---
title: BeyondTrust Privileged Remote Access
description: Gain insights into BeyondTrust Privileged Remote Access logs.
breadcrumbs: Docs > Integrations > BeyondTrust Privileged Remote Access
---

# BeyondTrust Privileged Remote Access
Integration version 1.0.0
{% callout %}
# Important note for users on the following Datadog sites: us2.ddog-gov.com

{% alert level="info" %}
To find out if this integration is available in your organization, see your [Datadog Integrations](https://app.datadoghq.com/integrations) page or ask your organization administrator.

To initiate an exception request to enable this integration for your organization, email [support@ddog-gov.com](mailto:support@ddog-gov.com).
{% /alert %}

{% /callout %}
Dashboard previews: BeyondTrust PRA Overview; BeyondTrust PRA Authentication and Access Management; BeyondTrust PRA Network & Platform Security; BeyondTrust PRA Identity and User Activity.
## Overview{% #overview %}

[BeyondTrust Privileged Remote Access](https://www.beyondtrust.com/products/privileged-remote-access) securely manages and controls remote access to critical systems for privileged users, such as administrators, IT personnel, and third-party vendors.

Integrate BeyondTrust Privileged Remote Access with Datadog to gain insights into BeyondTrust Privileged Remote Access logs using pre-built dashboard visualizations. Datadog uses its built-in log pipelines to parse and enrich these logs, facilitating easy search and detailed insights. The integration can also be used for Cloud SIEM detection rules for enhanced monitoring and security.

**Minimum Agent version:** 7.77.0

## Setup{% #setup %}

### Prerequisites{% #prerequisites %}

- `rsyslog` (version 8.2302 or higher) with valid TLS certificates present on the server.

### Configuration{% #configuration %}

#### Configure File Rotation Script{% #configure-file-rotation-script %}

1. Create the script file.

   ```shell
   sudo mkdir -p /etc/rsyslog.d/scripts
   sudo vi /etc/rsyslog.d/scripts/file_rotate.sh
   ```

1. Add the following content to the script:

   ```shell
   #!/bin/bash
   
   LOGFILE="/var/log/rsyslog_logs/beyondtrust_pra.log"
   
   # Each line carries a "<msgid>:<segment>:<total>" prefix. The segment number
   # of the last line is the number of lines of the current (possibly still
   # incomplete) multi-segment message that must survive the rotation.
   last_line=$(tail -n 1 "$LOGFILE")
   
   # The timestamp matches the same pattern, so keep only the last match.
   num1=$(echo "$last_line" | grep -oE '[0-9]+:[0-9]+:[0-9]+' | tail -n 1 | cut -d: -f2)
   # Force base 10: printf "%d" rejects zero-padded values such as "08" as
   # invalid octal and yields 0. Default to 0 when no prefix was found.
   num1=$((10#${num1:-0}))
   LAST_LINES=$(tail -n "$num1" "$LOGFILE")
   
   # Capture permissions, owner, group
   PERMS=$(stat -c "%a" "$LOGFILE")
   OWNER=$(stat -c "%U" "$LOGFILE")
   GROUP=$(stat -c "%G" "$LOGFILE")
   
   # Remove the original file
   rm -f "$LOGFILE"
   
   # Recreate file with same permissions
   touch "$LOGFILE"
   chmod "$PERMS" "$LOGFILE"
   chown "$OWNER:$GROUP" "$LOGFILE"
   
   # Write back the retained lines (skip when there is nothing to retain,
   # so the new file does not start with an empty line)
   [ -n "$LAST_LINES" ] && printf "%s\n" "$LAST_LINES" > "$LOGFILE"
   ```

1. Set ownership and permissions for the scripts directory.

   ```shell
   sudo chown -R syslog:syslog /etc/rsyslog.d/scripts
   sudo chmod 777 /etc/rsyslog.d/scripts
   sudo chmod 500 /etc/rsyslog.d/scripts/file_rotate.sh
   ```

   **Note**: `chmod 777` leaves the scripts directory world-writable, so any local account can remove or replace `file_rotate.sh` before rsyslog executes it. A mode of `750` is sufficient for the `syslog` owner to run the script.

#### Certificate Directory Setup{% #certificate-directory-setup %}

Create the certificate directory and store the TLS certificates in it using the file names listed in the table below. These files are referenced directly in the rsyslog configuration.

```shell
sudo mkdir -p /etc/rsyslog.d/certs
```

| Filename      | Description                                                                        |
| ------------- | ---------------------------------------------------------------------------------- |
| rootCA.pem    | Certificate authority (CA) certificate that signed the rsyslog server certificate. |
| fullchain.pem | rsyslog server certificate along with any required intermediate certificates.      |
| server.key    | Private key corresponding to the rsyslog server certificate.                       |

Set ownership and permissions so that the syslog user can access the certificates.

```shell
sudo chown -R syslog:syslog /etc/rsyslog.d/certs
sudo chmod -R 500 /etc/rsyslog.d/certs
```

#### Configure rsyslog{% #configure-rsyslog %}

1. Open the main configuration file.
   ```shell
   sudo vi /etc/rsyslog.conf
   ```
1. Add the following TLS settings to receive BeyondTrust PRA logs. Replace `<RSYSLOG_TCP_PORT>`, `<DATADOG_AGENT_IP>`, and `<DATADOG_AGENT_PORT>` with actual values. With `StreamDriver.Authmode="anon"`, rsyslog encrypts the session but does not authenticate the sending appliance; only the appliance verifies the rsyslog server certificate against `rootCA.pem`.
   ```shell
   module(load="imfile")
   
   $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
   $FileCreateMode 0640
   $DirCreateMode 0550
   $Umask 0022
   
   $MaxMessageSize 64k
   $IncludeConfig /etc/rsyslog.d/*.conf
   
   global(
     DefaultNetstreamDriver="gtls"
     DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/rootCA.pem"
     DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/fullchain.pem"
     DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server.key"
   )
   
   module(
     load="imtcp"
     StreamDriver.Name="gtls"
     StreamDriver.Mode="1"
     StreamDriver.Authmode="anon"
   )
   
   input(
     type="imtcp"
     port="<RSYSLOG_TCP_PORT>"
     ruleset="write_to_file"
   )
   
   input(
     type="imfile"
     File="/var/log/rsyslog_logs/beyondtrust_pra.log"
     readTimeout="30"
     startmsg.regex="(<[0-9]+>)?[A-Za-z]{3}[[:space:]]+[0-9]{1,2}[[:space:]]+[0-9]{2}:[0-9]{2}:[0-9]{2}[[:space:]]+[^[:space:]]+[[:space:]]+[A-Z]+\\[[0-9]+\\][[:space:]]+[0-9]+:01.*"
     ruleset="forward_merged"
     Tag="agg:"
     Facility="local0"
   )
   
   ruleset(name="write_to_file") {
     action(
       type="omfile"
       file="/var/log/rsyslog_logs/beyondtrust_pra.log"
       createDirs="on"
       rotation.sizeLimit="50000000"  # 50 MB
       rotation.sizeLimitCommand="/etc/rsyslog.d/scripts/file_rotate.sh"
     )
   }
   
   template(name="log_message" type="string" string="%msg%\n")
   ruleset(name="forward_merged") {
     action(type="omfwd" target="<DATADOG_AGENT_IP>" port="<DATADOG_AGENT_PORT>" protocol="tcp" template="log_message")
   }
   ```
1. Restart the rsyslog server.
   ```shell
   sudo systemctl restart rsyslog
   ```

#### Log Collection{% #log-collection %}

1. Collecting logs is disabled by default in the Datadog Agent. Enable it in the `datadog.yaml` file with:

   ```yaml
   logs_enabled: true
   ```

1. Add this configuration block to your `beyondtrust_privileged_remote_access.d/conf.yaml` file to start collecting your BeyondTrust Privileged Remote Access logs:

   ```yaml
   logs:
     - type: tcp
       port: <PORT>
       source: beyondtrust-privileged-remote-access
       log_processing_rules:
         - type: include_at_match
           name: include_pra_logs
           pattern: 'BG'
         # Drop the syslog header of every segment after the first (segment
         # numbers 02 and above, including 10+), which imfile joined to the
         # first segment with a literal "\n". The hostname field may contain
         # dots or hyphens, so it is matched with \S+ as in startmsg.regex.
         - type: mask_sequences
           name: remove_subsequent_segment_headers
           replace_placeholder: ""
           pattern: '\\n(<\d+>)?\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+[A-Z]+\[\d+\]\s+\d+:(0?[2-9]|[1-9]\d+):\d+:'
   ```

See the sample configuration file ([beyondtrust_privileged_remote_access.d/conf.yaml](https://github.com/DataDog/integrations-core/blob/master/beyondtrust_privileged_remote_access/datadog_checks/beyondtrust_privileged_remote_access/data/conf.yaml.example)) for available options.

**Note**: Do not change the `source` value, as this parameter is integral to the pipeline's operation.

1. [Restart the Agent](https://docs.datadoghq.com/agent/guide/agent-commands.md#start-stop-and-restart-the-agent).
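To see what the `startmsg.regex` in the rsyslog input and the `mask_sequences` rule in the Agent configuration do to a segmented event before deploying them, here is an added Python example (not part of the integration or of the rsyslog configuration above) that applies Python `re` translations of both patterns to constructed sample lines. It assumes the `<msgid>:<segment>:<total>:` prefix implied by the patterns, matches the hostname with `\S+`, masks every segment number from 2 upward, and additionally flags messages whose segments are missing, which is what a segment lost across a file rotation looks like.

```python
import re

# Constructed sample lines (not real BeyondTrust output) in the shape the
# integration's regexes expect: syslog header, "BG[pid]" tag, then a
# "<msgid>:<segment>:<total>:" prefix on every segment of one event.
SAMPLE_LINES = [
    "Mar 10 12:00:01 pra-appliance BG[1234] 4711:01:03:site=pra.example.com;event=login;",
    "Mar 10 12:00:01 pra-appliance BG[1234] 4711:02:03:who=alice;",
    "Mar 10 12:00:01 pra-appliance BG[1234] 4711:03:03:status=success",
    "Mar 10 12:00:05 pra-appliance BG[1234] 4712:01:02:event=logout;who=bob",
]

HEADER = r"(?:<\d+>)?[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+[A-Z]+\[\d+\]\s+"
# rsyslog imfile startmsg.regex: segment 01 opens a new multi-line message.
START_RE = re.compile("^" + HEADER + r"\d+:01:\d+:")
# Agent mask_sequences pattern: header of every later segment, preceded by
# the literal "\n" that imfile (escapeLF="on") inserts when joining lines.
MASK_RE = re.compile(r"\\n" + HEADER + r"\d+:(?:0?[2-9]|[1-9]\d+):\d+:")
SEG_RE = re.compile(HEADER + r"(\d+):(\d+):(\d+):")

def merge_segments(lines):
    """Join lines into messages the way startmsg.regex makes imfile do."""
    messages = []
    for line in lines:
        if START_RE.match(line) or not messages:
            messages.append(line)
        else:
            messages[-1] += "\\n" + line
    return messages

def strip_segment_headers(message):
    """Apply the Agent rule: drop later segment headers, keep their payload."""
    return MASK_RE.sub("", message)

def is_complete(message):
    """True when segments 1..total of one msgid are all present, in order."""
    segs = [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in SEG_RE.finditer(message)]
    if not segs:
        return False
    msgid, total = segs[0][0], segs[0][2]
    return ([s[1] for s in segs] == list(range(1, total + 1))
            and all(s[0] == msgid and s[2] == total for s in segs))

def reassemble(lines):
    """Return (complete, cleaned_message) for every merged message."""
    return [(is_complete(m), strip_segment_headers(m))
            for m in merge_segments(lines)]
```

A `False` in the first tuple field means the Agent would receive a message with segments missing; such events are worth alerting on because the rest of the payload is gone.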

### Configure syslog message forwarding from BeyondTrust Privileged Remote Access{% #configure-syslog-message-forwarding-from-beyondtrust-privileged-remote-access %}

1. Sign in to the [**BeyondTrust B Series Appliance**](https://app.beyondtrust.io/pra/login/appliance).
1. From the top navigation menu, go to **Security > Appliance Administration**.
1. Enter the following details for the syslog configuration:
   - **Remote Syslog Server:** Enter the IP address or hostname of the rsyslog server.
   - **Message Format:** Select **Syslog over TLS (RFC 5425)**.
   - **Port:** Specify the port number on which the rsyslog server is listening.
   - **Trusted Certificate:** Upload the `rootCA.pem` certificate, which is used to secure the TLS connection to the rsyslog server.
1. Click **Submit**.

### Validation{% #validation %}

[Run the Agent's status subcommand](https://docs.datadoghq.com/agent/guide/agent-commands.md#agent-status-and-information) and look for `beyondtrust-privileged-remote-access` under the Logs Agent section.

## Data Collected{% #data-collected %}

### Logs{% #logs %}

The BeyondTrust Privileged Remote Access integration collects `Authentication & Authorization`, `User & Account Management`, `Group & Policy Management`, `Jumpoint & Remote Access Management`, `Network Configuration`, `Cryptography & Secrets Protection`, `Reporting & Compliance Evidence`, and `API & Integration Management` logs.

### Metrics{% #metrics %}

The BeyondTrust Privileged Remote Access integration does not include any metrics.

### Events{% #events %}

The BeyondTrust Privileged Remote Access integration does not include any events.

## Troubleshooting{% #troubleshooting %}

Need help? Contact [Datadog support](https://docs.datadoghq.com/help/).
