Auditing Sessions: Event Recording

Both web-based and native client remote access sessions can be configured to record session events. Session events refer to actions that occur during a user's session, such as keystrokes, file transfers, and clipboard usage.

Depending on the user's assigned Access Profile, all, some, or none of these events may be recorded.

When session events are captured, they can be reviewed by auditors or other authorized users to understand the actions taken during a remote session.

Reviewing Session Event Recordings

Users with the appropriate permissions can access session event recordings through the Sessions Report.

There are two primary ways to access the Session Events Report:

  • From a specific asset where the session occurred:
    Navigate to the asset’s View page, then go to Reports > Sessions, and select Actions > Session Events to view the full report for that session.
  • From the global reports:
    System Administrators and Auditors can access the global Session Events report via the left-hand navigation menu under Reports > Session Events. This view provides a searchable list of all captured session events within the defined time range.

Session Events Report from an Asset View

Regardless of the report access method, the session event details presented are consistent across views.

Report Columns

The Session Events Report includes the following columns. By default, sessions are sorted by the Created column in either ascending or descending order:

  • Asset: The name of the asset from the Asset Database where the session events occurred.
  • Start: Timestamp marking when the session event began.
  • Finish: Timestamp indicating when the session event ended.
  • Type: The type of session event. Possible types include:

    • Keyboard: Recorded when the user types on the keyboard.
    • Clipboard Download: Recorded when clipboard text is transferred from the endpoint to the local device.
    • Clipboard Upload: Recorded when clipboard text is transferred from the local device to the endpoint.
    • File Download: Recorded when a file is transferred (downloaded) from the endpoint to the local device.
    • File Upload: Recorded when a file is transferred (uploaded) from the local device to the endpoint.
    • File Listing: Recorded when the user retrieves a file list from the remote endpoint.
    • Exec: A recorded SSH Exec session event, downloadable as output.zip, which may include the following:

      • The original command executed (potentially large, especially when triggered by automation tools)
      • The command’s standard output (stdout), which may also be large
      • The command’s error output (stderr), if any
      • The command’s input stream, if any data was captured

      Exec events are commonly generated by infrastructure automation tools such as Ansible or Terraform, which often execute complex or high-volume SSH commands.

  • MIME Type: The content type of the transferred data.

  • Preview: A snippet or summary of the event, such as typed commands or clipboard text.
  • Name: (File transfers only) The name of the file involved in the transfer. The Name column is empty if the event was not a file transfer.
  • Size: (File transfers only) The size of the file transferred.
  • User: The username of the individual who performed the session actions.
  • Session ID: A unique identifier assigned to the session for reference purposes.
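
The following is an added example, not 12Port code: a short triage script that groups events by Session ID and flags sessions that moved file data from the endpoint to the local device. It assumes the report rows have been transcribed to CSV under the column names above and that Size is in bytes; the sample rows and the 10 MiB threshold are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Event types from the report's Type column, grouped by direction of data flow.
OUTBOUND = {"Clipboard Download", "File Download"}   # endpoint -> local device
INBOUND = {"Clipboard Upload", "File Upload"}        # local device -> endpoint

# Constructed sample rows (not real report output). Assumption: rows were
# transcribed to CSV using the report's column names, with Size in bytes.
SAMPLE_CSV = """Asset,Type,Name,Size,User,Session ID
db-01,Keyboard,,,alice,S-1001
db-01,File Download,customers.sql,52428800,alice,S-1001
db-01,Clipboard Download,,,alice,S-1001
web-02,File Upload,patch.tar.gz,1048576,bob,S-1002
web-02,Exec,,,svc-ansible,S-1003
web-02,Exec,,,svc-ansible,S-1003
"""

def summarize_sessions(csv_text):
    """Return {session_id: summary} with per-type counts and transfer totals."""
    sessions = defaultdict(lambda: {"user": None, "asset": None, "types": defaultdict(int),
                                    "outbound_events": 0, "inbound_events": 0,
                                    "outbound_file_bytes": 0, "outbound_files": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = sessions[row["Session ID"]]
        s["user"], s["asset"] = row["User"], row["Asset"]
        etype = row["Type"].strip()
        s["types"][etype] += 1
        if etype in OUTBOUND:
            s["outbound_events"] += 1
        elif etype in INBOUND:
            s["inbound_events"] += 1
        # Name and Size are populated for file transfers only; tolerate blanks.
        if etype == "File Download":
            s["outbound_files"].append(row["Name"])
            s["outbound_file_bytes"] += int(row["Size"] or 0)
    return {sid: {**s, "types": dict(s["types"])} for sid, s in sessions.items()}

def sessions_to_review(summary, min_outbound_bytes=10 * 1024 * 1024):
    """Session IDs whose File Download total meets the (hypothetical) threshold."""
    return sorted(sid for sid, s in summary.items()
                  if s["outbound_file_bytes"] >= min_outbound_bytes)

if __name__ == "__main__":
    summary = summarize_sessions(SAMPLE_CSV)
    for sid in sessions_to_review(summary):
        s = summary[sid]
        print(sid, s["user"], s["asset"], s["outbound_files"], s["outbound_file_bytes"])
```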

Downloading Transferred Files

Files transferred during a session, specifically those from File Upload or File Download events, can be downloaded from the 12Port application for further review. To download a transferred file:

  1. Open the Session Events report.
  2. Locate the desired File Upload or File Download event.
  3. Click the expansion arrow to Show Details of the session event.
  4. In the Name column, click the file name (displayed as a hyperlink) to initiate the download.
  5. The file will begin downloading via your browser.

Session Events Report File Download

Once downloaded, the file can be accessed from your local file system as with any standard file downloaded through the web browser.