Chat now with support
Chat with Support

One Identity Safeguard for Privileged Sessions 5.9.0 - Administration Guide

Preface Introduction The concepts of SPS The Welcome Wizard and the first login Basic settings User management and access control Managing SPS
Controlling SPS: reboot, shutdown Managing Safeguard for Privileged Sessions clusters Managing a high availability SPS cluster Upgrading SPS Managing the SPS license Accessing the SPS console Sealed mode Out-of-band management of SPS Managing the certificates used on SPS
General connection settings HTTP-specific settings ICA-specific settings RDP-specific settings SSH-specific settings Telnet-specific settings VMware Horizon View connections VNC-specific settings Indexing audit trails Using the Search (classic) interface Using the Search interface Searching session data on a central node in a cluster Advanced authentication and authorization techniques Reports The SPS RPC API The SPS REST API SPS scenarios Troubleshooting SPS Configuring external devices Using SCP with agent-forwarding Security checklist for configuring SPS Jumplists for in-product help Third-party contributions About us

Creating report subchapters from search queries

NOTE:

Creating report subchapters from search queries is currently an experimental feature of Safeguard for Privileged Sessions, therefore One Identity recommends that only administrators use this feature and only at their own risk.

You can turn any search query or statistics into a subchapter to add to your reports. This is an easy and flexible way of creating reports to monitor traffic, track certain parameters, or get alerted about particular events. The Search interface allows you to:

Creating search-based report subchapters from search results

NOTE:

Creating report subchapters from search queries is currently an experimental feature of Safeguard for Privileged Sessions, therefore One Identity recommends that only administrators use this feature and only at their own risk.

Purpose:

To create a search-based report subchapter from search results, complete the following steps.

Steps:
  1. Navigate to Search > Search, and perform a query of your choice.
  2. Click Search. Search results are displayed.
  3. Click . The Create reporting subchapter page is displayed, with the query field populated with your query.

  4. In the name field, add a name to your report.
  5. In Report type, select the type that fits your query. You can choose from the following types:
    • Sessions list: Displays a list of sessions.

      Set the number of sessions to show in the report as required.

    • Statistics: Visualizes the distribution of sessions based on the selected metadata.

      Select a Statistic presentation for your report, such as Pie chart, List, Bar chart. Select the field (the metadata) to create your statistics on.

    • Timeline: Visualizes the distribution of sessions within a day/week/month, depending on the time range chosen for the report under Reporting > Configuration > Generate this report every > Day/Week/Month.
  6. Click Save.
  7. Click . Alternatively, navigate to Reporting > Configuration.
  8. Configure a custom report from scratch, or add the subchapter to an existing report. For details, see Configuring custom reports.

    When adding the subchapter you created, look for it under Search-based subchapters.

Creating search-based report subchapters from scratch

NOTE:

Creating report subchapters from search queries is currently an experimental feature of Safeguard for Privileged Sessions, therefore One Identity recommends that only administrators use this feature and only at their own risk.

Purpose:

To create a search-based report subchapter from scratch, complete the following steps.

Steps:
  1. Navigate to Search > Search.
  2. Click Reporting.
  3. Click . The Create reporting subchapter page is displayed.

  4. In the name field, add a name to your report.
  5. In the query field, type the query that you want to create a report from.
  6. In Report type, select the type that fits your query. You can choose from the following types:
    • Sessions list: Displays a list of sessions.

      Set the number of sessions to show in the report as required.

    • Statistics: Visualizes the distribution of sessions based on the selected metadata.

      Select a Statistic presentation for your report, such as Pie chart, List, Bar chart. Select the field (the metadata) to create your statistics on.

    • Timeline: Visualizes the distribution of sessions within a day/week/month, depending on the time range chosen for the report under Reporting > Configuration > Generate this report every > Day/Week/Month.
  7. Click Save.
  8. Click . Alternatively, navigate to Reporting > Configuration.
  9. Configure a custom report from scratch, or add the subchapter to an existing report. For details, see Configuring custom reports.

    When adding the subchapter you created, look for it under Search-based subchapters.

Searching session data on a central node in a cluster

NOTE:

Central search is currently an experimental feature of Safeguard for Privileged Sessions.

The central search functionality is available when your deployment consists of two or more instances of Safeguard for Privileged Sessions organized into a cluster. When you have a cluster of nodes set up, you have the possibility to search all session data recorded by all nodes in the cluster on a single node. This is achieved by assigning roles to the individual nodes in your cluster: you can set up one of your Safeguard for Privileged Sessions nodes to be the Search Master and the rest of the nodes to be Search Minions. Search Minions send session data that they record to the Search Master, and the Search Master acts as a central search node.

To set up your environment for central searching, complete the following steps:

  1. Enable cluster management on the nodes that you want to be part of your cluster.
  2. Build a cluster.
  3. Assign roles to nodes in your cluster.

    Familiarize yourself with the available search roles before assigning them to nodes. For details, see Cluster roles.

Once you have your cluster set up and the appropriate roles assigned, you can start searching session data using the Search interface.

NOTE:

Central search is not available on the Search (classic) interface.

Limitations of the central search functionality

Currently, the central search functionality comes with a number of limitations:

  • It is not possible to assign the Search privilege to a user in a way that they can only access audit trails for connections for which they have been granted permission. Assigning the Search privilege to a user on the AAA > Access Control page automatically enables the Search in all connections privilege, and grants the user access to every audit trail, even if the user is not a member of the groups listed in the Access Control option of the particular connection policy.
  • Session data recorded by a node before it was joined to the cluster will not be searchable centrally. Only session data recorded after the node has been joined to the cluster is available for central search.
  • Content search is not available, that is, it is not possible to search in the contents of audit trails, only in session metadata.
  • User behavior analysis provided by One Identity Safeguard for Privileged Analytics is not available.
  • It is not possible to replay audit trail files in your browser from the Search Master node.
  • When near real-time indexing is configured on a Search Minion node, while session data from active connections is visible on the Search interface of the Search Master node, it is not possible to:
    • export the audit trail of an active connection,
    • follow an active connection, and
    • terminate an active connection.

    Note, however, that you can terminate the active, ongoing connection on the Search Minion node that is recording the connection in question.

  • A reliable, high-bandwidth connection is required between the nodes. Small loss of connection is handled well but if the connection between the Search Minions and the Search Master is lost for a longer period of time, the Search Minions will stop accepting new connections until the connection is repaired. Data is automatically pushed to the Search Master after the connection is repaired.

NOTE:

Search Minion nodes do not send the files storing the audit trails to the Search Master node. When a user clicks , the Search Master node streams the trail files to the user from the original Search Minion node that recorded the sessions. If a Search Minion node does not have a backup policy set up and an error occurs that causes data loss, then session data recorded by that node will not be available.

Related Documents