17.3.1. Finding specific audit trails

Organizing the audit trails is simple. Every loaded audit trail is displayed in the Project Trails tab. To group selected trails into a new tab (a trailset), select File > New Trailset and enter a name for the trailset. After that, you can drag-and-drop the interesting streams to this tab, or right-click a stream and select Copy to another set or Move to another set.

To remove a stream from a trailset, click on the stream and select Delete from the local menu. Deleting a stream from the Project Trails tab deletes the stream from every trailset.

To filter the audit trails available in a trailset, select Edit > Find, and enter your search keywords into the Text field. To search for special keys or events (for example, pressing the Escape key), use the Key sequence field.

Warning

When searching audit trails of SSH and Telnet terminal sessions, the character encoding set in Edit > Preferences > Terminal encoding can affect the search results: if the session used a different encoding than the one set there, non-ASCII characters are decoded incorrectly, so keywords containing them are not found and the affected trails are omitted from the search results. If a search for an accented or non-Latin term returns nothing, check this setting before concluding that the term does not occur in the sessions.

Figure 17.8. Searching audit trails with AP

To search in the metadata of the trails, select More Options > Trail properties. The following metadata is available for filtering:

  • Time: Use the From and To fields to restrict the results to streams that fall within the given time range; the time filter is combined with the other search criteria.

  • Protocol: The protocol used in the stream: HTTP, SSH, RDP or Telnet.

  • Username: The username used in the session (if available).

  • Server IP: The IP address of the server that PSM connected to.

    Use an IPv4 address.

  • Server Port: The port of the server that PSM connected to. 0 matches every port.

  • Client IP: The IP address of the client computer.

    Use an IPv4 address.

  • Client Port: The port of the client computer used to establish the connection. 0 matches every port.

  • Connection: The session_id identifying the particular session.

  • Channel Type: The type of channel used in the stream (for example terminal session, drawing, and so on). For the list of supported channel types, see Chapter 8, HTTP-specific settings, Chapter 10, RDP-specific settings, Chapter 11, SSH-specific settings, and Chapter 12, Telnet-specific settings.

  • Channel Policy: The channel policy applied to the session.
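The following Python model shows how the Trail properties form above and the Terminal encoding warning combine: every filled-in property must match, 0 matches every port, the IP fields accept IPv4 addresses only, and a keyword search is run on the captured bytes after decoding them with the configured terminal encoding. This is an added example, not Audit Player or PSM code; the Trail record, the TrailProperties form, the sample trails (constructed) and all function names are assumptions made for illustration.

```python
"""Offline model of the Audit Player trail search described above.

Added example; it is not Audit Player or PSM code. The Trail record, the
TrailProperties form, the sample trails and the function names are
assumptions made for illustration. The matching rules follow the text:
every filled-in property must match, 0 matches every port, the IP fields
take IPv4 addresses, and text hits depend on the Terminal encoding.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address
from typing import Optional


@dataclass
class Trail:
    """Metadata of one audit trail plus its raw captured bytes (constructed)."""
    session_id: str
    protocol: str            # "HTTP", "SSH", "RDP" or "Telnet"
    username: Optional[str]  # None when the protocol did not expose one
    server_ip: str
    server_port: int
    client_ip: str
    client_port: int
    channel_type: str
    channel_policy: str
    start: str               # ISO 8601 session start
    end: str                 # ISO 8601 session end
    content: bytes           # terminal output exactly as captured


@dataclass
class TrailProperties:
    """One 'More Options > Trail properties' form. None (or port 0) means 'any'."""
    time_from: Optional[str] = None
    time_to: Optional[str] = None
    protocol: Optional[str] = None
    username: Optional[str] = None
    server_ip: Optional[str] = None
    server_port: int = 0          # 0 matches every port
    client_ip: Optional[str] = None
    client_port: int = 0          # 0 matches every port
    connection: Optional[str] = None   # session_id
    channel_type: Optional[str] = None
    channel_policy: Optional[str] = None


def _ipv4(value: Optional[str]) -> Optional[IPv4Address]:
    """The IP fields accept IPv4 only; fail loudly instead of silently matching nothing."""
    if value is None:
        return None
    addr = ip_address(value)
    if not isinstance(addr, IPv4Address):
        raise ValueError(f"IPv4 address expected, got {value!r}")
    return addr


def matches_properties(trail: Trail, props: TrailProperties) -> bool:
    """Every property that is filled in must match (AND semantics)."""
    wanted = [  # (value from the form, value from the trail); None on the form side = any
        (props.protocol, trail.protocol),
        (props.username, trail.username),
        (props.connection, trail.session_id),
        (props.channel_type, trail.channel_type),
        (props.channel_policy, trail.channel_policy),
        (_ipv4(props.server_ip), _ipv4(trail.server_ip)),
        (_ipv4(props.client_ip), _ipv4(trail.client_ip)),
        (props.server_port or None, trail.server_port),   # 0 -> any port
        (props.client_port or None, trail.client_port),
    ]
    if any(want is not None and want != have for want, have in wanted):
        return False
    # Time window: keep sessions that overlap From..To. ISO 8601 timestamps
    # in the same format sort correctly as plain strings.
    if props.time_from and trail.end < props.time_from:
        return False
    if props.time_to and trail.start > props.time_to:
        return False
    return True


def text_hit(trail: Trail, needle: str, terminal_encoding: str) -> bool:
    """Decode the captured bytes with the configured Terminal encoding, then search.

    This is where the warning above bites: decoding with the wrong encoding turns
    non-ASCII characters into U+FFFD, so a keyword containing them is not found."""
    text = trail.content.decode(terminal_encoding, errors="replace")
    return needle in text


def find_trails(trails, props, text=None, terminal_encoding="utf-8"):
    """Return the session_ids matching the properties form and the optional keyword."""
    return [t.session_id for t in trails
            if matches_properties(t, props)
            and (text is None or text_hit(t, text, terminal_encoding))]


# Constructed sample trails. The Telnet session was captured from a host that
# writes ISO-8859-2, so its accented prompt only decodes correctly with that encoding.
SAMPLE_TRAILS = [
    Trail("svc-1001", "SSH", "admin", "10.0.0.5", 22, "192.168.1.10", 51234,
          "session-shell", "shell-only", "2024-03-01T09:00:00", "2024-03-01T09:30:00",
          b"sudo -i\nrm -rf /var/log/audit\n"),
    Trail("svc-1002", "Telnet", None, "10.0.0.7", 23, "192.168.1.11", 40222,
          "telnet", "telnet-all", "2024-03-01T10:00:00", "2024-03-01T10:05:00",
          "login: root\njelsz\u00f3: \n".encode("iso-8859-2")),
    Trail("svc-1003", "RDP", "jdoe", "10.0.0.9", 3389, "192.168.1.12", 49876,
          "drawing", "rdp-desktop", "2024-03-02T08:00:00", "2024-03-02T08:45:00",
          b""),
]
```

Searching the sample set for the keyword "jelszó" with the terminal encoding set to iso-8859-2 returns the Telnet session; the same search with utf-8 returns nothing, which is exactly the silent miss the warning describes. Supplying an IPv6 address in an IP field raises an error rather than quietly matching no trails.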

In HTTP trails, both URLs and text content are searchable. Each search result line at the bottom of the window (white lines) has a tooltip that shows the exchange ID number. When you open a filtered audit trail, only the exchanges that contain the filter expression are displayed, and the matching context is shown in the Search hit context column. To display every exchange, disable Show search hits only; the exchanges that contain the filter expression are then highlighted with a blue background.