Sessions History
The Session History feature allows you to view a comprehensive table of sessions, including both past and currently active sessions. This table provides valuable information about session establishment, including entity names and IDs associated with the session (such as users, workstations, and connectors), session status, and various time metrics (start time, end time, duration, etc).
Data Source and Data Retention¶
The session history data presented in the table is collected from the connector and security gateway. However, please note that this data may be incomplete and may not accurately reflect the real-time state of sessions. To ensure system efficiency, the data is retained for 30 days before being automatically removed.
The following table provides more details about the current data sources, including who each source applies to, their update interval, and the states they can change in the session history:
Data Source | Applies To | Update Interval | Effect (States Changed) |
---|---|---|---|
Connector | All sessions initiated through a connector | Single time per session | |
Security Gateway | All sessions being brockered by a security gateway if Session Tracking is enabled in connector settings | 5 minutes | |
Manager Session Cleaning Service | Sessions that left state and stopped receiving updates from other sources | 1 min |
Explanation of Table Columns:
- Data Source: The source of data that contributes to the session history.
- Applies To: Which sessions the data source applies to.
- Update Interval: The frequency at which the data source is updated or polled.
- Effect (States Changed): The session states that can be changed or updated by each data source.
Session Status
Attempted: Indicates that the session establishment was initiated
Active: The session is currently active
Unknown: Indicates that the session has stopped receiving updates
Ended: The session has ended
Filtering¶
Similar to other tables in the Admin Console, you can use the input field to filter the session history based on specific criteria. On the session history page, you have the option to filter by workstation or username.
Furthermore, you can choose to apply exact or partial matching filters.
Note
Partial matches may take longer to process.
Columns Description¶
The following table provides a description of the available columns in the session history table:
Name | Description | Data Type | Visible by Default | Sortable |
---|---|---|---|---|
Session ID | Unique identifier of the session | String | Yes | No |
User | User responsible for establishing the session | String (with link) | Yes | Yes |
User Guid | Globally Unique Identifier (GUID) of the user | String | No | No |
Status | Current status of the session | Icon representing the session status (Refer to the note below for possible session statuses) | Yes | Yes |
Start Time | Date and time when the session started | Date | Yes | Yes |
Last Update Time | Date and time of the last collected telemetry | Date | No | No |
End Time | Date and time when the session ended | Date | Yes | Yes |
Duration | Total duration of the session | String | Yes | Yes |
Connector | Connector used to establish the connection | String (with link) | Yes | No |
Connector ID | Identifier of the connector used for the connection | String (with link) | No | No |
Workstation | Name of the workstation used for the session | String (with link) | Yes | Yes |
Machine ID | Identifier of the workstation used for the session | String | No | No |
GUID
GUID (or UUID) stands for "Globally Unique Identifier" (or "Universally Unique Identifier"). It is a 128-bit integer number used to uniquely identify resources.
Session States Lifecycle¶
This section provides an overview of the lifecycle of session states and describes the associated time metrics during state transitions.
Every session starts in the attempted state. In this state, the session has the following time metrics:
- Start Time
- Last Updated Time (same as the start time)
- Session End (empty)
- Duration (empty)
Attempted to Active¶
During this transition, the session exhibits the following time metrics:
- Last Updated Time reflects the most recent update
- Session Duration reflects the most recent update
- Session End (empty)
Active to Ended¶
When the session transitions from Active to Ended, the time metrics are as follows:
- Last Updated Time reflects the most recent update time
- Session End (populated)
- Duration reflects the most recent update
Active to Unknown¶
When a session is without updates for 20 minutes, the time metrics are as follows
- Last Updated Time reflects the most recent update and indicates the "staleness" of information
- Duration reflects the most recent update
- Session End (empty)
Unknown to Active¶
During the transition from unknown to Active, the time metrics are as follows:
- Last Updated Time reflects the most recent update
- Duration reflects the most recent update
- Session End (empty)
Unknown to Ended¶
This transition occurs based on two different source behaviors:
- When 24 hours have passed since the start of the last session
- When another session becomes Active against the same workstation, indicating previous sessions have ended
Each behavior has different time metrics.
For the first behavior:
- Last Updated Time reflects the most recent update and potentially indicates the "staleness" of information
- Duration (unchanged)
- Session End populated with the last updated time
For the second behavior: - Last Updated Time reflects the most recent update - Duration reflects the most recent update - Session End (populated)