Manage session logs
After an SSH or RDP session ends, the Okta Privileged Access gateway encrypts and stores the session logs. You can use the Okta Privileged Access client to export, decode, verify, and review the logs. Okta Privileged Access uses the client to ensure session logs aren't tampered with by an attacker. Teams can manage session logs with the sft session-logs command. See Use the Okta Privileged Access client.
Before you begin
- Install and enroll the Okta Privileged Access client. See Install the Okta Privileged Access client.
- Move the log files to a location accessible by the Okta Privileged Access client.
- Modify the read permissions so the client can access the session logs. On Linux, use the chmod command.
- To review RDP session logs, you must Install RDP Transcoder.
Review SSH session logs
You can use the popular asciinema tool to replay exported session logs. While Okta doesn't maintain this program, teams can easily export session logs to a format readable by asciinema. The following commands are simple examples of how to review the session logs. For additional information, see the asciinema documentation.
- Open a terminal window and export a session log to asciinema format with the following command.
sft session-logs export --format asciinema yourSessionLog.asa --output exportedSession.cast
- Replay the exported log with the following command.
asciinema play exportedSession.cast
- Optional. Print the exported log to stdout with the following command.
asciinema cat exportedSession.cast
Review RDP session logs
After an RDP session is recorded and stored on the Okta Privileged Access gateway, the binary .asa format can be transcoded to .mkv video format.
- Open a terminal window and export a session log to .mkv video format with the following command. To use more advanced syntax, see Use the Okta Privileged Access client.
sft session-logs export /path/source-file.asa --format mkv --output /path
- Go to the location where the .mkv file is exported and use a GUI video player to replay the recording.
Decode session logs
Use the following command to decode the raw Base64 encoded data. By default, decoding a log returns both incoming and outgoing characters.
sft session-logs export yourSessionLog.asa | jq -r '.frames[] | .logRequest.io.data' | base64 -d
For a cleaner output, use the following command to only decode outgoing characters:
sft session-logs export yourSessionLog.asa | jq -r '.frames[] | select (.logRequest.io.direction == "OUTGOING") | .logRequest.io.data' | base64 -d