To increase the log level of the non-connection-related events, for example, to add the commands executed by the One Identity Safeguard for Privileged Sessions (SPS) web interface to the logs, enable debug level logging at Basic Settings > Management > Verbose system logs > Enable.
These logs are accessible at /var/log/scb-<day>.
Our Support Team uses this to investigate the reasons behind a web user interface-related issue.
Logs generated by the SPS web interface.
System daemon logs.
Logs of periodic cron jobs.
The connection logs contain all connection-related information of the past week, one file per day. A file contains all logs for all connections for a single day.
The logging level of One Identity Safeguard for Privileged Sessions (SPS) can be set separately for every protocol. To change the verbosity level of SPS, navigate to <Protocol name> Control > Global Options.
These logs are accessible at /var/log/zorp-<protocol-name>-<day>.
The verbosity level ranges from 1 (no logging) to 10 (extremely detailed), with level 4 being the default normal level. To debug complex problems, you might have to increase the verbosity level to 7. A higher level is needed only in extreme cases.
Caution: High verbosity levels generate a very large amount of log messages and might result in a very high load on the machine. For log levels 8-10, the logs contain highly sensitive data for all connections, as well as passwords and private keys in plain text format.
Our Support Team uses this to investigate the reasons behind a failed connection.
Connection success/failure events
Other connection-related events
One Identity Safeguard for Privileged Sessions (SPS) automatically generates core dump files if an important software component (for example, Zorp) of the system crashes for some reason. These core dump files can be of great help to the One Identity Support Team to identify problems. When a core dump file is generated, the SPS administrator receives an alerting e-mail, and an SNMP trap is generated if alerting is properly configured (for details, see Configuring system monitoring on SPS and System logging, SNMP and e-mail alerts).
To list and download the generated core dump files, navigate to Basic Settings > Troubleshooting > Core files.
For details on core dump files, see: Gathering data about system problems.
The One Identity Support Team uses this to investigate the reasons behind a system crash.
The recorded state of the working memory of a computer program at a specific time, generally when the program has crashed or otherwise terminated abnormally.
In certain special scenarios, One Identity Safeguard for Privileged Sessions (SPS) may examine and audit network traffic with some limitations, depending on the configuration.
In the first scenario, your organization uses jump hosts to access remote servers or services. In this case, SPS ignores the connection between the target server and the remote server, as it does not go through SPS.
Figure 13: Connection to a remote server through a jump host
In the next scenario, a file operation is performed going from the target server to the client (for example, copying a file using SCP). In this case, the direction of the connection is switched, as compared to the initial client-to-server direction.
Figure 14: File operation in the "reverse" direction
In these scenarios, SPS may not:
Restrict channels allowed in the connection.
Audit file operations.
If you search for the audit files of these connections, no results are returned on the Search page.
Allow authentication on the remote server if the user authenticates to the target server using a Credential Store.
If you want all connections in these scenarios to be audited, make sure that you add a connection policy for:
The connection between the target server and any remote servers.
The connection going from the target server to the client.