Bastionhost records every O&M (operations and maintenance) engineer's activity as a session. When a session ends, Bastionhost generates an operation record. Auditors can search these records and play back session recordings to detect unauthorized operations.
Session types
The following table describes what each session type captures:
| Session type | Protocol | What you can view |
|---|---|---|
| Graphic Text | RDP (Remote Desktop Protocol) | Text-based audit logs. Two event sub-types: Graphic Text (recorded by default on Windows Server 2008 and earlier) and Keyboard Command (not recorded by default; enable in Control Policies). |
| Commands | SSH (Secure Shell) | Audit logs of commands executed during the session. EXEC command content is visible here only — not through session playback. |
| File Transfer | — | Audit logs of file operations: uploads, deletions, and renames. |
| Database Audit | — | SQL statements and their execution results. |
| Log Backup | — | O&M logs backed up by Bastionhost. See Log backup. |
Search for and play back sessions
Log on to the Bastionhost console. In the top navigation bar, select the region where your Bastionhost instance is located.
In the list of Bastionhost instances, find the target instance and click Manage.
In the navigation pane on the left, choose O&M Audit > Session Audit.
Select the tab for the session type you want to audit.
In the Filters area, configure search conditions and click Search. You can configure search conditions based on criteria such as host IP addresses, session usernames, and session IDs. To save a filter for later reuse, click Save, enter a name in the Filter Template field, and click OK. The saved template appears in the Default Condition list in the upper-right corner of the session list.
In the session list, find the target session and choose an action in the Actions column:
Play — plays back the O&M session recording.
Details — opens the Session Details dialog, where you can view basic information about the session, the user, and the host.
If you select Keystroke Logging when configuring RDP Options for a control policy, keyboard operation audit logs from RDP O&M sessions appear in the session list. For more information, see Configure a control policy.
What's next
Configure a control policy — enable keystroke logging and other audit options for RDP sessions.
Log backup — manage O&M logs backed up by Bastionhost.