2.5. Indexing

PSM can index the contents of audit trails, making the records of privileged users' activities easily searchable.

Audit trails contain user activity data recorded from terminal sessions (such as SSH and Telnet) and graphical protocols (such as RDP, Citrix ICA, and VNC). Examples of data recorded in audit trails are: mouse activity, keystrokes, and so on. Using its own indexer service or one or more external indexers, PSM determines elements of the content visible on the user's screen at a given point in time. Screen content elements include commands, window titles, IP addresses, user names, and so on.

The indexer generates the following types of output as a result of processing the audit trail files:

  • text

  • screenshot files

  • replayable video files

PSM then takes the output of indexing and breaks that down into searchable units.

Figure 2.7, Indexing audit trail files and the process overview that follows describe how indexing works at a high level:

Figure 2.7. Indexing audit trail files

Indexing audit trail files
  1. PSM monitors and records the protocol traffic in the audited connections passing through PSM. Protocol traffic data is recorded in audit trail files.

  2. Once a connection has been closed, PSM sends the audit trail files to the indexer.

  3. The indexer parses the contents of the audit trail files, and builds an "inventory" of the privileged user's activity data based on what appeared on their screen.

    In the case of a terminal session, screen content corresponds to the activity data that is captured in a terminal window. In the case of graphical protocols, screen content is whatever is visible in the graphical user interface of the applications the user is interacting with. In the latter case, the indexer's Optical Character Recognition (OCR) engine extracts text that appeared on the screen (for example, window titles).

  4. The indexer returns the information extracted from the parsed audit trail files to PSM.

  5. PSM processes the outcome of parsing and OCR-ing done in the previous phase and makes the data searchable.

  6. Once indexed, the contents of the audit trails can be searched from PSM's web interface.

For details on how to configure PSM's internal indexer or one or more external indexers, see Chapter 15, Indexing audit trails.