
One Identity Safeguard for Privileged Sessions 6.14 - Safeguard Desktop Player User Guide


Search query examples

The following sections provide examples for different search queries.

For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.

Searching for exact matches

By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example: Searching for exact matches

Search expression: example
Matches: example
Does not match: examples, example.com, query-by-example, exam

To search for an exact phrase, enclose the search keywords in double quotes.

Search expression: "example command"
Matches: example command
Does not match: example, command, example: command


Combining search keywords

You can use the boolean operators AND, OR, NOT, and + (required) to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,

Example: Combining keywords in search

Search expression: keyword1 AND keyword2
Matches: hits that contain both keywords

Search expression: keyword1 OR keyword2
Matches: hits that contain at least one of the keywords

Search expression: "keyword1 keyword2" NOT "keyword2 keyword3"
Matches: hits that contain the first phrase, but not the second

Search expression: +keyword1 keyword2
Matches: hits that contain keyword1, and may contain keyword2

To search for a word that would otherwise be interpreted as a boolean operator (for example, AND), enclose it in double quotes: "AND".

Example: Using parentheses in search

Use parentheses to create more complex search expressions:

Search expression: (keyword1 OR keyword2) AND keyword3
Matches: hits that contain either keyword1 and keyword3, or keyword2 and keyword3

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Example: Using wildcard ? in search

The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.

You cannot use a * or ? symbol as the first character of a search.

Search expression: example?
Matches: example1, examples, example?
Does not match: example.com, example12, query-by-example

Search expression: example??
Matches: example12
Does not match: example.com, example1, query-by-example

Example: Using wildcard * in search

The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.

Search expression: example*
Matches: example, examples, example.com
Does not match: query-by-example, example*

Example: Using combined wildcards in search

Wildcard characters can be combined.

Search expression: ex?mple*
Matches: example1, examples, example.com, exemple.com, example12
Does not match: exmples, query-by-example

Searching for special characters

To search for special characters, for example, the question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /

Example: Searching for special characters

To search for a special character, use a backslash (\).

Search expression: example\?
Matches: example?
Does not match: examples, example1

To search for a string that includes backslash characters, for example, a Windows path, use two backslashes (\\).

Search expression: C\:\\Windows
Matches: C:\Windows

To search for a string that includes a slash character, for example, a UNIX path, you must escape every slash with a backslash (\/).

Search expression: \/var\/log\/messages
Matches: /var/log/messages

Search expression: \(1\+1\)\:2
Matches: (1+1):2

Searching in commands and window titles

For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].

You can also combine these search queries with other expressions and wildcards, for example, title:properties AND gateway.

Example: Searching in commands and window titles

Search expression: command:"sudo su"
Matches: sudo su as a terminal command
Does not match: sudo su in general screen content

Search expression: title:settings
Matches: settings appearing in the title of an active window
Does not match: settings in general screen content

To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.

Search expression: properties AND NOT title:[* TO *]
Matches: properties appearing in the screen content, but not as a window title
Does not match: properties in window titles

You can also combine these search filters with other expressions and wildcards.

Search expression: title:properties AND gateway
Matches: a screen where properties appears in the window title, and gateway in the screen content (or as part of the window title)
Does not match: screens where both properties and gateway appear, but properties is not in the window title

Searching for fuzzy matches

Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.

Example: Searching for fuzzy matches

Search expression: roam~
Matches: roams, foam

Proximity search

Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.

Example: Proximity search

Search expression: "keyword1 keyword2"~10
Matches: hits that contain keyword1 and keyword2 within 10 words of each other

Adjusting the relevance of search terms

By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.

Example: Adjusting the relevance of search terms

Search expression: keyword1^4 keyword2
Matches: hits that contain keyword1 and keyword2, but keyword1 is 4 times more relevant

Search expression: "keyword1 keyword2"^5 "keyword3 keyword4"
Matches: hits that contain keyword1 keyword2 and keyword3 keyword4, but the phrase keyword1 keyword2 is 5 times more relevant
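The following helpers are an added example; they are not part of this guide or of the Safeguard Desktop Player. They build search expressions in the syntax described in the sections above: escaping of the listed special characters (Windows and UNIX paths included), quoting of words that would be read as boolean operators, exact and proximity phrases, the command: and title: prefixes, the title:[* TO *] exclusion, parenthesised AND, and ^ boosting. The function names are assumptions of this example; the query syntax they emit is the one the guide documents.

```python
# Added example, not code from the Safeguard Desktop Player guide or product.
# Builds SPS/Lucene-style search expressions so that user-supplied text is
# searched literally instead of being parsed as query syntax.
from typing import Optional

# Characters the guide lists as special; each must be prefixed with a backslash.
SPECIAL_CHARS = set('+-&|!(){}[]^"~*?:\\/')
BOOLEAN_OPERATORS = {"AND", "OR", "NOT"}


def escape_term(text: str) -> str:
    """Backslash-escape every special or whitespace character of a single term."""
    return "".join(
        "\\" + ch if (ch in SPECIAL_CHARS or ch.isspace()) else ch
        for ch in text
    )


def literal_term(word: str) -> str:
    """A keyword that must match literally; quoted if it spells an operator (e.g. AND)."""
    if word.upper() in BOOLEAN_OPERATORS:
        return f'"{word}"'
    return escape_term(word)


def phrase(words: str, proximity: Optional[int] = None) -> str:
    """Exact phrase in double quotes; with proximity, a "..."~N proximity search."""
    inner = words.replace("\\", "\\\\").replace('"', '\\"')  # keep the quotes balanced
    query = f'"{inner}"'
    if proximity is not None:
        if proximity < 0:
            raise ValueError("proximity must be non-negative")
        query += f"~{proximity}"
    return query


def in_field(field: str, expression: str) -> str:
    """Restrict an expression to the command: (terminal) or title: (graphical) field."""
    if field not in ("command", "title"):
        raise ValueError("only the command and title fields can be searched separately")
    return f"{field}:{expression}"


def screen_content_only(expression: str) -> str:
    """Match in screen content but drop hits that are window titles."""
    return f"{expression} AND NOT title:[* TO *]"


def boosted(expression: str, factor: int) -> str:
    """Raise the relevance of a term or phrase with the ^ operator."""
    return f"{expression}^{factor}"


def all_of(*expressions: str) -> str:
    """Combine sub-expressions so that every one must match (parenthesised AND)."""
    return "(" + " AND ".join(expressions) + ")"


if __name__ == "__main__":
    # Windows path, UNIX path and arithmetic expression from the guide's examples
    for sample in ("C:\\Windows", "/var/log/messages", "(1+1):2", "AND"):
        print(f"{sample!r:22} -> {literal_term(sample)}")
    print(in_field("command", phrase("sudo su")))
    print(screen_content_only("properties"))
    print(all_of(in_field("title", "properties"), "gateway"))
    print(boosted(phrase("keyword1 keyword2"), 5), phrase("keyword1 keyword2", 10))
```

Escaping is applied per term before any operator or prefix is added, so a value copied from a log line or a file path cannot turn into a wildcard, a field prefix or a range query.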

Export the audit trail as video

The following describes how to export an audit trail as a video file (optionally including the accompanying subtitles). Note that you must open the audit trail in order to export it.

Prerequisites:

The exported files use the WEBM format with the VP8 codec. You can replay WebM videos in most modern browsers, and several media player applications. For details, see the Playing WebM Video page. Note that for Internet Explorer, you must install an add-on.

To export an audit trail as a video file

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replay encrypted audit trails.

  2. Click EXPORT > Export video.

  3. If the audit trail contains multiple channels that can be replayed, select which channels you want to export.

  4. To export the subtitles listing the user events that occurred in the session (window titles that appeared on the screen, commands executed, mouse activity, and keystrokes), select the Subtitle checkbox.

  5. Click , and select the directory where you want to save the video file.

  6. Click EXPORT.

Exporting the sound from an audit trail

You can enable auditing the sound that is transferred between an RDP client and the server. Using the Export audio option of Safeguard Desktop Player, you can export the input sound (the one that comes from the audited user) and the output sound (the one that is received by the audited user) into .wav files.

Prerequisites:

In SPS, using the Channel Policies settings of the RDP Control option, select the Record audit trail checkbox for the Sound and the Dynamic virtual channel in the policy that you want to use for sound auditing.

For more information, see Configuring SPS to enable exporting sound from audit trails in the SPS Administration Guide.

To export the sound from an audit trail

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replay encrypted audit trails.

  2. Click EXPORT > Export audio....

  3. In the Select folder window, navigate to the folder where you want to save the exported sound files of the audit trail.

The displayed dialog shows the exported files with their paths. On clicking the paths, the destination folders open. The dialog also lists the errors that occurred during the export. The sound files are saved in the following format:

  • <timestamp>_input.wav

  • <timestamp>_output.wav

Sharing an encrypted audit trail

The following describes how to share an encrypted audit trail with a third party. Note that you must open the audit trail in order to export it. You have two options:

  • Export the audit trail as a video file (see Export the audit trail as video).

  • If you want the third party to be able to replay the audit trail with the Safeguard Desktop Player, complete the following steps. Currently you can do this only using the command line.

Prerequisites:

This procedure involves encrypting the audit trail with an encryption key that you can share with the third party. Encrypting audit trails requires an X.509 certificate in PEM format that uses an RSA key.

You will also need the audit trail file that you want to share, and the encryption key(s) required to replay it. You cannot use this procedure to encrypt an audit trail that is not already encrypted.

NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

TIP: One Identity recommends using 2048-bit RSA keys (or stronger).

To share an encrypted audit trail with a third party

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

  1. Specify the audit trail to process, its decryption key, the new audit trail file, and the new encryption key.

    Windows: adp.exe --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>

    Linux or MacOS: ./adp --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>

    If the audit trail is encrypted with multiple keys, repeat the --key <keyfile.pem:passphrase> option. Include the colon (:) character even if the key is not password-protected. Note that the passphrase is passed on the command line, so it is visible in your shell history and in the process list while adp runs. For example:

    ./adp --task rekey --file /tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat --key /tmp/indexer-certificate-key.pem: --out /tmp/shared-ssh.zat --new-cert /tmp/new-encryption-certificate.pem
  2. Open the output file in the Safeguard Desktop Player and import the private key of the certificate you used to re-encrypt the audit trail. Verify that you can replay the audit trail. If it works as expected, you can share the re-encrypted audit trail file and the private key with the third party, who can then replay the audit trail using the Safeguard Desktop Player. Use a key pair generated specifically for this purpose: whoever holds that private key can decrypt every audit trail re-encrypted with the same certificate, so do not reuse the keys that protect your other audit trails.
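The command line in step 1 is easy to get wrong when several --key options are needed or when paths contain spaces. The following Python script is an added example; it is not part of this guide or of the Safeguard Desktop Player. It assembles the adp rekey argument list from a list of (keyfile, passphrase) pairs, keeping the trailing colon for keys without a passphrase, refuses to overwrite the source file, and runs adp without a shell. The function names, the validation checks and the redaction helper are assumptions of this example; the adp options are the ones shown in step 1.

```python
# Added example, not code from the Safeguard Desktop Player guide or product.
# Assembles and runs `adp --task rekey` for sharing an encrypted audit trail.
import os
import platform
import subprocess
from typing import List, Sequence, Tuple


def adp_executable(install_dir: str) -> str:
    """Path of the player's command-line tool inside its installation directory."""
    name = "adp.exe" if platform.system() == "Windows" else "adp"
    return os.path.join(install_dir, name)


def rekey_argv(adp: str, trail: str, keys: Sequence[Tuple[str, str]],
               out: str, new_cert: str) -> List[str]:
    """Argument list for `adp --task rekey`, one --key option per decryption key.

    keys holds (keyfile.pem, passphrase) pairs. The passphrase may be "", in which
    case the trailing colon is still emitted, as the guide requires.
    """
    if not keys:
        raise ValueError("at least one --key is required to open the source audit trail")
    if not trail.endswith(".zat"):
        raise ValueError(f"not an audit trail file: {trail}")
    if os.path.abspath(trail) == os.path.abspath(out):
        raise ValueError("--out must differ from --file; never overwrite the original")
    argv = [adp, "--task", "rekey", "--file", trail]
    for keyfile, passphrase in keys:
        argv += ["--key", f"{keyfile}:{passphrase}"]
    argv += ["--out", out, "--new-cert", new_cert]
    return argv


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv with key passphrases masked, safe to log or print."""
    masked = list(argv)
    for i, item in enumerate(masked):
        if i > 0 and masked[i - 1] == "--key":
            # rpartition: a Windows drive letter (C:\...) also contains a colon
            keyfile, _, passphrase = item.rpartition(":")
            masked[i] = f"{keyfile}:{'***' if passphrase else ''}"
    return masked


def run_rekey(argv: List[str]) -> int:
    """Execute adp without a shell, so paths containing spaces need no quoting.

    The passphrases stay visible in the process list while adp runs; the
    command-line format described in the guide offers no alternative.
    """
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    adp = adp_executable(os.path.expanduser("~/SafeguardDesktopPlayer"))  # Linux default
    cmd = rekey_argv(
        adp,
        "/tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat",
        [("/tmp/indexer-certificate-key.pem", "")],
        "/tmp/shared-ssh.zat",
        "/tmp/new-encryption-certificate.pem",
    )
    print(" ".join(redacted(cmd)))
    # run_rekey(cmd)  # uncomment on a machine with the player installed
```

Generate the certificate passed as --new-cert from a fresh key pair that is used for nothing else, for example with openssl req -x509 -newkey rsa:2048 -nodes -keyout new-encryption-key.pem -out new-encryption-certificate.pem, and hand only that private key to the third party.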
