One Identity Safeguard for Privileged Sessions (SPS) can index the contents of audit trails using its own indexer service or external indexers. Indexing extracts the text from the audit trails and segments it to tokens. A token is a segment of the text that does not contain whitespace: for example words, dates (2009-03-14), MAC or IP addresses, and so on. The indexer returns the extracted tokens to SPS, which builds a comprehensive index from the tokens of the processed audit trails.
Once indexed, the contents of the audit trails can be searched from the web interface. SPS can extract the commands typed and the texts seen by the user in terminal sessions, and text from graphical protocols like RDP, Citrix ICA, and VNC. Window titles are also detected.
SPS has an internal indexer, which runs on the SPS appliance. In addition to the internal indexer, external indexers can run on Linux hosts.
Processing and indexing audit trails requires significant computing resources. If you have to audit lots of connections, or have a large number of custom reports configured, consider using an external indexer to decrease the load on SPS. For sizing recommendations, ask your One Identity partner or contact our Support Team.
-
The internal indexer service runs on the SPS appliance. It supports languages based on the Latin-, Greek- and Cyrillic alphabets, as well as Chinese, Japanese and Korean languages, allowing it to recognize texts from graphical audit trails in 100+ languages. It can also generate screenshots for content search results.
-
The external indexer runs on Linux hosts and instances. It uses the same engine as the indexer service of SPS, and has the same capabilities and limitations.
SPS can work with multiple external indexers to process audit trails.
NOTE: The version of the external indexer must be equal to or greater than the version of One Identity Safeguard for Privileged Sessions (SPS). To make sure you meet this criterion, One Identity recommends that you always upgrade your external indexer when you upgrade SPS. You can check that SPS has established a connection to the external indexer on the Indexer > Worker status page of the SPS web interface.
NOTE: If a text is displayed for less than 1 second, it is not indexed.
If you have indexed trails, the index is archived every 30 days.
|
Caution:
Hazard of data loss! Make sure you also back up your data besides archiving it. For more information, see Data and configuration backups. If a system crash occurs, you can lose up to 30 days of index, since the index is only archived every 30 days. |
-
To configure SPS to index the entire content of the audited connections, complete Configuring the internal indexer.
Indexing also needs to be enabled in the connection policy of the monitored connections.
-
To configure external indexers, complete Configuring external indexers.
-
To monitor the status of the servers indexing the audit trails, see Monitoring the status of the indexer services.
-
To create custom reports from the contents of the audit trails, complete Creating reports from audit trail content.
Reindex audit trails
In certain cases, reindexing already indexed audit trails might be necessary, for example, if the audit trails were indexed without full screen content but you still need to search in the screen content. In this case, the audit trails can be reindexed with a different indexer configuration to perform screen content extraction. For more information, contact our Support Team.