Manage session logs

After an SSH session ends, the Advanced Server Access gateway encrypts and stores the session logs. You can use the Advanced Server Access client to export, decode, verify, and review the logs. Advanced Server Access relies on the client to verify that session logs haven't been tampered with by an attacker. Teams can manage session logs with the sft session-logs command. See Use the Advanced Server Access client.

Before you begin

  • Install and enroll the Advanced Server Access client. See Install the Advanced Server Access client.
  • Move the log files to a location accessible by the Advanced Server Access client.
  • Modify the read permissions so the client can access the session logs. On Linux, use the chmod command.

Review session logs

You can use the popular asciinema tool to replay exported session logs. While Okta doesn't maintain this program, teams can easily export session logs to a format readable by asciinema. The following commands are simple examples of how to review the session logs. For additional information, see the asciinema documentation.

  1. Open a terminal window and export a session log to asciinema format with the following command.
    sft session-logs export --format asciinema yourSessionLog.asa --output exportedSession.cast
  2. Replay the exported log with the following command.
    asciinema play exportedSession.cast
  3. Optional. Print the exported log to stdout with the following command.
    asciinema cat exportedSession.cast

Decode session logs

Use the following command to decode the raw Base64-encoded data. By default, decoding a log returns both incoming and outgoing characters.

sft session-logs export yourSessionLog.asa | jq -r '.frames[] | .logRequest.io.data' | base64 -d

For a cleaner output, use the following command to only decode outgoing characters:

sft session-logs export yourSessionLog.asa | jq -r '.frames[] | select (.logRequest.io.direction == "OUTGOING") | .logRequest.io.data' | base64 -d
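The following script is an added example, not part of the Okta documentation or tooling. It decodes an exported log frame by frame, splits the data by direction, skips frames without decodable I/O data, and escapes control characters so that terminal escape sequences recorded in the session are displayed rather than interpreted by the reviewer's terminal. It assumes the JSON layout implied by the jq filters above; the sample data and the "INCOMING" direction value are constructed.

```python
import base64
import json
import sys
from collections import defaultdict

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample, not real gateway output. Only the frames/logRequest/io
# keys and "OUTGOING" come from the page; "INCOMING" is an assumed value.
SAMPLE_EXPORT = {"frames": [
    {"logRequest": {"io": {"direction": "INCOMING", "data": _b64("ls\r")}}},
    {"logRequest": {"io": {"direction": "OUTGOING", "data": _b64("\x1b[31mtotal 0\r\n")}}},
    {"logRequest": {}},                                   # frame with no I/O payload
    {"logRequest": {"io": {"direction": "OUTGOING", "data": "!!not base64!!"}}},
]}

def decode_frames(export):
    """Return ({direction: bytes}, skipped_count) for an exported session log."""
    streams, skipped = defaultdict(bytearray), 0
    for frame in export.get("frames", []):
        io = (frame.get("logRequest") or {}).get("io") or {}
        data = io.get("data")
        try:
            if not isinstance(data, str):
                raise ValueError("no I/O data")  # jq -r would print "null" here
            raw = base64.b64decode(data, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            skipped += 1
            continue
        streams[io.get("direction", "UNKNOWN")] += raw
    return {k: bytes(v) for k, v in streams.items()}, skipped

def render_safe(raw):
    """Escape control characters (except newline and tab) so terminal escape
    sequences recorded in the session are displayed rather than interpreted."""
    text = raw.decode("utf-8", errors="replace")
    return "".join(c if c in "\n\t" or c.isprintable() else f"\\x{ord(c):02x}"
                   for c in text)

if __name__ == "__main__":
    # Optional argument: a file holding the output of `sft session-logs export`.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            export = json.load(fh)
    else:
        export = SAMPLE_EXPORT
    streams, skipped = decode_frames(export)
    for direction, raw in streams.items():
        print(f"--- {direction} ({len(raw)} bytes) ---\n{render_safe(raw)}")
    print(f"skipped {skipped} frame(s) without decodable I/O data", file=sys.stderr)
```

To run it against a real log, redirect the output of sft session-logs export yourSessionLog.asa to a file and pass that file as the first argument.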

Related topics

Session capture

Use the Advanced Server Access client