Search query examples
The following sections provide examples for different search queries.
-
For examples of exact matches, see Searching for exact matches.
-
For examples of using boolean operators to combine search keywords, see Combining search keywords.
-
For examples of wildcard searches, see Using wildcard searches.
-
For examples of searching with special characters, see Searching for special characters.
-
For examples of fuzzy search that finds words with similar spelling, see Searching for fuzzy matches.
-
For examples of proximity search to find words that appear within a special distance, see Proximity search.
-
For examples of adjusting the relevance of a search term, see Adjusting the relevance of search terms.
For details on how to use more complex keyphrases that are not covered in this guide, see the Apache Lucene documentation.
Searching for exact matches
By default, One Identity Safeguard for Privileged Sessions (SPS) searches for keywords as whole words and returns only exact matches. Note that if your search keywords include special characters, you must escape them with a backslash (\) character. For details on special characters, see Searching for special characters. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for exact matches
| Search expression | example |
| Matches | example |
| Does not match |
examples example.com query-by-example exam |
To search for an exact phrase, enclose the search keywords in double quotes.
| Search expression | "example command" |
| Matches | example command |
| Does not match |
example command example: command |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
Combining search keywords
You can use boolean operators – AND, OR, NOT, and + (required), – to combine search keywords. More complex search expressions can also be constructed with parentheses. If you enter multiple keywords,
Example: Combining keywords in search
| Search expression | keyword1 AND keyword2 |
| Matches | (returns hits that contain both keywords) |
| Search expression | keyword1 OR keyword2 |
| Matches | (returns hits that contain at least one of the keywords) |
| Search expression | "keyword1 keyword2" NOT "keyword2 keyword3" |
| Matches | (returns hits that contain the first phrase, but not the second) |
| Search expression | +keyword1 keyword2 |
| Matches | (returns hits that contain keyword1, and may contain keyword2) |
To search for expressions that can be interpreted as boolean operators (for example: AND), use the following format: "AND".
Example: Using parentheses in search
Use parentheses to create more complex search expressions:
| Search expression | (keyword1 OR keyword2) AND keyword3 |
| Matches | (returns hits that contain either keyword1 and keyword3, or keyword2 and keyword3) |
Using wildcard searches
You can use the ? and * wildcards in your search expressions.
Example: Using wildcard ? in search
The ? (question mark) wildcard means exactly one arbitrary character. Note that it does not work for finding non-UTF-8 or multibyte characters. If you want to search for these characters, the expression ?? might work, or you can use the * wildcard instead.
You cannot use a * or ? symbol as the first character of a search.
| Search expression | example? |
| Matches |
example1 examples example? |
| Does not match |
example.com example12 query-by-example |
| Search expression | example?? |
| Matches |
example12 |
| Does not match |
example.com example1 query-by-example |
Example: Using wildcard * in search
The * wildcard means 0 or more arbitrary characters. It finds non-UTF-8 and multibyte characters as well.
| Search expression | example* |
| Matches |
example examples example.com |
| Does not match |
query-by-example example* |
Example: Using combined wildcards in search
Wildcard characters can be combined.
| Search expression | ex?mple* |
| Matches |
example1 examples example.com exemple.com example12 |
| Does not match |
exmples query-by-example |
Searching for special characters
To search for the special characters, for example, question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as character to be searched for. The following characters are special characters: + - & | ! ( ) { } [ ] ^ " ~ * ? : \ /
Example: Searching for special characters
To search for a special character, use a backslash (\).
| Search expression | example\? |
| Matches |
example? |
| Does not match |
examples example1 |
To search for a string that includes a backslash characters, for example, a Windows path, use two backslashes (\\).
| Search expression | C\:\\Windows |
| Matches |
C:\Windows |
To search for a string that includes a slash character, for example, a UNIX path, you must escape the every slash with a backslash (\/).
| Search expression | \/var\/log\/messages |
| Matches |
/var/log/messages |
| Search expression | \(1\+1\)\:2 |
| Matches |
(1+1):2 |
Searching in commands and window titles
For terminal connections, use the command: prefix to search only in the commands (excluding screen content). For graphical connections, use the title: prefix to search only in the window titles (excluding screen content). To exclude search results that are commands or window titles, use the following format: keyword AND NOT title:[* TO *].
You can also combine these search queries with other expressions and wildcards, for example, title:properties AND gateway.
Example: Searching in commands and window titles
| Search expression | command:"sudo su" |
| Matches |
sudo su as a terminal command |
| Does not match | sudo su in general screen content |
| Search expression | title:settings |
| Matches |
settings appearing in the title of an active window |
| Does not match | settings in general screen content |
To find an expression in the screen content and exclude search results from the commands or window titles, see the following example.
| Search expression | properties AND NOT title:[* TO *] |
| Matches |
properties appearing in the screen content, but not as a window title. |
| Does not match | properties in window titles. |
You can also combine these search filters with other expressions and wildcards.
| Search expression | title:properties AND gateway |
| Matches |
A screen where properties appears in the window title, and gateway in the screen content (or as part of the window title). |
| Does not match |
Screens where both properties and gateway appear, but properties is not in the window title. |
Searching for fuzzy matches
Fuzzy search uses the tilde ~ symbol at the end of a single keyword to find hits that contain words with similar spelling to the keyword.
Example: Searching for fuzzy matches
| Search expression | roam~ |
| Matches |
roams foam |
Proximity search
Proximity search uses the tilde ~ symbol at the end of a phrase to find keywords from the phrase that are within the specified distance from each other.
Example: Proximity search
| Search expression | "keyword1 keyword2"~10 |
| Matches | (returns hits that contain keyword1 and keyword2 within 10 words from each other) |
Adjusting the relevance of search terms
By default, every keyword or phrase of a search expression is treated as equal. Use the caret ^ symbol to make a keyword or expression more important than the others.
Example: Adjusting the relevance of search terms
| Search expression | keyword1^4 keyword2 |
| Matches | (returns hits that contain keyword1 and keyword2, but keyword1 is 4-times more relevant) |
| Search expression | "keyword1 keyword2"^5 "keyword3 keyword4" |
| Matches | (returns hits that contain keyword1 keyword2 and keyword3 keyword4, but keyword1 keyword2 is 5-times more relevant) |
Export the audit trail as video
The following describes how to export an audit trail as a video file (optionally including the accompanying subtitles). Note that you must open the audit trail in order to export it.
Prerequisites:
The exported files use the WEBM format with the VP8 codec. You can replay WebM videos in most modern browsers, and several media player applications. For details, see the Playing WebM Video page. Note that for Internet Explorer, you must install an add-on.
To export an audit trail as a video file
-
Open the audit trail in the Safeguard Desktop Player application.
If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replay encrypted audit trails.
-
Click EXPORT > Export video.
-
If the audit trail contains multiple channels that can be replayed, select which channels you want to export.
-
To export the subtitles listing the user events that occurred in the session (window titles that appeared on the screen, commands executed, mouse activity, and keystrokes), select the Subtitle checkbox.
-
Click
, and select the directory where you want to save the video file.
-
Click EXPORT.
Sharing an encrypted audit trail
The following describes how to share an encrypted audit trail with a third party. Note that you must open the audit trail in order to export it.
-
If you want the third party to be able to replay the audit trail with the Safeguard Desktop Player, complete the following steps. Currently you can do this only using the command line.
Prerequisites:
This procedure involves encrypting the audit trail with an encryption key that you can share with the third party. Encrypting audit trails requires an X.509 certificate in PEM format that uses an RSA key.
You will also need the audit trail file that you want to share, and the encryption key(s) required to replay it. You cannot use this procedure to encrypt an audit trail that is not already encrypted.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
One Identity recommends using 2048-bit RSA keys (or stronger).
To share an encrypted audit trail with a third party
Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on MacOS.
-
Specify the audit trail to process, its decryption key, the new audit trail file, and the new encryption key.
Windows: adp.exe --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
Linux or MacOS: ./adp --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
If the audit trail is encrypted with multiple keys, repeat the --key <keyfile.pem:passphrase> option. Include the colon (:) character even if the key is not password-protected. For example:
./adp --task rekey --file /tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat --key /tmp/indexer-certificate-key.pem: --out /tmp/shared-ssh.zat --new-cert /tmp/new-encryption-certificate.pem
-
Open the output file in the Safeguard Desktop Player and import the private key of the certificate you used to re-encrypt the audit trail. Verify that you can replay the audit trail. If it is working as expected, you can share the re-encrypted audit trail file and the private key with third parties, they will be able to replay the audit trail using the SPS application.
Replay X11 sessions
The Safeguard Desktop Player application can replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). You can replay X11 sessions similarly to other audit trails, but note the following points.
-
X11 sessions can contain several different X11 channels. For example, some applications open a separate channel for every window they display. The Safeguard Desktop Player application automatically merges these channels into a single channel, to make reviewing the sessions easier. Since these audit trails can contain SSH terminal channels as well, you can choose between replaying the SSH sessions and the X11 session in the CHANNELS > X11 section of the audit trail data.
-
If you need the list of X11 channels that the audit trail contains, they are listed in CHANNELS > X11 > channel_ids section of the audit trail data.
-
The Safeguard Desktop Player stores the fonts used to display the texts in the audit trail in the <desktop-player-installation-folder>/fonts folder.
