One Identity Safeguard for Privileged Sessions 6.0.1 - Safeguard Desktop Player User Guide

Export transferred files from SCP, SFTP, and HTTP audit trail using the command line

The following describes how to export the files that the user transferred in an SCP, SFTP, or HTTP session using the command line.

To export the files that the user transferred in an SCP, SFTP, or HTTP session using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

  1. List the channels in the audit trail, and find the one you want to extract files from. Note down the ID number of this channel as it will be required later on (it is 3 in the following example).

    Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

    Example output:

    Channel information : ssh-session-exec-scp:3

  2. Export the files from the audit trail. Use the ID number of the channel from the previous step.

    Windows: adp.exe --task channel-info --file <path\to\audit-trail.zat> --export-files <folder\to\save\files\>

    Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat> --export-files <folder/to/save/files/>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.

Export raw network traffic in PCAP format

You can choose to "convert" audit trails to packet capture (PCAP) format, which is a common file format for storing network traffic.

Export raw network traffic in PCAP format using the command line

The following describes how to export raw network traffic in PCAP format using the command line.

To export raw network traffic in PCAP format using the command line

Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.

  1. List the channels in the audit trail, and find the one(s) you want to export. Note down the ID number of the channel(s) as it will be required later on (it is 3 in the following example).

    Windows: adp.exe --task channel-info --file <path/to/audit-trail.zat>

    Linux or MacOS: ./adp --task channel-info --file <path/to/audit-trail.zat>

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

    Example output:

    Channel information : ssh-session-exec-scp:3

  2. Export the channel(s) from the audit trail. Use the ID number(s) of the channel(s) from the previous step.

    Windows: adp.exe -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    Linux or MacOS: ./adp -f <path/to/audit-trail.zat> -c <channel id> -t indexer --export-pcap output.pcap

    If the audit trail is encrypted, use the --key <keyfile.pem:passphrase> option. Repeat the option if the audit trail is encrypted with multiple keys. Include the colon (:) character even if the key is not password-protected.

  3. Check the output directory for the exported files.
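
The two command-line steps above can be scripted for Linux or MacOS. This is an added example, not part of the One Identity guide: the function names and the channel-<id>.pcap file naming are hypothetical, and it assumes channel-info prints one "Channel information : <type>:<id>" line per channel, as in the example output.

```shell
#!/bin/sh
# Added example (not from the guide): export every channel of one audit trail
# to its own PCAP file with the adp commands shown above.
# Assumption: channel-info prints one "Channel information : <type>:<id>"
# line per channel, as in the guide's single-line example output.

ADP="${ADP:-./adp}"   # run from the installation directory, or set ADP

# Read channel-info output on stdin, print the numeric channel IDs.
channel_ids() {
    sed -n 's/^[[:space:]]*Channel information[[:space:]]*:.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p'
}

# Normalize a key to <keyfile.pem:passphrase>; the colon is mandatory even
# for a key without a passphrase.
key_spec() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '%s:\n' "$1" ;;
    esac
}

# export_pcaps <audit-trail.zat> <output-dir> [keyfile[:passphrase] ...]
# The body runs in a subshell so umask and exit stay local to the call.
export_pcaps() (
    trail=$1; outdir=$2; shift 2
    # Turn each remaining argument into a repeated "--key <spec>" option.
    for k in "$@"; do
        set -- "$@" --key "$(key_spec "$k")"
        shift
    done
    umask 077   # exported captures contain recorded session traffic
    mkdir -p "$outdir" || exit 1
    ids=$("$ADP" --task channel-info --file "$trail" "$@" | channel_ids)
    [ -n "$ids" ] || { echo "no channels found in $trail" >&2; exit 1; }
    for id in $ids; do
        "$ADP" -f "$trail" -c "$id" -t indexer "$@" \
            --export-pcap "$outdir/channel-$id.pcap" </dev/null || exit 1
    done
)
```

A passphrase given in a key argument is visible in the local process list while adp runs, so run the export on a single-user analysis host.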

Export raw network traffic in PCAP format using the GUI

The following describes how to export the channels stored in the audit trail using the GUI.

To export the channels stored in the audit trail using the GUI

  1. Open the audit trail in the Safeguard Desktop Player application.

    If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replay encrypted audit trails.

  2. Click EXPORT > Export pcap.

    A Select folder dialog box pops up.

  3. Select the directory where you want to save the file(s). Click Choose.

    Once the export process has completed, a FILES dialog box pops up, indicating the number of files exported in brackets and listing the files that have been exported.

    Files have a number in their names, used for identifying the channels.
