To most effectively search in the contents of the audit trails, make sure that the following prerequisites are met:
-
Indexing was enabled in the connection policy related to the audit trail during the session, and
-
the audit trail has already been indexed.
You can use the following in content search:
-
wildcards
-
boolean expressions
-
search in the commands of terminal connections (for example, command:"sudo su")
-
search in the window titles of graphical connections (for example, title:settings)
The following sections provide examples for different search queries.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
Searching for exact matches
By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for exact matches
| Search expression |
example |
| Matches |
example |
| Does not match |
examples
example.com
query-by-example
exam |
To search for an exact phrase, enclose the search keywords in double quotes.
| Search expression |
"example command" |
| Matches |
example command |
| Does not match |
example
command
example: command |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression |
C\:\\Windows |
| Matches |
C:\Windows |
Combining search keywords
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
Example: Combining keywords in search
| Search expression |
keyword1 AND keyword2 |
| Matches |
(returns hits that contain both keywords) |
| Search expression |
keyword1 OR keyword2 |
| Matches |
(returns hits that contain at least one of the keywords) |
| Search expression |
"keyword1 keyword2" NOT "keyword2 keyword3" |
| Matches |
(returns hits that contain the first phrase, but not the second) |
| Search expression |
+keyword1 keyword2 |
| Matches |
(returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Example: Using parentheses in search
Use parentheses to create more complex search expressions:
| Search expression |
(keyword1 OR keyword2) AND keyword3 |
| Matches |
(returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
Using wildcard searches
You can use the ? and * wildcards in your search expressions.
Example: Using wildcard ? in search
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
| Search expression |
example? |
| Matches |
example1
examples
example? |
| Does not match |
example.com
example12
query-by-example |
| Search expression |
example?? |
| Matches |
example12 |
| Does not match |
example.com
example1
query-by-example |
Example: Using wildcard * in search
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
| Search expression |
example* |
| Matches |
example
examples
example.com |
| Does not match |
query-by-example
example* |
Example: Using combined wildcards in search
Wildcard characters can be combined.
| Search expression |
ex?mple* |
| Matches |
example1
examples
example.com
exemple.com
example12 |
| Does not match |
exmples
query-by-example |
Searching for special characters
To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for special characters
To search for a special character, use a backslash (\).
| Search expression |
example\? |
| Matches |
example? |
| Does not match |
examples
example1 |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression |
C\:\\Windows |
| Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape the every slash with a backslash (\/).
| Search expression |
\/var\/log\/messages |
| Matches |
/var/log/messages |
| Search expression |
\(1\+1\)\:2 |
| Matches |
(1+1):2 |
Searching in commands and window titles
For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.
Example: Searching in commands and window titles
| Search expression |
command:"sudo su" |
| Matches |
sudo su as a terminal command |
| Does not match |
sudo su in general screen content |
| Search expression |
title:settings |
| Matches |
settings appearing in the title of an active window |
| Does not match |
settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
| Search expression |
properties AND NOT title:[* TO *] |
| Matches |
properties appearing in the screen content, but not as a window title. |
| Does not match |
properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
| Search expression |
title:properties AND gateway |
| Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
| Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Searching for fuzzy matches
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
Example: Searching for fuzzy matches
| Search expression |
roam~ |
| Matches |
roams
foam |
Proximity search
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
Example: Proximity search
| Search expression |
"keyword1 keyword2"~10 |
| Matches |
(returns hits that contain keyword1 and keyword2 within 10 words from each other) |
Adjusting the relevance of search terms
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
Example: Adjusting the relevance of search terms
| Search expression |
keyword1^4 keyword2 |
| Matches |
(returns hits that contain keyword1 and keyword2, but keyword1 is 4-times more relevant) |
| Search expression |
"keyword1 keyword2"^5 "keyword3 keyword4" |
| Matches |
(returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5-times more relevant) |
One Identity Safeguard for Privileged Sessions (SPS) stores the following parameters about the connections:
-
Additional metadata: Data about the connection recorded by the different plugins of SPS, for example, when using an Authentication and Authorization plugin.
-
Alerting: The list of content policy alerts triggered in the connection. For every alert, the following information is displayed:
-
Time of alert: Date and time of the alert
-
Alerting type: The type of the event (command, screen content, and so on).
-
Matched rule value: The expression that matched the content.
-
Matched context: Click this column to display the context of the matched content, for example, the contents of the screen, or the command line. The value that triggered the alert is highlighted.
For example, a content policy that detects every execution of the sudo command in SSH commands, creates the following entry: 2012-10-05 15:46:17.902004: (adp.event.command) 'sudo'
-
Application: The name of the application accessed in a seamless Citrix ICA connection.
-
Archive date: The date when the connection was archived or cleaned up.
-
Archive path: The path where the audit trail was archived on the remote server.
-
Archive server: The hostname or IP address of the remote server where the audit trail was archived.
-
Audit trail downloads: An audit trail has been downloaded.
-
Audit-trail: Name and ID of the audit file storing the traffic of the channel. If the session has an audit trail, a 
icon is displayed. Note that a the following letters may appear on the download icon:
-
C: The audit trail has been cleaned up and is not available any more.
-
A: The audit trail has been archived. SPS will try to retrieve it from the archive server.
-
X: The audit trail is not available for some reason.
You can filter the Audit-trail column for the following values:
-
no audit trail: Channels that have no audit trails.
-
has audit trail: Channels that have audit trails.
-
online: Channels that belong to an active, ongoing connection. If you are auditing every connection, then this list shows the connections also shown on the Active Connections page.
-
archived: Channels that had their audit trails archived to a remote server, but SPS cannot access the audit trail.
-
Authentication method: The authentication method used in the connection. For example, password
-
Channel policy: The Channel policy applied to connection. The Channel policy lists the channels (for example, terminal session and SCP in SSH, or Drawing and Clipboard in RDP) that can be used in the connection, and also determines if the channel is audited or not. The Channel policy can also restrict access to each channel based on the IP address of the client or the server, a user list, user group, or a time policy.
-
Channel type: Type of the channel.
-
Channel's indexing status: Shows if the channel has been indexed. The following values are possible:
-
CHANNEL_OPEN (0): The connection of the channel is still open (indexer is waiting for the connection to close).
-
NOT_INDEXED (1): All channels of the connection have been closed which belong to the connection. The channel is ready for indexing, unless the audit trail was placed in the skipped_connections queue.
-
INDEXING_IN_PROGRESS (2): The channel is being indexed (indexing in progress). Note that SPS will return search results for the parts of the channel are already indexed.
-
INDEXED (3): Indexing the channel is complete.
-
INDEXING_NOT_REQUIRED (4): Indexing not required (indexing is not enabled for the connection).
-
INDEXING_FAILED (5): Indexing failed. The indexer service writes the corresponding error message in the error_message column of the indexer_jobs table. Note that SPS will return search results for the parts of the channel that were successfully indexed before the error occurred. For example, if the error occurred at the end of a long audit trail, you can still search for content from the first part of the audit trail.
-
NO_TRAIL (6): Auditing is not enabled for the channel.
-
Client X.509 Subject: The client's certificate in TELNET or VNC sessions. Available only if the Client-side transport security settings > Peer certificate validation option is enabled in SPS.
-
Connection policy ID: The identifier of the connection policy.
-
Connection policy: The connection policy that handled the client's connection request.
-
Destination IP: The IP address of the server as requested by the client.
-
Destination port: The port number of the server as requested by the client.
-
Device name: The name or ID of the shared device (redirect) used in the RDP connection.
-
Duration: The length of the session.
-
Dynamic channel: The name or ID of the dynamic channel opened in the RDP session.
-
End time: Date when the channel was closed.
-
Events: A table that shows the commands that the user issued in a terminal session. These commands are searchable, together with the command prompt itself. Available only for Telnet and SSH session shell connections, if the audit trail has been indexed. For details on configuring indexing, see Indexing audit trails.
-
Exec command: The command executed in a Session exec channel.
-
File operations: The list of file operations (for example, file upload, create directory) performed by the client. Available only for SCP and SFTP sessions (Session exec SCP and Session SFTP SSH channels) if the Log file transfers to database option is enabled in the Channel Policy of the connection.
For both SCP and SFTP connections, the filename is stored in a human-readable way if it only includes UTF-8-encoded characters. If the filename is not a valid UTF-8-encoded filename, the non-ASCII characters are translated into their hexadecimal equivalents. In both cases, the asterisk (*) characters are escaped with another asterisk (*) character.
In case of a valid UTF-8-encoded filename:
In case of a not valid UTF-8-encoded filename:
-
Filename: ár*víz** in ISO-8859-2
-
Hexadecimal sequence: E1 72 2A 76 ED 7A 2A 2A
-
Stored in connection database as: *e1r**v*edz****
|
|
NOTE:
For SFTP connections, this field includes the path and the filename. For SCP connections, it includes only the filename, the path is available in the SCP Path field.
Windows and UNIX systems use different separator characters in the pathname, backslash (\) and slash (/), respectively. As the SCP and SFTP protocols do not specify the separator character used, SPS uses slash (/), for example, /var/log/messages. |
|
|
TIP:
Use the filter in the header of the column to find sessions containing a specific file (for example, enter .gz to list sessions that accessed files with the .gz extension). Note that currently it is possible to search only in the filename and path, and not in the changed privileges. |
-
Four-eyes authorizer: The username of the user who authorized the session. Available only if 4-eyes authorization is required for the channel. For details on 4-eyes authorization, see Configuring four-eyes authorization.
-
Four-eyes description: The description submitted by the authorizer of the session.
-
Hits and rank: Available only for indexed trails, when searching the content of the audit trails. This column is displayed automatically.
-
For channels indexed with the indexer service, displays the number of hits (search results) found in the audit trail, and the rank (relevance) of the audit trail regarding the search keywords. Rank is displayed as 1-5 stars. Hits is returned as a number for up to 100 results in the audit trail — the exact number of hits is not displayed if it is higher than 100.
-
For channels indexed with the Audit Player indexer service, rank is not available. The exact number of hits is not displayed, only that the search keywords were found in the trail at least once. In this case, the Hits and rank column displays 1+.
Note that because of performance reasons, the number of hits can be inaccurate and is only an approximation. In this case, SPS displays a tilde (~) sign to mark approximated hit counts.
-
Port-forward target IP: The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
-
Port-forward target port: The traffic was forwarded to this port in Remote Forward and Local Forward channels.
-
Port/X11 forward originator IP: The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
-
Port/X11 forward originator port: The number of the forwarded port in Remote Forward and Local Forward channels.
-
Protocol: The protocol used in the connection (Citrix ICA, HTTP, RDP, SSH, Telnet, or VNC).
-
Rule number: The number of the line in the Channel policy applied to the channel.
-
SCP path: Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option is enabled in the Channel Policy of the connection.
|
|
NOTE:
This field includes only the path, the filename is available in the File Operations field.
Windows and UNIX systems use different separator characters in the pathname, backslash (\) and slash (/), respectively. As the SCP and SFTP protocols do not specify the separator character used, SPS uses slash (/), for example, /var/log/messages. |
-
Server IP: The IP address of the server connected by SPS.
|
|
NOTE:
In case of HTTP, this is the target IP of the first request of the session, since it cannot be guaranteed that all page content come from the same server. |
-
Server-local IP: The IP address of SPS used in the server-side connection.
-
Server-local port: The port number of SPS used in the server-side connection.
-
Server port: The port number of the server connected by SPS.
-
Session ID:
A globally unique string that identifies the session. This session ID has the following format: svc/<unique-random-hash>/<name-of-the-connection-policy>:<session-number-since-service-started>/<protocol>, for example, svc/5tmEaM7xdNi1oscgVWpbZx/ssh_console:1/ssh.
Log messages related to the session also contain this ID. For example:
2015-03-20T14:29:15+01:00 demo.example
zorp/scb_ssh[5594]: scb.audit(4):
(svc/5tmEaM7xdNi1oscgVWpbZx/ssh_console:0/ssh):
Closing connection; connection='ssh_console',
protocol='ssh', connection_id='409829754550c1c7a27e7d',
src_ip='10.40.0.28', src_port='39183',
server_ip='10.10.20.35', server_port='22',
gateway_username='', remote_username='example-username',
verdict='ZV_ACCEPT'
-
Source IP: The IP address of the client.
-
Source port: The port number of the client.
-
Start time: Date when the channel was started.
-
Subsystem name: Name of the SSH subsystem used in the channel.
-
URLs: The list of URLs accessed in an HTTP session (the list is displayed in a pop-up window).
-
Unique connection ID: The unique identifier of the connection.
-
Username: The username used in the session.
-
If the user performed inband gateway authentication in the connection, the field contains the username from the gateway authentication (gateway username).
-
Otherwise, the field contains the username used on the remote server.
-
Username on server: The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection. For details on usermapping, see Configuring usermapping policies.
-
Verdict: Indicates what SPS decided about the channel.
-
ACCEPT: Accepted.
-
ACCEPT-TERMINATED: Connection was accepted and established, but a content policy terminated the connection. For details on content policies, see Real-time content monitoring with Content Policies.
-
CONN-AUTH-FAIL: User authentication failed.
-
CONN-DENY: Connection rejected.
-
CONN-FAIL: Connection failed, that is, it was allowed to pass SPS but timed out on the server.
-
CONN-GW-AUTH-FAIL: Gatway authentication failed.
-
CONN-KEY-ERROR: Hostkey mismatch.
-
CONN-USER-MAPPING-FAIL: Usermapping failed.
-
DENY: Denied.
-
FOUR-EYES-DEFERRED: Waiting for remote username.
-
FOUR-EYES-ERROR: Internal error during four-eyes authorization.
-
FOUR-EYES-REJECT: Four-eyes authorization rejected.
-
FOUR-EYES-TIMEOUT: Four-eyes authorization timed out.
|
|
NOTE:
The Verdict column only accepts capital letters. |
|
|
NOTE:
The rejected (CONN-DENY) HTTP requests are collected into a session, to avoid having too many entries in the database (for example when the user visits a forbidden page, and reloads the page several times, only one session will be visible instead of all the separate requests). The denied sessions have timeout and session ID. |
The following describes how to create and save a filter for later use.
To create and save a filter for later use
-
Navigate to the Search page.
-
Set the filters you need.
-
Select Predefined filter conditions > Save As. A pop-up window is displayed.
-
Enter a name for the filter into the Name field.
Figure 324: Search > Save as — Saving filter conditions
-
If you want the filter to be available for other One Identity Safeguard for Privileged Sessions (SPS) users as well, select Global. To restrict the availability of the filter to a set of specific users, select Scope > Global, click 
, and enter the name of the group whose members may use the filter. Repeat this step to add other groups if needed. Local filters are visible only for you.
|
|
NOTE:
Filters cannot be modified later, only deleted. A filter can be deleted by the user who created it, and by users whose group has the Search > Manage global filters privilege.
For more information on managing user rights, see Managing user rights and usergroups. |
-
To modify the timeframe of the search, select Interval, and set the beginning and ending date and time of the search. This is useful when you want to display only the connections of a specific event. Note that you must always set an interval for global filters.
-
Click OK.
