Session logs

This is an Early Access feature. To enable it, contact Okta Support.

When a session ends, a recording of the session is saved to /var/log/sft/sessions. The filename contains a UTC timestamp, the Advanced Server Access team name, and the username of the session user, in the format timestamp-teamname-username.asa. For example, a session log filename looks like 20200903T153818.5108-mycompany-myuser.asa.

Before a session ends, the logs are stored in temporary storage (usually /tmp on Linux).
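
The filename format above can be parsed to build an audit index of recordings per user. The following is an added example, not code from Okta or Advanced Server Access; the function names are hypothetical, and it assumes the operator passes in the team name, since a hyphen inside a team or user name would make a blind split ambiguous.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Timestamp shape taken from the sample filename: YYYYMMDDTHHMMSS.ffff
_NAME = re.compile(r"^(\d{8}T\d{6}\.\d{1,6})-(.+)\.asa$")

@dataclass(frozen=True)
class SessionLogName:
    started_utc: datetime
    team: str
    user: str

def parse_session_log_name(filename: str, team: str) -> SessionLogName:
    """Split timestamp-teamname-username.asa into its fields.

    Assumption: the caller knows the team name, so the remainder after
    "<team>-" is taken as the username even if it contains hyphens.
    """
    m = _NAME.match(filename)
    if not m:
        raise ValueError(f"not a session log name: {filename!r}")
    stamp, rest = m.groups()
    prefix = team + "-"
    if not rest.startswith(prefix) or len(rest) == len(prefix):
        raise ValueError(f"unexpected team in {filename!r}")
    started = datetime.strptime(stamp, "%Y%m%dT%H%M%S.%f")
    return SessionLogName(started.replace(tzinfo=timezone.utc), team, rest[len(prefix):])

def index_by_user(filenames, team):
    """Group session start times by user; return names that do not fit."""
    by_user, rejected = {}, []
    for name in filenames:
        try:
            entry = parse_session_log_name(name, team)
        except ValueError:
            rejected.append(name)  # worth a look: foreign file in the log dir
            continue
        by_user.setdefault(entry.user, []).append(entry.started_utc)
    return by_user, rejected

# Constructed sample listing; the first name is the example from the text.
SAMPLE = [
    "20200903T153818.5108-mycompany-myuser.asa",
    "20200903T160102.0042-mycompany-svc-deploy.asa",
    "20200903T160500.1200-otherteam-myuser.asa",
    "notes.txt",
]
```

In practice the filename list would come from a directory listing of /var/log/sft/sessions; names returned in the rejected list are files that do not match the expected naming for the given team.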

Log tamperproofing

When a gateway records a session, it cryptographically signs the session data as it's stored so that any tampering is detected. This prevents an attacker who gains access to the location where your session logs are stored from manipulating a log file to erase their tracks.

Advanced Server Access generates signing key pairs and stores only the public key, which is used to validate logs, while the gateway uses the private key to sign logs. The signing key is rotated about every 24 hours.

Related topics

View and manage session logs

Enable session capture on a project

Capacity planning