Manage session logs

After an SSH or RDP session ends, the Advanced Server Access gateway encrypts and stores the session logs. You can use the Advanced Server Access client to export, decode, verify, and review the logs. Advanced Server Access uses the client to ensure session logs aren't tampered with by an attacker. Teams can manage session logs with the sft session-logs command. See Use the Advanced Server Access client.

Before you begin

Review SSH session logs

You can use the popular asciinema tool to replay exported session logs. While Okta doesn't maintain this program, teams can easily export session logs to a format readable by asciinema. The following commands are simple examples of how to review the session logs. For additional information, see the asciinema documentation.

  1. Open a terminal window and export a session log to asciinema format with the following command.

    sft session-logs export --format asciinema yourSessionLog.asa --output exportedSession.cast

  2. Replay the exported log with the following command.

    asciinema play exportedSession.cast

  3. Optional. Print the exported log to stdout with the following command.

    asciinema cat exportedSession.cast

Review RDP session logs

After an RDP session is recorded and stored on the Advanced Server Access gateway, the binary .asa format can be transcoded to .mkv video format.

  1. Open a terminal window and export a session log to .mkv video format with the following command. To use more advanced syntax, see Use the Advanced Server Access client.

    sft session-logs export /path/source-file.asa --format mkv --output /path

  2. Go to the location where the .mkv file is exported and use a GUI video player to replay the recording.

Decode session logs

Use the following command to decode the raw Base64-encoded data. By default, decoding a log returns both incoming and outgoing characters.

    sft session-logs export yourSessionLog.asa | jq -r '.frames[] | .logRequest.io.data' | base64 -d

For a cleaner output, use the following command to only decode outgoing characters:

    sft session-logs export yourSessionLog.asa | jq -r '.frames[] | select (.logRequest.io.direction == "OUTGOING") | .logRequest.io.data' | base64 -d
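The same decoding done frame by frame in Python, as an added example that is not part of Okta's documentation or tooling: it reads the JSON that sft session-logs export writes to stdout, separates the streams by direction, and strips ANSI escape sequences so the text can be searched during review. The sample export is constructed; only the field names come from the commands above, and the "INCOMING" value and the frame without an io object are assumptions.

```python
import base64
import json
import re
from collections import defaultdict


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample. Field names (frames, logRequest.io.direction,
# logRequest.io.data) come from the jq filters on this page; the "INCOMING"
# value and the frame with no io object are assumptions for illustration.
SAMPLE_EXPORT = json.dumps({"frames": [
    {"logRequest": {"io": {"direction": "OUTGOING", "data": _b64(b"\x1b[1;32m$ \x1b[0m")}}},
    {"logRequest": {"io": {"direction": "INCOMING", "data": _b64(b"id\r")}}},
    {"logRequest": {}},
    {"logRequest": {"io": {"direction": "OUTGOING", "data": _b64(b"id\r\nuid=1000(alice)\r\n")}}},
]})

# ANSI CSI sequences (colours, cursor movement) that clutter decoded output.
ANSI_CSI = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")


def decode_by_direction(export_json):
    """Return {direction: bytes}, Base64-decoding each frame on its own."""
    streams = defaultdict(bytes)
    for frame in json.loads(export_json).get("frames", []):
        io = (frame.get("logRequest") or {}).get("io") or {}
        data = io.get("data")
        if not data:
            continue  # no terminal I/O in this frame; jq -r would emit "null" here
        # validate=True rejects non-Base64 characters instead of skipping them.
        streams[io.get("direction", "UNKNOWN")] += base64.b64decode(data, validate=True)
    return dict(streams)


def printable_text(raw):
    """Strip ANSI CSI sequences and carriage returns for grep-friendly review."""
    cleaned = ANSI_CSI.sub(b"", raw).replace(b"\r", b"")
    return cleaned.decode("utf-8", errors="replace")


if __name__ == "__main__":
    for direction, raw in decode_by_direction(SAMPLE_EXPORT).items():
        print(f"--- {direction} ---")
        print(printable_text(raw))
```

To run it against a real log, replace SAMPLE_EXPORT with the text produced by sft session-logs export yourSessionLog.asa.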
