Specify a time range to restrict, or filter your search criteria by setting boundaries on your searches. You can restrict the search to one of the preset time ranges, or use a custom time range for a more specific search.
When you specify a time range, the search result includes:
Connections started and finished anywhere between the start time and end time you specified.
Connections started anywhere between the start time and end time you specified.
Connections ended anywhere between the start time and end time you specified.
Active connections if they were started anywhere between the start time and the end time you specified.
For example, at 17:00 PM you specify a start date of 10:00 AM and end date of 15:00 PM for your search. The search result includes:
Connections started at 8:00 AM and ended at 14:00 PM.
Connections started at 11:00 AM and ended at 14:00 PM.
Connections started at 11:00 AM and ended at 16:00 PM.
Active connections started at 11:00 AM.
Active connections started at 10:00 AM.
To specify time ranges
To select the start date of your search, click Pick a date.
Alternatively, use the 
Figure 257: Search — Pick a date
From the calendar, select the start date as required.
NOTE: The date refers to the timezone configured on SPS.
For exact time ranges, specify to search by the hour and minute.
Figure 258: Search — Specify hour and minute
To select the end date of your search, click Pick a date and select a date as required.
If you specify only the start date, the end date is set to the current time.
Optional: To clear the start and end date, click
Optional: You can use the timeline for a quick time range selection and visual representation of sessions in the selected interval.
Click the 
Figure 259: Search — Using the timeline
The bars display the number of results in the selected interval.
The active sessions columns indicate all the sessions, which were active in the selected interval. The sessions started columns indicate all the sessions started during the selected interval. For example, if the selected interval is today between 8:00 AM and 9:00 AM, then a session started at 7:00 AM but lasting after 8:00 AM is displayed in the active sessions column. A session started at 8:30 AM is displayed in the sessions started column. Since the session was active during the selected time interval, the session started at 8:30 AM is also displayed in the active sessions column.
To disable the active sessions and view only the started sessions in the timeline, click 
Hovering the mouse above a bar displays the number of entries and the start and end date of the period that the bar represents.
Trend analysis allows you to use the timeline to find changes over time. For example, to find the time range where terminated connections had a significant peak compared to other days, from the Show trend for drop-down menu, select Verdict. Note that you can only view trend analysis for Active, Analytics Score, Client name, Protocol, Server hostname, Server port, Server username, Username and Verdict. All the other selections are grayed out.
The colors of the bars in the timeline allow you to quickly find the time range with a higher number of terminated sessions.
Optional: To clear the trend analysis view, from the Show trend for drop-down menu, select X.
Figure 260: Search — Using the timeline - trend analysis
To select a range, drag the mouse pointer across the timeline or use Shift+Click and select multiple bars.
The following describes how you can use search queries to perform a more specific search.
To search using search queries
Enter a search query in the Search query field, or click on an entry in the table.
To search, enter a valid search field followed by a value in the search field: VALUE format. For example, if you enter protocol: SSH, the search returns all the SSH sessions.
TIP: Search is case insensitive. To make the search case sensitive, enclose the search keywords in double quotes.
The search queries can include only alphanumerical characters. You can use complex expressions and boolean operators, for example, AND, OR, <,>, and so on.
For the list of search fields that you can use, see
For more information on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
There are search fields that are not displayed but you can still use them to query the sessions. For example, you can search for active connections using the active search field, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, and Timeline tabs.
Figure 261: Search — Search queries
Alternatively, click 
Figure 262: Search — Search filters - Basic view
After specifying the relevant query, click Search or press Enter.
TIP: To save the queries for future use, simply save the URL or bookmark it in your browser.
Session metadata is displayed in columns that you can query for any parameter, or a combination of parameters. You can view the metadata in the search columns and also displayed as fields in the Overview, Details, and Timeline tabs.
This section lists the search fields that you can use to perform a more specific search. For information about how to use the search fields listed below, see Using search queries.
The following table provides an explanation to the search field tables listed in this section.
| Name: |
Specifies the meaningful and easily readable name of the search field. |
| Search field: |
Specifies the filter expression that you can use to filter the audit trails. For example, to narrow your search to a specific server-side IP address, you can enter the server.address: 10.30.255.70 search query in the Search query field. All search results that contain that specific server IP address are listed. |
| Displayed: |
Specifies if the search query result is displayed as a field in the search columns or in the Overview, Details, and Timeline tabs. There are search fields that are not displayed but you can still use them to filter the audit trails. For example, you can search for active connections using the active search field, and search results are listed accordingly, but there is no active field displayed in the search table or in the Overview, Details, and Timeline tabs. |
The following search fields are available:
|
Name: |
Alert type |
|
Search field: |
alert_type |
|
Type: |
enum |
|
Displayed: |
True |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search field: |
matched_action |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search field: |
matched_content |
|
Type: |
string |
|
Displayed: |
True |
The content the alert matched.
Note that this value contains the context of the match as well. For example, if a Content Policy triggers an alert if a user types the sudo command, then the psm.alerts.matched_content value contains the entire command line, including the command prompt, for example, myuser@examplehost:~$ man sudo.
|
Name: |
Matched regexp |
|
Search field: |
matched_regexp |
|
Type: |
string |
|
Displayed: |
True |
The regular expression that matched the content.
For details, see Real-time content monitoring with Content Policies.
|
Name: |
Alert ID |
|
Search field: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Channel is active |
|
Search field: |
active |
|
Type: |
boolean |
|
Displayed: |
True |
True if the session has not ended yet.
|
Name: |
Application |
|
Search field: |
application |
|
Type: |
string |
|
Displayed: |
True |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search field: |
audit_stream_id |
|
Type: |
string |
|
Displayed: |
True |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
long |
|
Displayed: |
True |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search field: |
client_x509_subject |
|
Type: |
string |
|
Displayed: |
True |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search field: |
command |
|
Type: |
string |
|
Displayed: |
True |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search field: |
connected.ip |
|
Type: |
ip |
|
Displayed: |
True |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search field: |
connected.name |
|
Type: |
text |
|
Displayed: |
True |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search field: |
connected.port |
|
Type: |
port |
|
Displayed: |
True |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search field: |
device_name |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the shared device (redirect) used in the RDP connection.
Description: Used with the serial redirect, parallel redirect, printer redirect, disk redirect, and scard redirect RDP channel types.
The name of the device.
|
Name: |
Channel duration |
|
Search field: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search field: |
dynamic_channel |
|
Type: |
string |
|
Displayed: |
True |
The name or ID of the dynamic channel opened in the RDP session.
|
Name: |
Channel end time |
|
Search field: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Environment |
|
Search field: |
environment |
|
Type: |
string |
|
Displayed: |
True |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search field: |
four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
True |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search field: |
four_eyes_description |
|
Type: |
string |
|
Displayed: |
True |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search field: |
originator.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search field: |
originator.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search field: |
originator.port |
|
Type: |
port |
|
Displayed: |
True |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search field: |
rule_num |
|
Type: |
string |
|
Displayed: |
True |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search field: |
scp_path |
|
Type: |
string |
|
Displayed: |
True |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search field: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search field: |
subsystem_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search field: |
type |
|
Type: |
enum |
|
Displayed: |
True |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
websocket: WebSocket
x11: X11 forward
|
Name: |
Channel verdict |
|
Search field: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Window title |
|
Search field: |
title |
|
Type: |
string |
|
Displayed: |
True |
The content of the title bar in the active window. The window title typically contains the name of the application, or the name of the dialogue box. Only available in graphical sessions (for example, RDP), if indexing is enabled.
|
Name: |
Event Action |
|
Search field: |
action |
|
Type: |
string |
|
Displayed: |
True |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search field: |
channel_id |
|
Type: |
string |
|
Displayed: |
True |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search field: |
content |
|
Type: |
string |
|
Displayed: |
True |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search field: |
details |
|
Type: |
string |
|
Displayed: |
True |
The details of the protocol used for the operation.
|
Name: |
Event ID |
|
Search field: |
event_id |
|
Type: |
string |
|
Displayed: |
True |
The identifier of the vault event.
|
Name: |
Operation |
|
Search field: |
operation |
|
Type: |
string |
|
Displayed: |
True |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search field: |
path |
|
Type: |
string |
|
Displayed: |
True |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search field: |
record_id |
|
Type: |
long |
|
Displayed: |
True |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search field: |
response_code |
|
Type: |
long |
|
Displayed: |
True |
The status code of the protocol response (if any) returned.
|
Name: |
Commands indexed |
|
Search field: |
config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search field: |
config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search field: |
config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search field: |
config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
True |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search field: |
config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search field: |
config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
True |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search field: |
config.ocr_languages |
|
Type: |
string |
|
Displayed: |
True |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search field: |
config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search field: |
config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
True |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search field: |
config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search field: |
error.message |
|
Type: |
string |
|
Displayed: |
True |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search field: |
statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
True |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search field: |
statistics.duration |
|
Type: |
long |
|
Displayed: |
True |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search field: |
statistics.start_time |
|
Type: |
date |
|
Displayed: |
True |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search field: |
status |
|
Type: |
string |
|
Displayed: |
True |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search field: |
version.adp |
|
Type: |
string |
|
Displayed: |
True |
The version of the audit data processor used for indexing the session
|
Name: |
Screen content |
|
Search field: |
content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search field: |
channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
Analytics Interesting events |
|
Search field: |
analytics.interesting_events |
|
Type: |
string |
|
Displayed: |
True |
Collection of interesting command(s) and window title(s) from the session.
|
Name: |
Analytics Score |
|
Search field: |
analytics.score.aggregated |
|
Type: |
long |
|
Displayed: |
True |
The risk score that the Analytics Module assigned to the session.Ranges from 0 to 100, 100 is the highest risk score.
|
Name: |
Score time |
|
Search field: |
analytics.score.time |
|
Type: |
date |
|
Displayed: |
False |
The scoring time of the given analytics. The different analytics are scored at different times based on the type of the analytics and certain configuration settings.
|
Name: |
Command score |
|
Search field: |
analytics.score.details.command.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Command algorithm.
|
Name: |
FIS score |
|
Search field: |
analytics.score.details.fis.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Frequent Item Set (FIS) algorithm
|
Name: |
Host login score |
|
Search field: |
analytics.score.details.hostlogin.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Host login algorithm.
|
Name: |
Login time score |
|
Search field: |
analytics.score.details.logintime.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Login time algorithm.
|
Name: |
Keystroke score |
|
Search field: |
analytics.score.details.keystroke.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Keystroke algorithm.
|
Name: |
Mouse score |
|
Search field: |
analytics.score.details.mouse.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Mouse algorithm.
|
Name: |
Windowtitle score |
|
Search field: |
analytics.score.details.windowtitle.score |
|
Type: |
long |
|
Displayed: |
True |
Score given by the Window title algorithm.
|
Name: |
Scripted |
|
Search field: |
analytics.scripted |
|
Type: |
boolean |
|
Displayed: |
True |
True if the One Identity Safeguard for Privileged Analytics module marked the session as scripted because of non-human activity
|
Name: |
Similar Sessions |
|
Search field: |
analytics.similar_sessions |
|
Type: |
string |
|
Displayed: |
True |
Collection of similar sessions from different sources.
|
Name: |
Bucketed duration |
|
Search field: |
analytics.bucketed_duration |
|
Type: |
string |
|
Displayed: |
True |
Categorized length of session
|
Name: |
Bucketed starting hour |
|
Search field: |
analytics.bucketed_starting_hour |
|
Type: |
string |
|
Displayed: |
True |
Session start time categorized by hours
|
Name: |
Analytics tags |
|
Search field: |
analytics.tags |
|
Type: |
string |
|
Displayed: |
True |
The Analytics tags section in Search > details.
|
Name: |
Client IP |
|
Search field: |
client.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the client that initiated the session.
|
Name: |
Client name |
|
Search field: |
client.name |
|
Type: |
string |
|
Displayed: |
True |
The name of the client that initiated the session.
|
Name: |
Client port |
|
Search field: |
client.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the client that initiated the session.
|
Name: |
Creation time |
|
Search field: |
creation_time |
|
Type: |
date |
|
Displayed: |
True |
The first time the pipeline created the session. It is different from start_time and can be later than start_time.
|
Name: |
Duration |
|
Search field: |
duration |
|
Type: |
long |
|
Displayed: |
True |
The length of the session (how long the session lasted).
|
Name: |
End time |
|
Search field: |
end_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was closed.
For ongoing connections, the value is null.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Log adapter |
|
Search field: |
log.adapter_name |
|
Type: |
string |
|
Displayed: |
True |
The name of the Log Adapter Plugin. This plugin can be uploaded at Basic Settings > Plugins.
|
Name: |
Log auth method |
|
Search field: |
log.auth_method |
|
Type: |
string |
|
Displayed: |
True |
SSH relayed authentication method. It is configured at SSH Control > Authentication Policies > Relayed authentication methods.
|
Name: |
Log syslog time |
|
Search field: |
log.syslog_time |
|
Type: |
date |
|
Displayed: |
True |
Date of the message in the ISO 8601 compatible standard timestamp format.
|
Name: |
Node ID |
|
Search field: |
node_id |
|
Type: |
string |
|
Displayed: |
True |
The node ID of the Safeguard for Privileged Sessions machine
|
Name: |
Origin |
|
Search field: |
origin |
|
Type: |
string |
|
Displayed: |
True |
The source from where One Identity Safeguard for Privileged Sessions (SPS) received this session: sessions recorded by SPS, sessions recorded by and fetched from One Identity Safeguard for Privileged Passwords, or logs for sessions built from log data.
|
Name: |
Protocol |
|
Search field: |
protocol |
|
Type: |
enum |
|
Displayed: |
True |
The protocol used in the session: Citrix ICA, HTTP, RDP, SSH, Telnet (including TN3270 and TN5250), MSSQL or VNC.
Possible values:
HTTP: HTTP
ICA: ICA
RDP: RDP
SSH: SSH
TELNET: TELNET
VNC: VNC
MSSQL: MSSQL
|
Name: |
Appliance id |
|
Search field: |
vault.appliance_id |
|
Type: |
string |
|
Displayed: |
True |
The appliance's id
|
Name: |
Appliance name |
|
Search field: |
vault.appliance_name |
|
Type: |
string |
|
Displayed: |
True |
The appliance's name
|
Name: |
Access request type |
|
Search field: |
vault.access_request_type |
|
Type: |
string |
|
Displayed: |
True |
Access request type can be: SSH, RDP, Password
|
Name: |
Asset partition id |
|
Search field: |
vault.asset_partition_id |
|
Type: |
long |
|
Displayed: |
True |
ID of asset partition which represents a collection of assets and accounts along with management configuration
|
Name: |
Asset partition name |
|
Search field: |
vault.asset_partition_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the asset partition which represents a collection of assets and accounts along with management configuration
|
Name: |
Broker id |
|
Search field: |
vault.broker_id |
|
Type: |
long |
|
Displayed: |
True |
ID of the broker who made the access request
|
Name: |
Broker name |
|
Search field: |
vault.broker_name |
|
Type: |
string |
|
Displayed: |
True |
The broker's name who made the access request
|
Name: |
Account id |
|
Search field: |
vault.account_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the account being requested
|
Name: |
Account name |
|
Search field: |
vault.account_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the account being requested
|
Name: |
System id |
|
Search field: |
vault.system_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the system that has been requested access to. Should be displayed as assetId
|
Name: |
System name |
|
Search field: |
vault.system_name |
|
Type: |
string |
|
Displayed: |
True |
Name of the system that has been requested access to. Should be displayed as assetName
|
Name: |
Ticket number |
|
Search field: |
vault.ticket_number |
|
Type: |
string |
|
Displayed: |
True |
Number of the help desk ticket as required by policy
|
Name: |
Reason name |
|
Search field: |
vault.reason_name |
|
Type: |
string |
|
Displayed: |
True |
Reason's name for why the access request is needed
|
Name: |
Is emergency |
|
Search field: |
vault.is_emergency |
|
Type: |
boolean |
|
Displayed: |
True |
True when the access request was submitted as being an emergency
|
Name: |
Offline workflow |
|
Search field: |
vault.offline_workflow |
|
Type: |
boolean |
|
Displayed: |
True |
True when the access request is an offline workflow
|
Name: |
Auto approved |
|
Search field: |
vault.auto_approved |
|
Type: |
date |
|
Displayed: |
True |
Date when access request was auto-approved to see the workflow's life in a timeline
|
Name: |
Emergency access granted |
|
Search field: |
vault.emergency_access_granted |
|
Type: |
date |
|
Displayed: |
True |
Date when the emergency access request was granted to see the workflow's life in a timeline
|
Name: |
Available |
|
Search field: |
vault.available |
|
Type: |
date |
|
Displayed: |
True |
Date when the request is available for access
|
Name: |
Checked in |
|
Search field: |
vault.checked_in |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request is checked-in to see the workflow's life in a timeline
|
Name: |
Expired |
|
Search field: |
vault.expired |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request will expire
|
Name: |
Created user id |
|
Search field: |
vault.created.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the user who created the access request
|
Name: |
Created user name |
|
Search field: |
vault.created.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Name of the user who made the access request
|
Name: |
Created domain name |
|
Search field: |
vault.created.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
Domain mame of the user who made the access request
|
Name: |
Created user display name |
|
Search field: |
vault.created.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who made the access request
|
Name: |
Created client ip address |
|
Search field: |
vault.created.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who created the access request
|
Name: |
Created comment |
|
Search field: |
vault.created.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment for the created access request
|
Name: |
Created timestamp |
|
Search field: |
vault.created.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was created
|
Name: |
Denied user id |
|
Search field: |
vault.denied.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the user who denied the access request
|
Name: |
Denied user name |
|
Search field: |
vault.denied.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Name of the user who denied the access request
|
Name: |
Denied domain name |
|
Search field: |
vault.denied.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
The user's domain name who denied the access request
|
Name: |
Denied user display name |
|
Search field: |
vault.denied.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who denied the access request
|
Name: |
Denied client ip address |
|
Search field: |
vault.denied.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who denied the access request
|
Name: |
Denied comment |
|
Search field: |
vault.denied.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment made by approver to describe denial
|
Name: |
Denied timestamp |
|
Search field: |
vault.denied.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was denied
|
Name: |
Revoked user id |
|
Search field: |
vault.revoked.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the user who revoked the access request
|
Name: |
Revoked user name |
|
Search field: |
vault.revoked.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Username of the user who revoked the access request
|
Name: |
Revoked domain name |
|
Search field: |
vault.revoked.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
The user's domain name who revoked the access request
|
Name: |
Revoked user display name |
|
Search field: |
vault.revoked.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who revoked the access request
|
Name: |
Revoked client ip address |
|
Search field: |
vault.revoked.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who revoked the access request
|
Name: |
Revoked comment |
|
Search field: |
vault.revoked.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment made by approver to describe the revoke
|
Name: |
Revoked timestamp |
|
Search field: |
vault.revoked.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was revoked
|
Name: |
Closed user id |
|
Search field: |
vault.closed.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
User ID of user who closed the access request. Closing access request used by an admin when a review cannot be completed
|
Name: |
Closed user name |
|
Search field: |
vault.closed.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Username of the user who closed the access request. Closing access request used by an admin when a review cannot be completed
|
Name: |
Closed domain name |
|
Search field: |
vault.closed.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
The user's domain name who closed the access request
|
Name: |
Closed user display name |
|
Search field: |
vault.closed.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who closed the access request
|
Name: |
Closed client ip address |
|
Search field: |
vault.closed.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who closed the access request
|
Name: |
Closed comment |
|
Search field: |
vault.closed.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment for the request
|
Name: |
Closed timestamp |
|
Search field: |
vault.closed.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was closed
|
Name: |
Reviewed user id |
|
Search field: |
vault.reviewed.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the user who reviewed the access request
|
Name: |
Reviewed user name |
|
Search field: |
vault.reviewed.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Username of the user who reviewed the access request
|
Name: |
Reviewed domain name |
|
Search field: |
vault.reviewed.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
User's domain name who reviewed the access request
|
Name: |
Reviewed user display name |
|
Search field: |
vault.reviewed.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who reviewed the access request
|
Name: |
Reviewed client ip address |
|
Search field: |
vault.reviewed.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who reviewed the access request
|
Name: |
Reviewed comment |
|
Search field: |
vault.reviewed.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment made by reviewer to describe review
|
Name: |
Reviewed timestamp |
|
Search field: |
vault.reviewed.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was reviewed
|
Name: |
Approved user id |
|
Search field: |
vault.approved.user.user_id |
|
Type: |
long |
|
Displayed: |
True |
Database ID of the user who approved the access request
|
Name: |
Approved user name |
|
Search field: |
vault.approved.user.user_name |
|
Type: |
text |
|
Displayed: |
True |
Username of the user who approved the access request
|
Name: |
Approved domain name |
|
Search field: |
vault.approved.user.domain_name |
|
Type: |
string |
|
Displayed: |
True |
User's domain name who approved the access request
|
Name: |
Approved user display name |
|
Search field: |
vault.approved.user.user_display_name |
|
Type: |
text |
|
Displayed: |
True |
Display name of the user who approved the access request
|
Name: |
Approved client ip address |
|
Search field: |
vault.approved.user.client_ip_address |
|
Type: |
ip |
|
Displayed: |
True |
IP address of the user who approved the access request
|
Name: |
Approved comment |
|
Search field: |
vault.approved.comment |
|
Type: |
text |
|
Displayed: |
True |
Comment made by approver to describe approval
|
Name: |
Approved timestamp |
|
Search field: |
vault.approved.timestamp |
|
Type: |
date |
|
Displayed: |
True |
Date when the access request was approved
|
Name: |
Additional metadata |
|
Search field: |
recording.additional_metadata |
|
Type: |
string |
|
Displayed: |
False |
Data about the session recorded by the different plugins of One Identity Safeguard for Privileged Sessions, for example, when using an Authentication and Authorization plugin.
|
Name: |
Recording Archive date |
|
Search field: |
recording.archive.date |
|
Type: |
date |
|
Displayed: |
True |
The date when the connection was archived or cleaned up.
|
Name: |
Recording Archive path |
|
Search field: |
recording.archive.path |
|
Type: |
string |
|
Displayed: |
True |
The path where the audit trail was archived on the remote server.
|
Name: |
Recording Archive policy |
|
Search field: |
recording.archive.policy |
|
Type: |
string |
|
Displayed: |
True |
The archive policy used to archive the audit trail.
|
Name: |
Recording Archive server |
|
Search field: |
recording.archive.server |
|
Type: |
ip |
|
Displayed: |
True |
The hostname or IP address of the remote server where the audit trail was archived.
|
Name: |
Recording Archived |
|
Search field: |
recording.archived |
|
Type: |
boolean |
|
Displayed: |
True |
Shows if the data (metadata, audit trail) about the session was archived to a remote server.
|
Name: |
Audit trail path |
|
Search field: |
recording.audit_trail |
|
Type: |
string |
|
Displayed: |
False |
The path to the audit trail file on One Identity Safeguard for Privileged Sessions. If One Identity Safeguard for Privileged Sessions has already archived the audit trail, see the Archive path field instead.
. If the session does not have an audit trail, this element is not used. To download the audit trail, see Replaying audit trails in your browser.
|
Name: |
Audit trail download link |
|
Search field: |
trail_download_link |
|
Type: |
string |
|
Displayed: |
True |
The download link to the audit trail file on One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Authentication method |
|
Search field: |
recording.auth_method |
|
Type: |
string |
|
Displayed: |
True |
The authentication method used in the session.
|
Name: |
Recording Channel policy |
|
Search field: |
recording.channel_policy |
|
Type: |
string |
|
Displayed: |
True |
The Channel policy applied to the session. Channel policy determines the channels permitted in the connection, and if the channel is audited or not. The Channel policy can restrict access based on IP address, user list, user group, or time policy.
You can find the list of channel policies for each protocol at the <Protocol> Control > Channel Policies page.
|
Name: |
Commands available |
|
Search field: |
recording.command_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if commands have been extracted from the session. The extracted commands are in the Events field.
|
Name: |
Recording Connection policy |
|
Search field: |
recording.connection_policy |
|
Type: |
string |
|
Displayed: |
True |
The name of the Connection policy that handled the client's connection request.
This is the name displayed on the <Protocol> Control > Connections page of the SPS web interface, and in the name field of the Connection Policy object. You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Connection policy ID |
|
Search field: |
recording.connection_policy_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Connection policy that handled the client's connection request.
You can find the list of connection policies for each protocol at the <Protocol> Control > Connections page.
|
Name: |
Recording Content reference ID |
|
Search field: |
recording.content_reference_id |
|
Type: |
long |
|
Displayed: |
True |
The unique identifier for the session content search.
|
Name: |
Deny Reason |
|
Search field: |
recording.deny_reason |
|
Type: |
string |
|
Displayed: |
True |
The failure reason in case of a DENY verdict sent by an AA plugin.
|
Name: |
Recording Indexing status |
|
Search field: |
recording.index_status |
|
Type: |
enum |
|
Displayed: |
True |
Shows if the channel has been indexed.
Possible values:
CHANNEL_OPEN: Session is active
INDEXED: Session indexed
INDEXING_FAILED: Session indexing failed
INDEXING_IN_PROGRESS: Session indexing in progress
INDEXING_NOT_REQUIRED: Session indexing not required
NOT_INDEXED: Session is not indexed
NO_TRAIL: Auditing not enabled
INDEXING_ABORTED: Session indexing in progress was aborted
|
Name: |
Has ZAC |
|
Search field: |
recording.has_zac |
|
Type: |
boolean |
|
Displayed: |
False |
Audit Content file is available for the session. This file allows the user to search the content of graphical sessions using the Safeguard Desktop Player.
|
Name: |
Recording Network namespace |
|
Search field: |
recording.network_id |
|
Type: |
string |
|
Displayed: |
True |
The ID of the Linux network namespace where the session originated from.
|
Name: |
Server local IP address |
|
Search field: |
recording.server_local.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Server local name |
|
Search field: |
recording.server_local.name |
|
Type: |
text |
|
Displayed: |
True |
The hostname of One Identity Safeguard for Privileged Sessions used in the server-side connection. If the hostname is not available, this field contains the IP address of One Identity Safeguard for Privileged Sessions.
|
Name: |
Recording Server local port |
|
Search field: |
recording.server_local.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of One Identity Safeguard for Privileged Sessions used in the server-side connection.
|
Name: |
Recording Session ID |
|
Search field: |
recording.session_id |
|
Type: |
string |
|
Displayed: |
True |
A globally unique string that identifies the session. Log messages related to the session contain this ID.
|
Name: |
Target IP address |
|
Search field: |
recording.target.ip |
|
Type: |
ip |
|
Displayed: |
True |
The client originally tried to access this IP address. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field.
|
Name: |
Target name |
|
Search field: |
recording.target.name |
|
Type: |
text |
|
Displayed: |
True |
The client originally tried to access this host. This can differ from the destination address, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The address that the client actually connected to is in the Server address field. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Recording Target port |
|
Search field: |
recording.target.port |
|
Type: |
port |
|
Displayed: |
True |
The client originally tried to access this port. This can differ from the port of the destination server, for example, when One Identity Safeguard for Privileged Sessions is configured to redirect the connection. The port that the client actually connected to is in the Server port field.
|
Name: |
Recording Verdict |
|
Search field: |
recording.verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session.
Possible values:
ACCEPT: Accepted
ACCEPT_TERMINATED: Terminated by a content policy
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
GW_AUTH_FAIL: Gateway authentication failed
KEY_ERROR: Hostkey mismatch
USER_MAPPING_FAIL: Usermapping failed
|
Name: |
Recording Window titles available |
|
Search field: |
recording.window_title_extracted |
|
Type: |
boolean |
|
Displayed: |
True |
True if window titles have been extracted from the session. The extracted window titles are in the Window title field.
|
Name: |
Server IP |
|
Search field: |
server.ip |
|
Type: |
ip |
|
Displayed: |
True |
The IP address of the server that One Identity Safeguard for Privileged Sessions connected to. This address was the remote end of the server-side connection.
|
Name: |
Server hostname |
|
Search field: |
server.name |
|
Type: |
string |
|
Displayed: |
True |
The hostname of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Server port |
|
Search field: |
server.port |
|
Type: |
port |
|
Displayed: |
True |
The port number of the server that One Identity Safeguard for Privileged Sessions connected to.
|
Name: |
Start time |
|
Search field: |
start_time |
|
Type: |
date |
|
Displayed: |
True |
Date when the session was started.
Starting with SPS 5 LTS, the timestamp is in ISO 8601 format, for example, 2018-10-11T09:23:38.000+02:00. In earlier versions, it was in UNIX timestamp format.
|
Name: |
Gateway username |
|
Search field: |
user.gateway_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection). Sometimes it is also called client-side username.
|
Name: |
Gateway username domain |
|
Search field: |
user.gateway_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to authenticate on the One Identity Safeguard for Privileged Sessions gateway (that is, in the client-side connection).
|
Name: |
Username |
|
Search field: |
user.name |
|
Type: |
string |
|
Displayed: |
True |
This field contains the username, which was used by the user to authenticate to the remote server. Its value is the same as the gateway username when it is available, otherwise, it will be filled with the server username.
|
Name: |
Name domain |
|
Search field: |
user.name_domain |
|
Type: |
string |
|
Displayed: |
True |
This field contains the domain of the username, which was used by the user to authenticate to the remote server. Its value is the same as the gateway domain when it is available, otherwise, it will be filled with the server domain.
|
Name: |
Server username |
|
Search field: |
user.server_username |
|
Type: |
string |
|
Displayed: |
True |
The username used to log in to the remote server. This username can differ from the client-side username if usermapping is used in the connection.
|
Name: |
Server username domain |
|
Search field: |
user.server_username_domain |
|
Type: |
string |
|
Displayed: |
True |
The domain of the username used to log in to the remote server.
|
Name: |
Verdict |
|
Search field: |
verdict |
|
Type: |
enum |
|
Displayed: |
True |
Indicates what One Identity Safeguard for Privileged Sessions decided about the session. A session verdict that originates from log events or other external events.
Possible values:
ACCEPT: Accepted
AUTH_FAIL: Authentication failed
DENY: Connection rejected
FAIL: Connection timed out on the server
PENDING: Connection is pending
TERMINATED: Connection terminated
|
Name: |
Channel is active |
|
Search field: |
channel.active |
|
Type: |
boolean |
|
Displayed: |
False |
True if the session has not ended yet.
|
Name: |
Application |
|
Search field: |
channel.application |
|
Type: |
string |
|
Displayed: |
False |
The name of the application accessed in a seamless Citrix ICA connection.
|
Name: |
Audit stream ID |
|
Search field: |
channel.audit_stream_id |
|
Type: |
string |
|
Displayed: |
False |
The identifier of the channel's audit stream. If the session does not have an audit trail, this element is not used.
|
Name: |
Channel ID |
|
Search field: |
channel.channel_id |
|
Type: |
long |
|
Displayed: |
False |
The unique ID of the channel.
|
Name: |
Client X.509 Subject |
|
Search field: |
channel.client_x509_subject |
|
Type: |
string |
|
Displayed: |
False |
The client's certificate in TELNET or VNC sessions. Available only if the 'Client-side transport security settings > Peer certificate validation' option is enabled in One Identity Safeguard for Privileged Sessions.
|
Name: |
Executed commands |
|
Search field: |
channel.command |
|
Type: |
string |
|
Displayed: |
False |
Lists the commands executed in an SSH session.
|
Name: |
Port-forward target IP |
|
Search field: |
channel.connected.ip |
|
Type: |
ip |
|
Displayed: |
False |
The traffic was forwarded to this IP address in Remote Forward and Local Forward channels.
|
Name: |
Port-forward target name |
|
Search field: |
channel.connected.name |
|
Type: |
text |
|
Displayed: |
False |
The traffic was forwarded to this host in Remote Forward and Local Forward channels. If the hostname is not available, this field contains the IP address of the host
|
Name: |
Port-forward target port |
|
Search field: |
channel.connected.port |
|
Type: |
port |
|
Displayed: |
False |
The traffic was forwarded to this port in Remote Forward and Local Forward channels.
|
Name: |
Device name |
|
Search field: |
channel.device_name |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the shared device (redirect) used in the RDP connection.
|
Name: |
Channel duration |
|
Search field: |
channel.duration |
|
Type: |
long |
|
Displayed: |
False |
The length of the channel (how long the channel lasted).
|
Name: |
Dynamic channel |
|
Search field: |
channel.dynamic_channel |
|
Type: |
string |
|
Displayed: |
False |
The name or ID of the dynamic channel opened in the RDP session.
Used with the dynamic virtual RDP channel type.
|
Name: |
Channel end time |
|
Search field: |
channel.end_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Environment |
|
Search field: |
channel.environment |
|
Type: |
string |
|
Displayed: |
False |
Date when the channel was closed.
|
Name: |
Four-eyes authorizer |
|
Search field: |
channel.four_eyes_authorizer |
|
Type: |
string |
|
Displayed: |
False |
The username of the user who authorized the session. Available only if four-eyes authorization is required for the channel.
|
Name: |
Four-eyes description |
|
Search field: |
channel.four_eyes_description |
|
Type: |
string |
|
Displayed: |
False |
The description submitted by the authorizer of the session.
|
Name: |
Channel originator IP address |
|
Search field: |
channel.originator.ip |
|
Type: |
ip |
|
Displayed: |
False |
The IP address of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection.
|
Name: |
Channel originator name |
|
Search field: |
channel.originator.name |
|
Type: |
text |
|
Displayed: |
False |
The hostname of the host initiating the channel in Remote Forward and Local Forward channels. Note that this host is not necessarily the client or the server of the SSH connection. If the hostname is not available, this field contains the IP address of the host.
|
Name: |
Originator port |
|
Search field: |
channel.originator.port |
|
Type: |
port |
|
Displayed: |
False |
The number of the forwarded port in Remote Forward and Local Forward SSH channels.
|
Name: |
Rule number |
|
Search field: |
channel.rule_num |
|
Type: |
string |
|
Displayed: |
False |
The number of the line in the Channel policy applied to the channel.
|
Name: |
SCP path |
|
Search field: |
channel.scp_path |
|
Type: |
string |
|
Displayed: |
False |
Name and path of the file copied via SCP. Available only for SCP sessions (Session exec SCP SSH channels) if the Log file transfers to database option isenabled in the Channel Policy of the connection.
|
Name: |
Channel start time |
|
Search field: |
channel.start_time |
|
Type: |
date |
|
Displayed: |
False |
Date when the channel was started.
|
Name: |
Subsystem name |
|
Search field: |
channel.subsystem_name |
|
Type: |
string |
|
Displayed: |
False |
Name of the SSH subsystem used in the channel.
|
Name: |
Channel type |
|
Search field: |
channel.type |
|
Type: |
enum |
|
Displayed: |
False |
Type of the channel.
Possible values:
#drawing: Drawing
CTXCAM: Audio
CTXCDM: Drive
CTXCLIP: Clipboard
CTXCOM1: Printer (COM1)
CTXCOM2: Printer (COM2)
CTXCPM: Printer Spooler
CTXFLSH: HDX Mediastream
CTXLPT1: Printer (LPT1)
CTXLPT2: Printer (LPT2)
CTXSCRD: Smartcard
CTXTW: Drawing (Thinwire)
CTXTWI: Seamless
CTXUSB: USB
SPDBRS: Speedbrowse
auth-agent: Agent
cliprdr: Clipboard
custom: Custom
direct-tcpip: Local forward
drawing: Drawing
drdynvc: Dynamic virtual channel
forwarded-tcpip: Remote forward
http: HTTP
rdpdr: Redirects
rdpdr-disk: Disk redirect
rdpdr-parallel: Parallel redirect
rdpdr-printer: Printer redirect
rdpdr-scard: SCard redirect
rdpdr-serial: Serial redirect
rdpsnd: Sound
seamrdp: Seamless
session-exec: Session exec
session-exec-scp: Session exec SCP
session-shell: Session shell
session-subsystem: Session subsystem
session-subsystem-sftp: Session SFTP
telnet: Telnet
vnc: VNC
websocket: WebSocket
x11: X11 forward
|
Name: |
Channel verdict |
|
Search field: |
channel.verdict |
|
Type: |
enum |
|
Displayed: |
False |
Indicates what One Identity Safeguard for Privileged Sessions decided about the channel.
Possible values:
ACCEPT: Accepted
DENY: Denied
FOUR_EYES_DEFERRED: Waiting for remote username
FOUR_EYES_ERROR: Internal error during four-eyes authorization
FOUR_EYES_REJECT: Four-eyes authorization rejected
FOUR_EYES_TIMEOUT: Four-eyes authorization timed out
|
Name: |
Event Action |
|
Search field: |
event.action |
|
Type: |
string |
|
Displayed: |
False |
The command line without prompt in commands
|
Name: |
Channel ID |
|
Search field: |
event.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the event belongs to.
|
Name: |
Event content |
|
Search field: |
event.content |
|
Type: |
string |
|
Displayed: |
False |
The command executed, or the window title detected in the channel (for example, ls, exit, or Firefox).
|
Name: |
Protocol details |
|
Search field: |
event.details |
|
Type: |
string |
|
Displayed: |
False |
The details of the protocol used for the operation.
|
Name: |
Event ID |
|
Search field: |
event.event_id |
|
Type: |
string |
|
Displayed: |
False |
The identifier of the vault event.
|
Name: |
Operation |
|
Search field: |
event.operation |
|
Type: |
string |
|
Displayed: |
False |
The type of the operation that occurred, for example, Create file (in the case of FTP) or GET (in the case of HTTP).
|
Name: |
Path |
|
Search field: |
event.path |
|
Type: |
string |
|
Displayed: |
False |
The path (if any) used by the operation that occurred.
|
Name: |
Event ID |
|
Search field: |
event.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the event within the audit trail (.zat file).
|
Name: |
Response code |
|
Search field: |
event.response_code |
|
Type: |
long |
|
Displayed: |
False |
The status code of the protocol response (if any) returned.
|
Name: |
Event date |
|
Search field: |
event.time |
|
Type: |
date |
|
Displayed: |
False |
The date when the event happened.
|
Name: |
Event type |
|
Search field: |
event.type |
|
Type: |
string |
|
Displayed: |
False |
The type of the event, for example, command, screen_content, window_title.
|
Name: |
Alert type |
|
Search field: |
alert.alert_type |
|
Type: |
enum |
|
Displayed: |
False |
The type of the alert.
Possible values:
adp.event.command: A command entered in SSH or Telnet.
adp.event.screen.content: Alert triggered by the screen content.
adp.event.screen.creditcard: Credit card numbers detected. Displayed only as an alert, not visible in the events.
adp.event.screen.windowtitle: The title of the window in graphic protocols.
|
Name: |
Channel ID |
|
Search field: |
alert.channel_id |
|
Type: |
string |
|
Displayed: |
False |
The id of the channel the alert belongs to.
|
Name: |
Matched regexp on action |
|
Search field: |
alert.matched_action |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the command line without prompt
|
Name: |
Matched content |
|
Search field: |
alert.matched_content |
|
Type: |
string |
|
Displayed: |
False |
The content the alert matched.
|
Name: |
Matched regexp |
|
Search field: |
alert.matched_regexp |
|
Type: |
string |
|
Displayed: |
False |
The regular expression that matched the content.
|
Name: |
Alert ID |
|
Search field: |
alert.record_id |
|
Type: |
long |
|
Displayed: |
False |
The identifier of the alert within the audit trail (.zat file).
|
Name: |
Rule name |
|
Search field: |
alert.rule_name |
|
Type: |
string |
|
Displayed: |
False |
The name of the content policy rule.
|
Name: |
Alert time |
|
Search field: |
alert.time |
|
Type: |
date |
|
Displayed: |
False |
The timestamp of the alert.
|
Name: |
From API |
|
Search field: |
trail_download.from_api |
|
Type: |
boolean |
|
Displayed: |
False |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search field: |
trail_download.id |
|
Type: |
string |
|
Displayed: |
False |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search field: |
trail_download.ip_address |
|
Type: |
ip |
|
Displayed: |
False |
The ip address from where the download is requested.
|
Name: |
Download time |
|
Search field: |
trail_download.time |
|
Type: |
date |
|
Displayed: |
False |
The exact time when the user downloaded the audit trail file.
|
Name: |
Downloader username |
|
Search field: |
trail_download.username |
|
Type: |
string |
|
Displayed: |
False |
The name of user who downloaded the audit trail of the session.
|
Name: |
Commands indexed |
|
Search field: |
indexer_info.config.command.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if commands were extracted while indexing the session.
|
Name: |
Keyboard buffering interval |
|
Search field: |
indexer_info.config.keyboard.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting keyboard events while indexing the session.
|
Name: |
Keyboard extracted |
|
Search field: |
indexer_info.config.keyboard.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if keyboard events were extracted while indexing the session.
|
Name: |
Mouse buffering interval |
|
Search field: |
indexer_info.config.mouse.buffer_interval |
|
Type: |
double |
|
Displayed: |
False |
The buffering interval in milliseconds used when extracting mouse events while indexing the session.
|
Name: |
Mouse extracted |
|
Search field: |
indexer_info.config.mouse.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if mouse events were extracted while indexing the session.
|
Name: |
Near real-time indexing |
|
Search field: |
indexer_info.config.near_realtime |
|
Type: |
boolean |
|
Displayed: |
False |
True if indexing this session was done near real-time (when the session was still active).
|
Name: |
OCR languages |
|
Search field: |
indexer_info.config.ocr_languages |
|
Type: |
string |
|
Displayed: |
False |
The language configuration for optical character recognition used when indexing the session.
|
Name: |
Screen content indexed |
|
Search field: |
indexer_info.config.screen.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if screen content was extracted while indexing the session.
|
Name: |
OCR tradeoff |
|
Search field: |
indexer_info.config.screen.omnipage_trade_off |
|
Type: |
string |
|
Displayed: |
False |
The tradeoff used for optical character recognition when extracting screen content while indexing the session.
|
Name: |
Titles indexed |
|
Search field: |
indexer_info.config.title.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if window titles were extracted while indexing the session.
|
Name: |
Indexing error |
|
Search field: |
indexer_info.error.message |
|
Type: |
string |
|
Displayed: |
False |
The reason why indexing failed
|
Name: |
Indexing cpu time |
|
Search field: |
indexer_info.statistics.cpu_time |
|
Type: |
long |
|
Displayed: |
False |
The CPU time that indexing this session took in milliseconds.
|
Name: |
Indexing duration |
|
Search field: |
indexer_info.statistics.duration |
|
Type: |
long |
|
Displayed: |
False |
The duration of time that indexing this session took in milliseconds.
|
Name: |
Indexing start time |
|
Search field: |
indexer_info.statistics.start_time |
|
Type: |
date |
|
Displayed: |
False |
The time and date when indexing this session started.
|
Name: |
Indexing status |
|
Search field: |
indexer_info.status |
|
Type: |
string |
|
Displayed: |
False |
Shows if the channel has been indexed successfully or not.
|
Name: |
Indexer ADP version |
|
Search field: |
indexer_info.version.adp |
|
Type: |
string |
|
Displayed: |
False |
The version of the audit data processor used for indexing the session
|
Name: |
Indexer version |
|
Search field: |
indexer_info.version.worker |
|
Type: |
string |
|
Displayed: |
False |
The version of the indexer worker used for indexing the session
|
Name: |
ZAC created |
|
Search field: |
indexer_info.config.zac.enabled |
|
Type: |
boolean |
|
Displayed: |
False |
True if an Audit Content file was created while indexing the session.
|
Name: |
Screen content |
|
Search field: |
screen.content |
|
Type: |
string |
|
Displayed: |
False |
Text that appeared on the screen in the session.
|
Name: |
Channel id in trail |
|
Search field: |
screen.channel_id_in_trail |
|
Type: |
long |
|
Displayed: |
False |
The ID of the channel where this content appeared. To check the channel ID (channel_id), select a session and click details. Navigate to details > Channels and click the channel type.
|
Name: |
From API |
|
Search field: |
from_api |
|
Type: |
boolean |
|
Displayed: |
True |
The audit trail downloaded via API or not.
|
Name: |
Trail download ID |
|
Search field: |
id |
|
Type: |
string |
|
Displayed: |
True |
The ID of an audit trail download event.
|
Name: |
Download ip |
|
Search field: |
ip_address |
|
Type: |
ip |
|
Displayed: |
True |
The ip address from where the download is requested.
NOTE: This feature is available only if auditing and content indexing was requested for the connection.
For more information, see Configuring the internal indexer.
You can search in the contents of the audit trails as follows:
From your browser: Use this method to find all the sessions containing your search query.
Enter the screen.content: expression search query in the Search query field. For example: screen.content="exit". The search returns all the sessions where exit was on the screen.
From the Safeguard Desktop Player application: Use this method to find the exact location of the search query within a specific audit trail.
Download the relevant audit trail, open it in the Safeguard Desktop Player application, and use the Search feature. You can also search in the contents of the audit trails for trails of graphical sessions created and indexed with One Identity Safeguard for Privileged Sessions (SPS) 6.0.
There are various ways you can refine your content query, you can:
use wildcards
use boolean expressions
search in the commands of terminal connections (for example, command:"sudo su")
search in the window titles of graphical connections (for example, title:settings)
The following sections provide examples for different search queries.
For examples of exact matches, see Searching for exact matches.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching with special characters, see Searching for special characters.
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
For examples of proximity search to find words that appear within a special distance, see Proximity search.
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
| Search expression | example |
| Matches | example |
| Does not match |
examples example.com query-by-example exam |
To search for an exact phrase, enclose the search keywords in double quotes.
| Search expression | "example command" |
| Matches | example command |
| Does not match |
example command example: command |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
| Search expression | keyword1 AND keyword2 |
| Matches | (returns hits that contain both keywords) |
| Search expression | keyword1 OR keyword2 |
| Matches | (returns hits that contain at least one of the keywords) |
| Search expression | "keyword1 keyword2" NOT "keyword2 keyword3" |
| Matches | (returns hits that contain the first phrase, but not the second) |
| Search expression | +keyword1 keyword2 |
| Matches | (returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Use parentheses to create more complex search expressions:
| Search expression | (keyword1 OR keyword2) AND keyword3 |
| Matches | (returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
You can use the ? and * wildcards in your search expressions.
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
| Search expression | example? |
| Matches |
example1 examples example? |
| Does not match |
example.com example12 query-by-example |
| Search expression | example?? |
| Matches |
example12 |
| Does not match |
example.com example1 query-by-example |
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
| Search expression | example* |
| Matches |
example examples example.com |
| Does not match |
query-by-example example* |
Wildcard characters can be combined.
| Search expression | ex?mple* |
| Matches |
example1 examples example.com exemple.com example12 |
| Does not match |
exmples query-by-example |
To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
To search for a special character, use a backslash (\).
| Search expression | example\? |
| Matches |
example? |
| Does not match |
examples example1 |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape the every slash with a backslash (\/).
| Search expression | \/var\/log\/messages |
| Matches |
/var/log/messages |
| Search expression | \(1\+1\)\:2 |
| Matches |
(1+1):2 |
For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search queries with other expressions and wildcards, for example, title:properties AND gateway.
| Search expression | command:"sudo su" |
| Matches |
sudo su as a terminal command |
| Does not match | sudo su in general screen content |
| Search expression | title:settings |
| Matches |
settings appearing in the title of an active window |
| Does not match | settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
| Search expression | properties AND NOT title:[* TO *] |
| Matches |
properties appearing in the screen content, but not as a window title. |
| Does not match | properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
| Search expression | title:properties AND gateway |
| Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
| Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
| Search expression | roam~ |
| Matches |
roams foam |
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
| Search expression | "keyword1 keyword2"~10 |
| Matches | (returns hits that contain keyword1 and keyword2 within 10 words from each other) |
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
| Search expression | keyword1^4 keyword2 |
| Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 4-times more relevant) |
| Search expression | "keyword1 keyword2"^5 "keyword3 keyword4" |
| Matches | (returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5-times more relevant) |
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
