Manage session logs
After an SSH or RDP session ends, the Advanced Server Access gateway encrypts and stores the session logs. You can use the Advanced Server Access client to export, decode, verify, and review the logs. Advanced Server Access uses the client to verify that an attacker hasn't tampered with the session logs. Teams can manage session logs with the sft session-logs command. See Use the Advanced Server Access client.
- Install and enroll the Advanced Server Access client. See Install the Advanced Server Access client.
- Move the log files to a location accessible by the Advanced Server Access client.
- Modify the read permissions so the client can access the session logs. On Linux, use the chmod command.
- To review RDP session logs, you must install the RDP Session transcoder.
Review SSH session logs
You can use the popular asciinema tool to replay exported session logs. While Okta doesn't maintain this program, teams can easily export session logs to a format readable by asciinema. The following commands are simple examples of how to review the session logs. For additional information, see the asciinema documentation.
- Open a terminal window and export a session log to asciinema format with the following command.
sft session-logs export --format asciinema yourSessionLog.asa --output exportedSession.cast
- Replay the exported log with the following command.
asciinema play exportedSession.cast
- Optional. Print the exported log to stdout with the following command.
asciinema cat exportedSession.cast
Review RDP session logs
After an RDP session is recorded and stored on the Advanced Server Access gateway, the binary .asa format can be transcoded to .mkv video format.
- Open a terminal window and export a session log to .mkv video format with the following command. To use more advanced syntax, see Use the Advanced Server Access client.
sft session-logs export /path/source-file.asa --format mkv --output /path
- Go to the location where the .mkv file is exported and use a GUI video player to replay the recording.
Decode session logs
Use the following command to decode the raw Base64-encoded data. By default, decoding a log returns both incoming and outgoing characters.
sft session-logs export yourSessionLog.asa | jq -r '.frames[] | .logRequest.io.data' | base64 -d
For cleaner output, use the following command to decode only outgoing characters:
sft session-logs export yourSessionLog.asa | jq -r '.frames[] | select(.logRequest.io.direction == "OUTGOING") | .logRequest.io.data' | base64 -d
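The same decoding as a reviewable script, added here as an example and not part of Okta's documentation or tooling: it decodes each frame separately, splits the streams by direction, and strips terminal control sequences so the text is readable in a report. It assumes the exported JSON has a frames array whose entries carry logRequest.io.data and logRequest.io.direction, as the jq filters above imply; the INCOMING value and the sample log are constructed.

```python
import base64
import json
import re
from collections import defaultdict

# CSI sequences (colours, cursor moves) and OSC sequences (window titles).
ANSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)")


def decode_frames(exported_json, strip_ansi=True):
    """Return {direction: decoded bytes} for the I/O frames of an exported log."""
    doc = json.loads(exported_json)
    streams = defaultdict(bytearray)
    for frame in doc.get("frames", []):
        io = (frame.get("logRequest") or {}).get("io")
        if not io or "data" not in io:
            continue  # frame carries no terminal I/O
        # Decode frame by frame so per-frame Base64 padding cannot corrupt
        # the stream; validate=True rejects non-Base64 characters outright.
        chunk = base64.b64decode(io["data"], validate=True)
        streams[io.get("direction", "UNKNOWN")] += chunk
    result = {}
    for direction, data in streams.items():
        raw = bytes(data)
        result[direction] = ANSI_RE.sub(b"", raw) if strip_ansi else raw
    return result


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


# Constructed sample in the assumed export layout (not a real session log).
# "INCOMING" is an assumed direction value; only "OUTGOING" appears on the page.
SAMPLE = json.dumps({"frames": [
    {"logRequest": {"io": {"direction": "OUTGOING", "data": _b64(b"\x1b[32m$ \x1b[0m")}}},
    {"logRequest": {"io": {"direction": "INCOMING", "data": _b64(b"id\r")}}},
    {"logRequest": {"io": {"direction": "OUTGOING", "data": _b64(b"id\r\nuid=1000(dev)\r\n")}}},
    {"logRequest": {"other": {}}},
]})

if __name__ == "__main__":
    for direction, text in decode_frames(SAMPLE).items():
        print(f"--- {direction} ---")
        print(text.decode("utf-8", errors="replace"))
```

To run it on a real log, pass the output of sft session-logs export yourSessionLog.asa to decode_frames in place of SAMPLE.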