
Support access audit logs

This topic describes how terminal session audit logging works within the Delphix OS. These logs contain keystroke-by-keystroke recordings of all terminal activity during a given shell session initiated by a super user (Delphix support).

Overview

Super user activity by Delphix support is recorded to an individual log file for each shell session. Each log file is named using the format session_<shell user ip>_<epoch timestamp>. The contents of the logs include commands entered into the shell and the output of those commands. Timestamps are additionally prepended to each line of the log to facilitate assessing the timeline of events.

Session logs created during a super user shell session are kept forever unless deleted by a Delphix engine SYSTEM user.

Listing the session audit logs

Super user session logs can be reviewed/deleted through the CLI or API and downloaded through the API only. Any DOMAIN or SYSTEM user can list the current logs or download a given log file but only SYSTEM users can delete them. To review a list of the session logs currently present on a Delphix engine:

  1. Log in to the Delphix CLI using admin or sysadmin credentials.

  2. Navigate to superuser session and press enter.

  3. Use list or ls to view the files.

BASH
ip-12-345-678-90 superuser session> ls
Objects
NAME                                 IPADDRESS      STARTTIMEUTC              DURATION
session_123.45.678.90_1686923517171  123.45.678.90  2023-06-16T13:51:57.171Z  20sec
session_123.45.678.90_1686923559856  123.45.678.90  2023-06-16T13:52:39.856Z  439sec
session_123.45.678.90_1686924008788  123.45.678.90  2023-06-16T14:00:08.788Z  87sec

Here is an example of calling the list API directly using curl:

BASH
curl -b ~/cookies.txt -X GET "http://mydelphixengine.myorg.com/resources/json/delphix/superuser/session"

Downloading a session audit log

Any DOMAIN or SYSTEM user can download a super user session log file via the Delphix API. Here is an example of calling the download API using curl:

BASH
curl -v -O -J "http://mydelphixengine.myorg.com/resources/json/delphix/superuser/session/download?sessionLogName=session_123.45.678.90_1686923517171" -b ~/cookies.txt

Reviewing a session audit log

It is recommended that session logs be viewed through a program such as cat, which is capable of interpreting control characters. The logs include not only keystrokes and terminal output but also the control characters that dictate how that output was formatted and displayed, so that the logs reflect what was actually seen during the shell session as accurately as possible. It is also possible to view the logs using any text editor, but in most cases they will be more difficult to read because the control characters themselves will be visible. Here is a snippet from a brief session log as it might be displayed by cat:

BASH
[2023-06-16T13:52:28.061Z] delphix:~$ echo testing 123
[2023-06-16T13:52:28.062Z] testing 123
[2023-06-16T13:52:30.599Z] delphix:~$ exit

Note that each line of the log includes a timestamp. This timestamp is prepended to each line as the log is written. It is not part of the session terminal output, but is provided to make it easier to assess the timeline of a given session. To maximize its accuracy, the timestamp is generated in the instant before a given command is executed rather than when the prompt was first printed to the terminal.

Limitations

Shell activity that involves opening a pager or buffer (e.g. less, more, vi) may not be fully reflected in the session log, though the command that initiates the pager/buffer will be present. For example, if a super user opens a file in vi for editing, the line to open the file would be present, followed by the next command run after vi was closed.
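
The following is an added example, not Delphix code, of reviewing a downloaded log programmatically: it strips the control characters, recovers the timestamped commands, and flags pager/editor launches whose activity the log will not show, reporting the time to the next logged line as an upper bound on the unrecorded window. The sample log is constructed; the prompt pattern, the ANSI-style escape sequences and the editor names beyond less, more and vi are assumptions.

```python
import re
from datetime import datetime

# Assumption: control characters in the log are standard ANSI CSI/OSC sequences.
ANSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]|\x1b\][^\x07]*\x07")
CTRL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")  # keeps tab
LINE = re.compile(r"^\[(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d{3})Z\] ?(.*)$")
# Assumption: prompts end in "$ " or "# ", as in the page's "delphix:~$" snippet.
PROMPT = re.compile(r"^\S*[$#] (.*)$")
# less, more and vi are named on the page; vim, view and nano are assumed additions.
BLIND = {"less", "more", "vi", "vim", "view", "nano"}

def clean(s):
    """Strip escape sequences, apply backspaces, drop remaining control bytes."""
    s = ANSI.sub("", s)
    while re.search(r"[^\x08]\x08", s):
        s = re.sub(r"[^\x08]\x08", "", s)
    return CTRL.sub("", s)

def parse(text):
    """Return (timestamp, command or None, cleaned text) for each log line."""
    events = []
    for raw in text.split("\n"):
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            body = clean(m.group(2))
            p = PROMPT.match(body)
            events.append((ts, p.group(1) if p else None, body))
    return events

def blind_spots(events):
    """Return (command, seconds to next logged line) for pager/editor launches."""
    found = []
    for i, (ts, cmd, _) in enumerate(events):
        segs = ([w for w in s.split() if w != "sudo"] for s in re.split(r"[|;&]+", cmd or ""))
        progs = {w[0].rsplit("/", 1)[-1] for w in segs if w}
        if progs & BLIND:
            nxt = events[i + 1][0] if i + 1 < len(events) else None
            found.append((cmd, (nxt - ts).total_seconds() if nxt else None))
    return found

# Constructed sample log, not taken from a real engine.
SAMPLE = (
    "[2023-06-16T13:52:41.120Z] delphix:~$ \x1b[1msudo vi /etc/hosts\x1b[0m\r\n"
    "[2023-06-16T13:55:03.480Z] delphix:~$ cat /etc/hostz\x08\x1b[Ks\r\n"
    "[2023-06-16T13:55:03.481Z] 127.0.0.1 localhost\r\n"
    "[2023-06-16T13:55:10.002Z] delphix:~$ exit\r\n"
)
```

Calling blind_spots(parse(SAMPLE)) reports the vi launch with a gap of about 142 seconds during which the log shows nothing of what was edited.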

Deleting a session audit log

These audit logs are meant to live as long as they are needed, and thus are not governed by a retention policy. Should you wish to delete a log, this can be done only by SYSTEM users, through the Delphix CLI or API. To use the CLI:

  1. Log in to the Delphix CLI using sysadmin credentials.

  2. Navigate to superuser session and press enter.

  3. Review the current log files using list or ls.

  4. Select the log file that you wish to delete.

  5. Use list or ls to review the log details and confirm this is the log you want to delete.

  6. Type delete and press enter.

  7. Type commit and press enter to delete the log.

BASH
ip-12-345-678-90 superuser session> select "session_123.45.678.90_1686923517171"
ip-12-345-678-90 superuser session 'session_123.45.678.90_1686923517171'> ls
Properties
    type: SuperuserSession
    name: session_123.45.678.90_1686923517171
    duration: 20sec
    ipAddress: 123.45.678.90
    reference: SUPERUSER_SESSION-session_123.45.678.90_1686923517171
    startTimeUTC: 2023-06-16T13:51:57.171Z

Operations
delete
ip-12-345-678-90 superuser session 'session_123.45.678.90_1686923517171'> delete
ip-12-345-678-90 superuser session 'session_123.45.678.90_1686923517171' delete *> commit
ip-12-345-678-90 superuser session> ls
Objects
NAME                                 IPADDRESS      STARTTIMEUTC              DURATION
session_123.45.678.90_1686923559856  123.45.678.90  2023-06-16T13:52:39.856Z  439sec
session_123.45.678.90_1686924008788  123.45.678.90  2023-06-16T14:00:08.788Z  87sec

The delete API can also be called directly. Unlike the download API, delete requires the session log reference, which is always SUPERUSER_SESSION-<log name>. Here is an example of calling the delete API using curl:

BASH
curl -X POST "http://mydelphixengine.myorg.com/resources/json/delphix/superuser/session/SUPERUSER_SESSION-session_123.45.678.90_1686923517171/delete" -b ~/cookies.txt