Skip to content

Auditing Sessions: Session Transcript

SSH proxy and Web SSH sessions can be configured to capture a full session transcript. A session transcript contains the complete input and output exchanged during an SSH session, including user keystrokes and system responses, presented in chronological order.

Depending on the user's assigned Access Profile, session recording may be enabled or disabled. When enabled, the full SSH transcript can be downloaded in a plain text format.

The downloaded text based transcript file is suitable for:

  • Full-text search and investigation
  • Integration with SIEM or log management platforms
  • Long-term archival and compliance requirements
  • Offline review and analysis

Architecture and Requirements

Session transcript collection behavior depends on the session type and the gateway through which the session is established.

Local Gateway Sessions

SSH Proxy sessions and Web SSH sessions routed through a local gateway require no additional configuration. Transcript collection operates out-of-the-box once session recording is enabled in the user's Access Profile.

Remote Gateway Sessions (Web SSH)

For Web SSH sessions routed through a remote gateway, additional configuration is required.

In this architecture, the transcript recording component operates on the remote gateway node, not on the main PAM node server. When a Web SSH session is initiated through a remote gateway:

  • The session transcript is generated and stored locally on the remote gateway node.
  • The main PAM server retrieves the transcript asynchronously via the Main <–> Peer REST API communication channel.

For transcript retrieval to function correctly, the remote peer node must have the Operations Service (REST API) properly configured and enabled.

The following Operations Service parameters must be correctly configured on the remote peer node:

  • Includes Operations Service enabled
  • Service URL defined
  • Valid Access Token API token configured
  • Trust verification with the main server established
  • Host alias configuration (if required for host matching)

Configuration Reference: For detailed instructions on configuring the Peer Node Operations Service (REST API), including service enablement, URL configuration, API token management, trust verification, and host alias settings, refer to the official documentation: Peer Node Configuration

If the Operations Service on the Remote Gateway Node is:

  • Disabled, or
  • Misconfigured (for example, an expired API token or incorrect URL),

the Proxy SSH or Web SSH session will still function normally, but the session transcript will not be collected.

Note

Important: Remote gateway deployments do not collect Web SSH transcripts out-of-the-box. The peer node must have the Operations Service (REST API) fully configured and operational in order for transcripts to be available in the Sessions Report.

Accessing the SSH Session Transcript

Users with the appropriate permissions can download the SSH session transcript through the Sessions Report.

There are two primary ways to access the session details:

  • From a specific asset where the session occurred:
    Navigate to the asset's View page, then go to Reports > Sessions. Locate the relevant session and select Actions > Session Transcript to export the full SSH session transcript as a text file.
  • From the global Sessions report:
    System Administrators and Auditors can access all recorded sessions via the left-hand navigation menu under Reports > Sessions. From the session list, select the desired session and choose Actions > Session Transcript.

Session Report - Session Transcript Option

Transcript Format

The downloaded transcript includes the complete chronological record of:

  • User input entered during the SSH session
  • System and host output returned during the session
  • Interactive command responses as displayed to the user

The file is provided in standard text (.txt) format to ensure compatibility with external tools and log analysis systems.