15.1. Procedure – Configuring the internal indexer

Purpose: 

To configure PSM to index the audit trails, complete the following steps.

Indexing is a resource intensive (CPU and hard disk) operation, and depending on the number of processed audit trails and parallel connections passing PSM, may affect the performance of PSM. Test it thoroughly before enabling it in a production environment that is under heavy load. If your PSM appliance cannot handle the connections and the indexing, consider using external indexers (see Section 15.2, Configuring external indexers) to decrease the load on PSM. For sizing recommendations, ask your Balabit partner or contact the Balabit Support Team.

Note that the minimum value of Backup & Archive/Cleanup > Archive/Cleanup policies > Retention time in days is 30 days when using the indexer service. If you previously had a setting lower than this, it will still archive the index after 30 days when the indexer service is used.

Note

Only those audit trails will be processed that were created after full-text indexing had been configured for the connection policy. It is not possible to process already existing audit trails.

Note

Using content policies significantly slows down connections (approximately 5 times slower), and can also cause performance problems when using the indexer service.

Steps: 

  1. Navigate to Basic Settings > Local Services > Indexer service.

    Figure 15.1. Basic Settings > Local Services > Indexer service > Configure the Indexer service of PSM

  2. Define the Maximum parallel audit trails to index on box.

    This option determines the maximum number of parallel indexing and screenshot generating tasks that the PSM appliance performs. The default value is set to the number of detected CPU cores. Note that indexing audit trails requires about 50-100 Mbytes of memory for terminal sessions (SSH, Telnet, TN3270), and 150-300 Mbytes for graphical sessions (RDP, ICA, VNC, X11). Consider the memory usage of your PSM host before modifying this value.
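As an added capacity check (not code from the PSM documentation or product), the following script turns the per-trail memory figures quoted above into an estimate of what the indexer may consume at a given parallelism, and derives the largest Maximum parallel audit trails to index on box value that keeps the worst case inside a memory budget. The budget, core count and session mix are assumed inputs you choose; the per-trail ranges are the ones stated on this page.

```python
# Added example; not code from the PSM documentation or product.
# Per-trail memory ranges as stated in Step 2 of the procedure:
TERMINAL_MB = (50, 100)     # per parallel terminal trail: SSH, Telnet, TN3270
GRAPHICAL_MB = (150, 300)   # per parallel graphical trail: RDP, ICA, VNC, X11


def indexer_memory_mb(parallel, graphical_share=1.0):
    """Return (low, high) MB for `parallel` concurrent indexing tasks.

    graphical_share is the assumed fraction of tasks that are graphical
    sessions; 1.0 (the default) gives the pessimistic all-graphical bound,
    which is the right planning figure when the mix is unknown.
    """
    if parallel < 0 or not 0.0 <= graphical_share <= 1.0:
        raise ValueError("parallel must be >= 0 and graphical_share in [0, 1]")
    graphical = round(parallel * graphical_share)
    terminal = parallel - graphical
    low = terminal * TERMINAL_MB[0] + graphical * GRAPHICAL_MB[0]
    high = terminal * TERMINAL_MB[1] + graphical * GRAPHICAL_MB[1]
    return low, high


def max_parallel_for_budget(budget_mb, cpu_cores, graphical_share=1.0):
    """Largest value for the parallel-trails setting, capped at the page's
    default (the detected CPU core count), whose worst-case footprint fits
    in budget_mb. Returns 0 when even a single task does not fit."""
    for n in range(cpu_cores, 0, -1):
        if indexer_memory_mb(n, graphical_share)[1] <= budget_mb:
            return n
    return 0


if __name__ == "__main__":
    # Constructed scenario (assumption): an 8-core appliance where 1 GB is
    # set aside for indexing alongside the proxied sessions themselves.
    cores, budget = 8, 1024
    low, high = indexer_memory_mb(cores)
    print(f"default ({cores} parallel, all graphical): {low}-{high} MB")
    print("max parallel within budget:", max_parallel_for_budget(budget, cores))
```

If the value returned is well below the core count, lower the setting or move indexing to external indexers as the page suggests.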

  3. Optional step: If you have encrypted audit trails and you want to index them, upload the necessary RSA keys (in PEM-encoded X.509 certificates).

    Note

    Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.

    1. Click , and then click the first icon to upload the new certificate. A pop-up window is displayed.

      Select Browse, select the file containing the certificate, and click Upload. Alternatively, you can also copy-paste the certificate into the Certificate field and click Set.

    2. To upload the private key corresponding to the certificate, click the second icon. A pop-up window is displayed.

      Select Browse, select the file containing the private key, provide the Password if the key is password-protected, and click Upload. Alternatively, you can also copy-paste the private key into the Key field, provide the Password there, and click Set.

    3. To add more certificate-key pairs, click and repeat steps 3a and 3b.

    Tip

    If you want to search the trail content on the web interface, note that to view screenshots generated from encrypted audit trails, you also have to upload the necessary certificates to your private keystore. For more information, see Procedure 16.1.3, Replaying encrypted audit trails in your browser.

  4. Click .

  5. Navigate to Policies > Indexer Policies.

  6. Two Indexer Policies are available by default, both with automatic language detection:

    • full_indexing: Slower, indexes the complete content of the screen, including all events

    • lightweight_indexing: Significantly faster, but it extracts only the executed commands (Command event) and the window titles (Window title event) that appear on the screen. It does not index any other screen content (for example, text that is displayed in a terminal or that appears in an RDP window).

      For example, in the case of the SSH protocol, lightweight_indexing will index a command with its parameters, such as cat --help, but will not index terminal printouts such as the help content itself.

    Note

    In the case of graphical protocols, the default Optical Character Recognition (OCR) configuration is automatic language detection. This means that the OCR engine will attempt to detect the languages of the indexed audit trails automatically. However, if you know in advance what language(s) will be used, create a new Indexer Policy.

    To create a new Indexer Policy, click .

    Figure 15.2. Policies > Indexer Policies > Manual language selection

  7. To configure what languages to detect, select Select languages manually for character recognition. Select the language(s) to detect. Note the following:

    • Specifying only one language provides the best results in terms of performance and precision.

    • The English language is always detected along with the non-English languages that you have configured. However, if you want the OCR to only recognize the English language, you have to select it from the list of languages.

    • There are certain limitations in the OCR engine when recognizing languages with very different character sets. For this reason, consider the following:

      • When selecting Asian languages (Simplified Chinese, Traditional Chinese, Korean, Thai), avoid adding languages that use the Latin alphabet.

      • When selecting the Arabic language, avoid selecting any other languages.

  8. Configure the Indexing policy for the Connection policy that you want to index:

    By default, the lightweight_indexing Indexing policy is enabled for every Connection policy with normal priority. If this is ideal for you, skip this step and continue with the next step. If you want to use a different policy, for example because you want to OCR the complete screen content, or because you have created a language-specific indexer policy, complete the following substeps.

    1. Navigate to the Control > Connections page of the traffic type (for example SSH Control), and select the connection policy to index.

    2. Select the Indexing Policy to be used. Both built-in Indexer Policies feature automatic language detection. To specify a particular language detection configuration, select the Indexing Policy you have created before (in Step 6).

      Figure 15.3. <Protocol name> Control > Connections > Enable indexing — Select Indexing Policy

    3. To determine the priority level of indexing this connection, select the appropriate Priority level. Selecting a high priority level means that the trails of this connection will be indexed first. Selecting a low priority level means that the trails of this connection will be indexed also, but there might be a delay in indexing if there are a lot of high-priority connections waiting to be indexed.

    4. Click .

  9. Check which channel policy is used in the connection, and navigate to the <Protocol name> Control > Connections page. Select the channel policy used in the connection to index.

  10. On the <Protocol name> Control > Channel Policies page, verify that the Audit option is selected for the channels you want to index (for example, the Session shell channel in SSH, or the Drawing channel in RDP).

  11. Click .

    Tip

    To verify that indexing works as configured, start a session that uses this connection policy (connect from a client to a server).

    When the session is finished, navigate to the Indexer > Indexer status page to verify that the indexer service is processing the audit trail.

    If the audit trails are encrypted, ensure that the required decryption keys have been uploaded to Basic Settings > Local Services > Indexer service > Indexer keys.