Server Control does not actually intercept logout. Instead, it assumes logout occurs when the last process for the session terminates.
Audit records in this event have the following format:
Date Time Status Event UserName SessionID Details Reason Terminal AuditFlags
  • Date
    Identifies the date the event occurred.
    Format: DD MMM YYYY
    PAM Server Control Endpoint Management formats the date display according to your computer's settings.
  • Time
    Identifies the time the event occurred.
    Format: HH:MM:SS
    PAM Server Control Endpoint Management formats the time display according to your computer's settings.
  • Status
    Indicates that a user logout occurred.
    Value: O (Logout)
  • Event
    Identifies the type of event this record belongs to.
    PAM Server Control Endpoint Management refers to this field simply as Event.
  • UserName
    Identifies the name of the accessor that performed the action that triggered this event.
  • SessionID
    Identifies the accessor's session ID.
    By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.
  • Details
    Indicates at which stage PAM Server Control decided what action to take for this event.
    The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in PAM Server Control Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Reason
    Indicates the reason that PAM Server Control wrote an audit record.
    This field does not display in a detailed seaudit output or in PAM Server Control Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.
  • Terminal
    Identifies the name of the terminal that the accessor used to connect to the host.
  • AuditFlags
    Indicates whether the accessor is internal (PAM Server Control database user) or an enterprise user.
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Logout Event Message
The following audit record was taken from a detailed seaudit output.
29 Jan 2009 17:23:33 O LOGOUT root 49 2 computer.com
Event type: Logout
Status: Logout
User name: root
Terminal: computer.com
Date: 29 Jan 2009
Time: 17:23
Details: Logout detected after last process terminated
Audit flags: AC database user
This audit record indicates that on January 29th 2009, PAM Server Control detected that the last session process for the user root working on the remote terminal computer.com has closed, and so assumes that the user logged out of the system (authorization stage code 49, Logout detected after last process terminated).
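The field layout above can be checked mechanically when logout records are forwarded to a log pipeline. The following parser is an added example, not part of the product documentation or of seaudit itself; the function name and dictionary keys are hypothetical. It assumes that UserName, SessionID and Terminal contain no whitespace and that records are the single-line, non-detailed form.

```python
from datetime import datetime

# Field order from this page:
# Date Time Status Event UserName [SessionID] Details Reason Terminal [AuditFlags]
OS_USER_FLAG = "(OS user)"  # AuditFlags text shown only for enterprise users


def parse_logout_record(line, with_sessionid=False):
    """Parse one non-detailed seaudit logout record into a dict.

    with_sessionid must match whether seaudit was run with -sessionid.
    Assumption: UserName, SessionID and Terminal are whitespace-free tokens.
    """
    line = line.strip()
    # AuditFlags contains a space, so strip it before tokenizing.
    enterprise = line.endswith(OS_USER_FLAG)
    if enterprise:
        line = line[: -len(OS_USER_FLAG)].rstrip()
    tokens = line.split()
    # Date is three tokens (DD MMM YYYY); every other field is one token.
    expected = 11 if with_sessionid else 10
    if len(tokens) != expected:
        raise ValueError(f"expected {expected} tokens, got {len(tokens)}")
    when = datetime.strptime(" ".join(tokens[:4]), "%d %b %Y %H:%M:%S")
    status, event, user = tokens[4:7]
    rest = tokens[7:]
    session_id = rest.pop(0) if with_sessionid else None
    details, reason, terminal = rest
    if status != "O" or event != "LOGOUT":
        raise ValueError("not a logout record")
    if not (details.isdigit() and reason.isdigit()):
        raise ValueError("stage and reason codes must be numeric")
    return {
        "timestamp": when,
        "user": user,
        "session_id": session_id,
        "stage_code": int(details),   # Details: authorization stage code
        "reason_code": int(reason),   # Reason: reason code
        "terminal": terminal,
        "enterprise_user": enterprise,
    }


if __name__ == "__main__":
    # First line is the record from this page; the second is constructed
    # (placeholder session ID, user and host) to show the optional fields.
    print(parse_logout_record("29 Jan 2009 17:23:33 O LOGOUT root 49 2 computer.com"))
    print(parse_logout_record(
        "29 Jan 2009 17:25:10 O LOGOUT jsmith SID-0001 49 2 host.example.com (OS user)",
        with_sessionid=True))
```

Numeric stage and reason codes can be mapped to their messages using the list printed by seaudit -t.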