The following describes how you can use search filters to perform a more specific search.
To search using search filters
Enter a search filter in the Search query field, or click on an entry in the table.
Figure 222: Search — Search filters
There are search filters that are not displayed but you can still use them to filter the sessions. For example, you can search for active connections using the active search filter, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, Events, Alerts, or Contents tabs.
For the list of search filters that you can use, see List of available search filters.
|
|
TIP:
Search is case insensitive. To make the search case sensitive, enclose the search keywords in double quotes. The search queries can include only alphanumerical characters. You can use complex expressions and boolean operators. For more information, see Using the content search. |
After specifying the relevant filters, click Search.
|
|
TIP:
To save the filters for future use, simply save the URL or bookmark it in your browser. |
Connection metadata is displayed in columns that you can filter for any parameter, or a combination of parameters. You can view the connection metadata in the search columns and also displayed as fields in the Overview, Details, Events, Alerts, or Contents tabs.
This section lists the search filters that you can use to perform a more specific search. For information about how to use the search filters listed below, see Using search filters.
The following table provides an explanation to the search filter tables listed in this section.
| Name: |
Specifies the meaningful and easily readable name of the search filter. |
| Search filter: |
Specifies the filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, you can enter the server.address: 10.30.255.70 search filter in the Search query field. All search results that contain that specific server IP address are listed. |
| Displayed: |
Specifies if the search filter result is displayed as a field in the search columns or in the Overview, Details, Events, Alerts, or Contents tabs. There are search filters that are not displayed but you can still use them to filter the audit trails. For example, you can search for active connections using the active search filter, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, Events, Alerts, or Contents tabs. |
The following search filters are available:
|
Name: |
Alert type |
|
Search filter: |
alert_type |
|
Type: |
enum |
|
Displayed: |
True |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search filter: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search filter: |
matched_action |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search filter: |
matched_content |
|
Type: |
string |
|
Displayed: |
True |
The content the alert matched.
Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert if a user types the sudo command, then the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.
|
Name: |
Matched regexp |
|
Search filter: |
matched_regexp |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the content.
For details, see Real-time content monitoring with Content Policies.
|
Name: |
Alert ID |
|
Search filter: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Channel is active |
|
Search filter: |
active |
|
Type: |
boolean |
|
Displayed: |
True |
True if the session has not ended yet.
|
Name: |
Application |
|
Search filter: |
application |
|
Type: |
string |
|
Displayed: |
True |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search filter: |
audit_stream_id |
|
Type: |
string |
|
Displayed: |
True |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search filter: |
channel_id |
|
Type: |
long |
|
Displayed: |
True |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search filter: |
client_x509_subject |
|
Type: |
string |
|
Displayed: |
True |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search filter: |
command |
|
Type: |
string |
|
Displayed: |
True |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search filter: |
connected.ip |
|
Type: |
ip |
|
Displayed: |
True |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search filter: |
connected.name |
|
Type: |
text |
|
Displayed: |
True |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search filter: |
connected.port |
|
Type: |
port |
|
Displayed: |
True |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search filter: |
device_name |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the shared device (redirect) used in the RDP connection.
Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.
The name of the device.
|
Name: |
Channel duration |
|
Search filter: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search filter: |
dynamic_channel |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the dynamic channel opened in the RDP session.
|
Name: |
Channel end time |
|
Search filter: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Environment |
|
Search filter: |
environment |
|
Type: |
string |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search filter: |
four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
True |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search filter: |
four_eyes_description |
|
Type: |
string |
|
Displayed: |
True |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search filter: |
originator.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search filter: |
originator.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search filter: |
originator.port |
|
Type: |
port |
|
Displayed: |
True |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search filter: |
rule_num |
|
Type: |
string |
|
Displayed: |
True |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search filter: |
scp_path |
|
Type: |
string |
|
Displayed: |
True |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search filter: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search filter: |
subsystem_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search filter: |
type |
|
Type: |
enum |
|
Displayed: |
True |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
x11: X11 forward
|
Name: |
Channel verdict |
|
Search filter: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Window title |
|
Search filter: |
title |
|
Type: |
string |
|
Displayed: |
True |
The content of the title bar in the active window. The window title typically contains the name of the application, or the name of the dialogue box. Only available in graphical sessions (for example, RDP), if indexing is enabled.
|
Name: |
Event Action |
|
Search filter: |
action |
|
Type: |
string |
|
Displayed: |
True |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search filter: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search filter: |
content |
|
Type: |
string |
|
Displayed: |
True |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search filter: |
details |
|
Type: |
string |
|
Displayed: |
True |
The details of the protocol used for the operation.
|
Name: |
Operation |
|
Search filter: |
operation |
|
Type: |
string |
|
Displayed: |
True |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search filter: |
path |
|
Type: |
string |
|
Displayed: |
True |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search filter: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search filter: |
response_code |
|
Type: |
long |
|
Displayed: |
True |
The status code of the protocol response (if any) returned.
|
Name: |
Commands indexed |
|
Search filter: |
config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search filter: |
config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search filter: |
config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search filter: |
config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search filter: |
config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search filter: |
config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
True |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search filter: |
config.ocr_languages |
|
Type: |
string |
|
Displayed: |
True |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search filter: |
config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search filter: |
config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
True |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search filter: |
config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search filter: |
error.message |
|
Type: |
string |
|
Displayed: |
True |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search filter: |
statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
True |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search filter: |
statistics.duration |
|
Type: |
long |
|
Displayed: |
True |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search filter: |
statistics.start_time |
|
Type: |
date |
|
Displayed: |
True |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search filter: |
status |
|
Type: |
string |
|
Displayed: |
True |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search filter: |
version.adp |
|
Type: |
string |
|
Displayed: |
True |
The version of the audit data processor used for indexing the session
|
Name: |
Screen content |
|
Search filter: |
content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search filter: |
channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
Analytics Interesting events |
|
Search filter: |
analytics.interesting_events |
|
Type: |
string |
|
Displayed: |
True |
Collection of interesting command(s) and window title(s) from the session.
|
Name: |
Analytics Score |
|
Search filter: |
analytics.score.aggregated |
|
Type: |
long |
|
Displayed: |
True |
The risk score that the Analytics Module assigned to the session.Ranges from 0 to 100, 100 is the highest risk score.
|
Name: |
Score time |
|
Search filter: |
analytics.score.time |
|
Type: |
date |
|
Displayed: |
False |
The scoring time of the given analytics. The different analytics are scored at different times based on the type of the analytics and certain configuration settings.
|
Name: |
Command score |
|
Search filter: |
analytics.score.details.command.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Command algorithm.
|
Name: |
FIS score |
|
Search filter: |
analytics.score.details.fis.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Frequent Item Set (FIS) algorithm
|
Name: |
Host login score |
|
Search filter: |
analytics.score.details.hostlogin.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Host login algorithm.
|
Name: |
Login time score |
|
Search filter: |
analytics.score.details.logintime.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Login time algorithm.
|
Name: |
Keystroke score |
|
Search filter: |
analytics.score.details.keystroke.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Keystroke algorithm.
|
Name: |
Windowtitle score |
|
Search filter: |
analytics.score.details.windowtitle.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Window title algorithm.
|
Name: |
Scripted |
|
Search filter: |
analytics.scripted |
|
Type: |
boolean |
|
Displayed: |
True |
True if the One Identity Safeguard for Privileged Analytics module marked the session as scripted because of non-human activity
|
Name: |
Similar Sessions |
|
Search filter: |
analytics.similar_sessions |
|
Type: |
string |
|
Displayed: |
True |
Collection of similar sessions from different sources.
|
Name: |
Analytics tags |
|
Search filter: |
analytics.tags |
|
Type: |
string |
|
Displayed: |
True |
The Analytics tags section in Search > details.
|
Name: |
Client IP |
|
Search filter: |
client.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the client that initiated the session.
|
Name: |
Client name |
|
Search filter: |
client.name |
|
Type: |
string |
|
Displayed: |
True |
The name of the client that initiated the session.
|
Name: |
Client port |
|
Search filter: |
client.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the client that initiated the session.
|
Name: |
Creation time |
|
Search filter: |
creation_time |
|
Type: |
date |
|
Displayed: |
True |
The first time the pipeline created the session. It is different from start_time and can be later than start_time.
|
Name: |
Duration |
|
Search filter: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the session (how long the session lasted).
|
Name: |
End time |
|
Search filter: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was closed.
For ongoing connections, the value is null.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Log adapter |
|
Search filter: |
log.adapter_name |
|
Type: |
string |
|
Displayed: |
True |
The name of the Log Adapter Plugin. This plugin can be uploaded at Basic Settings > Plugins.
|
Name: |
Log auth method |
|
Search filter: |
log.auth_method |
|
Type: |
string |
|
Displayed: |
True |
SSH relayed authentication method. It is configured at SSH Control > Authentication Policies > Relayed authentication methods.
|
Name: |
Log syslog time |
|
Search filter: |
log.syslog_time |
|
Type: |
date |
|
Displayed: |
True |
Date of the message in the ISO 8601 compatible standard timestamp format.
|
Name: |
Node ID |
|
Search filter: |
node_id |
|
Type: |
string |
|
Displayed: |
True |
The node ID of the Safeguard for Privileged Sessions machine
|
Name: |
Origin |
|
Search filter: |
origin |
|
Type: |
string |
|
Displayed: |
True |
How One Identity Safeguard for Privileged Analytics received this session. Can be One Identity Safeguard for Privileged Sessions for sessions based on an audit trail recorded by One Identity Safeguard for Privileged Sessions, or LOG for sessions built from log data.
|
Name: |
Protocol |
|
Search filter: |
protocol |
|
Type: |
enum |
|
Displayed: |
True |
The protocol used in the session: Citrix ICA, HTTP, RDP, SSH, Telnet (including TN3270 and TN5250), or VNC.
Possible values:
HTTP: HTTP
ICA: ICA
RDP: RDP
SSH: SSH
TELNET: TELNET
VNC: VNC
|
Name: |
Additional metadata |
|
Search filter: |
recording.additional_metadata |
|
Type: |
string |
|
Displayed: |
False |
Data about the session recorded by the different plugins of One Identity Safeguard for Privileged Sessions, for example, when using an Authentication and Authorization plugin.
|
Name: |
Recording Archive date |
|
Search filter: |
recording.archive.date |
|
Type: |
date |
|
Displayed: |
True |
The date when the connection was archived or cleaned up.
|
Name: |
Recording Archive path |
|
Search filter: |
recording.archive.path |
|
Type: |
string |
|
Displayed: |
True |
The path where the audit trail was archived on the remote server.
|
Name: |
Recording Archive policy |
|
Search filter: |
recording.archive.policy |
|
Type: |
string |
|
Displayed: |
True |
The archive policy used to archive the audit trail.
|
Name: |
Recording Archive server |
|
Search filter: |
recording.archive.server |
|
Type: |
ip |
|
Displayed: |
True |
The hostname or IP address of the remote server where the audit trail was archived.
|
Name: |
Recording Archived |
|
Search filter: |
recording.archived |
|
Type: |
boolean |
|
Displayed: |
True |
Shows if the data (metadata, audit trail) about the session was archived to a remote server.
|
Name: |
Audit trail path |
|
Search filter: |
recording.audit_trail |
|
Type: |
string |
|
Displayed: |
False |
The path to the audit trail file on One Identity Safeguard for Privileged Sessions. If One Identity Safeguard for Privileged Sessions has already archived the audit trail, see the Archive path field instead.
. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.
|
Name: |
Audit trail download link |
|
Search filter: |
trail_download_link |
|
Type: |
string |
|
Displayed: |
True |
The download link to the audit trail file on One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Authentication method |
|
Search filter: |
recording.auth_method |
|
Type: |
string |
|
Displayed: |
True |
The authentication method used in the session.
|
Name: |
Recording Channel policy |
|
Search filter: |
recording.channel_policy |
|
Type: |
string |
|
Displayed: |
True |
The Channel policy applied to the session. Channel policy determines the channels permitted in the connection, and if the channel is audited or not. The Channel policy can restrict access based on IP address, user list, user group, or time policy.
You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.
|
Name: |
Commands available |
|
Search filter: |
recording.command_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands have been extracted from the session. The extracted commands are in the Events field.
|
Name: |
Recording Connection policy |
|
Search filter: |
recording.connection_policy |
|
Type: |
string |
|
Displayed: |
True |
The name of the Connection policy that handled the client's connection request.
This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Connection policy ID |
|
Search filter: |
recording.connection_policy_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Connection policy that handled the client's connection request.
You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Content reference ID |
|
Search filter: |
recording.content_reference_id |
|
Type: |
long |
|
Displayed: |
True |
The unique identifier for the session content search.
|
Name: |
Recording Indexing status |
|
Search filter: |
recording.index_status |
|
Type: |
enum |
|
Displayed: |
True |
Shows if the channel has been indexed.
Possible values:
CHANNEL_OPEN: Session is active
INDEXED: Session indexed
INDEXING_FAILED: Session indexing failed
INDEXING_IN_PROGRESS: Session indexing in progress
INDEXING_NOT_REQUIRED: Session indexing not required
NOT_INDEXED: Session is not indexed
NO_TRAIL: Auditing not enabled
|
Name: |
Has ZAC |
|
Search filter: |
recording.has_zac |
|
Type: |
boolean |
|
Displayed: |
False |
Audit Content file is available for the session. This file allows the user to search the content of graphical sessions using the Safeguard Desktop Player.
|
Name: |
Recording Network namespace |
|
Search filter: |
recording.network_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Linux network namespace where the session originated from.
|
Name: |
Server local IP address |
|
Search filter: |
recording.server_local.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Server local name |
|
Search filter: |
recording.server_local.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of One Identity Safeguard for Privileged Sessions used in the server-side connection. If the hostname is not available, this field contains the IP address of One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Server local port |
|
Search filter: |
recording.server_local.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Recording Session ID |
|
Search filter: |
recording.session_id |
|
Type: |
string |
|
Displayed: |
True |
A globally unique string that identifies the session. Log messages related to the session contain this ID.
|
Name: |
Target IP address |
|
Search filter: |
recording.target.ip |
|
Type: |
ip |
|
Displayed: |
True |
The client originally tried to access this IP address. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field.
|
Name: |
Target name |
|
Search filter: |
recording.target.name |
|
Type: |
text |
|
Displayed: |
True |
The client originally tried to access this host. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Recording Target port |
|
Search filter: |
recording.target.port |
|
Type: |
port |
|
Displayed: |
True |
The client originally tried to access this port. This can differ from the port of the destination server, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The port that the client actually connected to is in the Server port field.
|
Name: |
Recording Verdict |
|
Search filter: |
recording.verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session.
Possible values:
ACCEPT: Accepted
ACCEPT_TERMINATED: Terminated by a content policy
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
GW_AUTH_FAIL: Gateway authentication failed
KEY_ERROR: Hostkey mismatch
USER_MAPPING_FAIL: Usermapping failed
|
Name: |
Recording Window titles available |
|
Search filter: |
recording.window_title_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles have been extracted from the session. The extracted window titles are in the Window title field.
|
Name: |
Server IP |
|
Search filter: |
server.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the server that One Identity Safeguard for Privileged Sessions connected to. This address was the remote end of the server-side connection.
|
Name: |
Server ID |
|
Search filter: |
server.id |
|
Type: |
string |
|
Displayed: |
True |
The id of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Server hostname |
|
Search filter: |
server.name |
|
Type: |
string |
|
Displayed: |
True |
The hostname of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Server port |
|
Search filter: |
server.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Start time |
|
Search filter: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was started.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Gateway username |
|
Search filter: |
user.gateway_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection). Sometimes it is also called client-side username.
|
Name: |
Gateway username domain |
|
Search filter: |
user.gateway_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection).
|
Name: |
Username |
|
Search filter: |
user.name |
|
Type: |
string |
|
Displayed: |
True |
This field contains the username which was used by the user to authenticate to the remote server. Its value is the same as the gateway username when it is available. Otherwise, it will be filled with the server username.
|
Name: |
Name domain |
|
Search filter: |
user.name_domain |
|
Type: |
string |
|
Displayed: |
True |
This field contains the domain of the username which was used by the user to authenticate to the remote server. Its value is the same as the gateway domain when it is available. Otherwise, it will be filled with the server domain.
|
Name: |
Server username |
|
Search filter: |
user.server_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection.
|
Name: |
Server username domain |
|
Search filter: |
user.server_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to log in to the remote server.
|
Name: |
Verdict |
|
Search filter: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session. A session verdict that originates from log events or other external events.
Possible values:
ACCEPT: Accepted
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
PENDING: Connection is pending
TERMINATED: Connection terminated
|
Name: |
Channel is active |
|
Search filter: |
channel.active |
|
Type: |
boolean |
|
Displayed: |
False |
True if the session has not ended yet.
|
Name: |
Application |
|
Search filter: |
channel.application |
|
Type: |
string |
|
Displayed: |
False |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search filter: |
channel.audit_stream_id |
|
Type: |
string |
|
Displayed: |
False |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search filter: |
channel.channel_id |
|
Type: |
long |
|
Displayed: |
False |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search filter: |
channel.client_x509_subject |
|
Type: |
string |
|
Displayed: |
False |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search filter: |
channel.command |
|
Type: |
string |
|
Displayed: |
False |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search filter: |
channel.connected.ip |
|
Type: |
ip |
|
Displayed: |
False |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search filter: |
channel.connected.name |
|
Type: |
text |
|
Displayed: |
False |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search filter: |
channel.connected.port |
|
Type: |
port |
|
Displayed: |
False |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search filter: |
channel.device_name |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the shared device (redirect) used in the RDP connection.
|
Name: |
Channel duration |
|
Search filter: |
channel.duration |
|
Type: |
long |
|
Displayed: |
False |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search filter: |
channel.dynamic_channel |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the dynamic channel opened in the RDP session.
Used with the dynamic virtual RDP channel type.
|
Name: |
Channel end time |
|
Search filter: |
channel.end_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Environment |
|
Search filter: |
channel.environment |
|
Type: |
string |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search filter: |
channel.four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
False |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search filter: |
channel.four_eyes_description |
|
Type: |
string |
|
Displayed: |
False |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search filter: |
channel.originator.ip |
|
Type: |
ip |
|
Displayed: |
False |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search filter: |
channel.originator.name |
|
Type: |
text |
|
Displayed: |
False |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search filter: |
channel.originator.port |
|
Type: |
port |
|
Displayed: |
False |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search filter: |
channel.rule_num |
|
Type: |
string |
|
Displayed: |
False |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search filter: |
channel.scp_path |
|
Type: |
string |
|
Displayed: |
False |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search filter: |
channel.start_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search filter: |
channel.subsystem_name |
|
Type: |
string |
|
Displayed: |
False |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search filter: |
channel.type |
|
Type: |
enum |
|
Displayed: |
False |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
x11: X11 forward
|
Name: |
Channel verdict |
|
Search filter: |
channel.verdict |
|
Type: |
enum |
|
Displayed: |
False |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Event Action |
|
Search filter: |
event.action |
|
Type: |
string |
|
Displayed: |
False |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search filter: |
event.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search filter: |
event.content |
|
Type: |
string |
|
Displayed: |
False |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search filter: |
event.details |
|
Type: |
string |
|
Displayed: |
False |
The details of the protocol used for the operation.
|
Name: |
Operation |
|
Search filter: |
event.operation |
|
Type: |
string |
|
Displayed: |
False |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search filter: |
event.path |
|
Type: |
string |
|
Displayed: |
False |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search filter: |
event.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search filter: |
event.response_code |
|
Type: |
long |
|
Displayed: |
False |
The status code of the protocol response (if any) returned.
|
Name: |
Event date |
|
Search filter: |
event.time |
|
Type: |
date |
|
Displayed: |
False |
The date when the event happened.
|
Name: |
Event type |
|
Search filter: |
event.type |
|
Type: |
string |
|
Displayed: |
False |
The type of the event, for example, command, screen_content, window_title.
|
Name: |
Alert type |
|
Search filter: |
alert.alert_type |
|
Type: |
enum |
|
Displayed: |
False |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search filter: |
alert.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search filter: |
alert.matched_action |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search filter: |
alert.matched_content |
|
Type: |
string |
|
Displayed: |
False |
The content the alert matched.
|
Name: |
Matched regexp |
|
Search filter: |
alert.matched_regexp |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the content.
|
Name: |
Alert ID |
|
Search filter: |
alert.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Rule name |
|
Search filter: |
alert.rule_name |
|
Type: |
string |
|
Displayed: |
False |
The name of the content policy rule.
|
Name: |
Alert time |
|
Search filter: |
alert.time |
|
Type: |
date |
|
Displayed: |
False |
The timestamp of the alert.
|
Name: |
From API |
|
Search filter: |
trail_download.from_api |
|
Type: |
boolean |
|
Displayed: |
False |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search filter: |
trail_download.id |
|
Type: |
string |
|
Displayed: |
False |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search filter: |
trail_download.ip_address |
|
Type: |
ip |
|
Displayed: |
False |
The ip address from where the download is requested.
|
Name: |
Download time |
|
Search filter: |
trail_download.time |
|
Type: |
date |
|
Displayed: |
False |
The exact time when the user downloaded the audit trail file.
|
Name: |
Downloader username |
|
Search filter: |
trail_download.username |
|
Type: |
string |
|
Displayed: |
False |
The name of user who downloaded the audit trail of the session.
|
Name: |
Commands indexed |
|
Search filter: |
indexer_info.config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search filter: |
indexer_info.config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search filter: |
indexer_info.config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search filter: |
indexer_info.config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search filter: |
indexer_info.config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search filter: |
indexer_info.config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
False |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search filter: |
indexer_info.config.ocr_languages |
|
Type: |
string |
|
Displayed: |
False |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search filter: |
indexer_info.config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search filter: |
indexer_info.config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
False |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search filter: |
indexer_info.config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search filter: |
indexer_info.error.message |
|
Type: |
string |
|
Displayed: |
False |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search filter: |
indexer_info.statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
False |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search filter: |
indexer_info.statistics.duration |
|
Type: |
long |
|
Displayed: |
False |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search filter: |
indexer_info.statistics.start_time |
|
Type: |
date |
|
Displayed: |
False |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search filter: |
indexer_info.status |
|
Type: |
string |
|
Displayed: |
False |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search filter: |
indexer_info.version.adp |
|
Type: |
string |
|
Displayed: |
False |
The version of the audit data processor used for indexing the session
|
Name: |
Indexer version |
|
Search filter: |
indexer_info.version.worker |
|
Type: |
string |
|
Displayed: |
False |
The version of the indexer worker used for indexing the session
|
Name: |
ZAC created |
|
Search filter: |
indexer_info.config.zac.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if an Audit Content file was created while indexing the session.
|
Name: |
Screen content |
|
Search filter: |
screen.content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search filter: |
screen.channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
From API |
|
Search filter: |
from_api |
|
Type: |
boolean |
|
Displayed: |
True |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search filter: |
id |
|
Type: |
string |
|
Displayed: |
True |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search filter: |
ip_address |
|
Type: |
ip |
|
Displayed: |
True |
The ip address from where the download is requested.
|
|
NOTE:
This feature is available only if auditing and content indexing was requested for the connection. For more information, see Configuring the internal indexer. |
You can search in the contents of the audit trails as follows:
From your browser: Use this method to find all the sessions containing your search query.
Enter the screen.content: expression search filter in the Search query field. For example: screen.content="exit". The search returns all the sessions where exit was on the screen.
From the Safeguard Desktop Player application: Use this method to find the exact location of the search query within a specific audit trail.
Download the relevant audit trail, open it in the Safeguard Desktop Player application, and use the Search feature. You can also search in the contents of the audit trails for trails of graphical sessions created and indexed with One Identity Safeguard for Privileged Sessions (SPS) 6.0.
There are various ways you can refine your content query, you can:
use wildcards
use boolean expressions
search in the commands of terminal connections (for example, command:"sudo su")
search in the window titles of graphical connections (for example, title:settings)
The following sections provide examples for different search queries.
For examples of exact matches, see Searching for exact matches.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching with special characters, see Searching for special characters.
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
For examples of proximity search to find words that appear within a special distance, see Proximity search.
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
| Search expression | example |
| Matches | example |
| Does not match |
examples example.com query-by-example exam |
To search for an exact phrase, enclose the search keywords in double quotes.
| Search expression | "example command" |
| Matches | example command |
| Does not match |
example command example: command |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
| Search expression | keyword1 AND keyword2 |
| Matches | (returns hits that contain both keywords) |
| Search expression | keyword1 OR keyword2 |
| Matches | (returns hits that contain at least one of the keywords) |
| Search expression | "keyword1 keyword2" NOT "keyword2 keyword3" |
| Matches | (returns hits that contain the first phrase, but not the second) |
| Search expression | +keyword1 keyword2 |
| Matches | (returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Use parentheses to create more complex search expressions:
| Search expression | (keyword1 OR keyword2) AND keyword3 |
| Matches | (returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
You can use the ? and * wildcards in your search expressions.
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
| Search expression | example? |
| Matches |
example1 examples example? |
| Does not match |
example.com example12 query-by-example |
| Search expression | example?? |
| Matches |
example12 |
| Does not match |
example.com example1 query-by-example |
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
| Search expression | example* |
| Matches |
example examples example.com |
| Does not match |
query-by-example example* |
Wildcard characters can be combined.
| Search expression | ex?mple* |
| Matches |
example1 examples example.com exemple.com example12 |
| Does not match |
exmples query-by-example |
To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
To search for a special character, use a backslash (\).
| Search expression | example\? |
| Matches |
example? |
| Does not match |
examples example1 |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape the every slash with a backslash (\/).
| Search expression | \/var\/log\/messages |
| Matches |
/var/log/messages |
| Search expression | \(1\+1\)\:2 |
| Matches |
(1+1):2 |
For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search filters with other expressions and wildcards, for example, title:properties AND gateway.
| Search expression | command:"sudo su" |
| Matches |
sudo su as a terminal command |
| Does not match | sudo su in general screen content |
| Search expression | title:settings |
| Matches |
settings appearing in the title of an active window |
| Does not match | settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
| Search expression | properties AND NOT title:[* TO *] |
| Matches |
properties appearing in the screen content, but not as a window title. |
| Does not match | properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
| Search expression | title:properties AND gateway |
| Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
| Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
| Search expression | roam~ |
| Matches |
roams foam |
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
| Search expression | "keyword1 keyword2"~10 |
| Matches | (returns hits that contain keyword1 and keyword2 within 10 words from each other) |
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
| Search expression | keyword1^4 keyword2 |
| Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 4-times more relevant) |
| Search expression | "keyword1 keyword2"^5 "keyword3 keyword4" |
| Matches | (returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5-times more relevant) |
You can quickly sort and visualize the distribution of the sessions based on their various metadata, for example, username, server address, and so on.
To display statistics on search results
Click the 
Select the type of metadata you want to create statistics on from the Value distribution based on field, for example, select Username to display sessions based on username.
Figure 223: Search — Displaying statistics
To exclude items from the pie chart, click the 
For example, if you want to exclude results by a user called testbot, select the
Figure 224: Search — Excluding items from the pie chart
The pie chart now does not display results for the excluded item. The percentages always add up to 100%.
You can continue to restrict or refine your search results and view statistics as required.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
