View and manage session logs

This is an Early Access feature. To enable it, contact Okta Support.

You can view and manage SSH session recording logs. You can use various commands to export, decode, verify, and view the logs.

When a session ends, a recording of the session is saved to /var/log/sft/sessions. The filename contains a UTC timestamp, the Advanced Server Access team name, and the username of the session user in the format timestamp-teamname-username.asa. For example, a sample session log filename is 20200903T153818.5108-mycompany-myuser.asa

Before a session ends, the logs are stored in temporary storage (usually /tmp on Linux).

Note: Replace timestamp-teamname-username.asa in the commands in the following sections with the name of your log file.

Before you begin

Download and install asciinema. See asciinema.

You need an authenticated Advanced Server Access client that's enrolled in your team to run most of the commands that work with session log files. This is because the logs are signed by the gateway to prevent logs from being tampered with. The client retrieves the gateway's public key from the Advanced Server Access platform and uses it to verify that a log hasn't been tampered with.

Copy the log files to a location that the Advanced Server Access client can access. Since the files are stored with restrictive permissions, you may need to run chmod to change the permissions of the logs to allow the client to access them. For example, on Linux you can grant read access to everyone to the file 20200903T153818.5108-mycompany-myuser.asa by running the command chmod 444 20200903T153818.5108-mycompany-myuser.asa

Replay a session log using asciinema

  1. Export the log to asciinema format:
    sft session-logs export --format asciinema 20200903T153818.5108-demo3-demo.asa --output filename.cast
  2. Play the log using asciinema:
    asciinema play filename.cast

Export a log to JSON

You can use the following command to verify the integrity of the log and export it to JSON:

sft session-logs export timestamp-teamname-username.asa

Alternatively, you can export the log without verifying its integrity by using the command:

sft session-logs export --insecure timestamp-teamname-username.asa

You can use the --insecure option to export session logs without logging in to Advanced Server Access.

Verify the integrity of a log

You can verify the integrity of a log without outputting the log by using the command:

sft session-logs verify timestamp-teamname-username.asa

Decode a log

All input/output in a log file is Base64 encoded. You can use the following command to take the raw Base64 encoded log data and decode it:

sft session-logs export timestamp-teamname-username.asa | jq -r '.frames[] | .logRequest.io.data' | base64 -d

Print session to stdout

You can export the log to asciinema format and use the cat command to print the session to stdout as follows:

sft session-logs export --format asciinema 20200903T153818.5108-demo3-demo.asa --output filename.cast

asciinema cat filename.cast

Related topics

Session capture

Session logs