The Client Sessions List
To view monitored sessions, click the Monitoring Results navigation link on the left, and make sure the Client Sessions tab is selected.
The filters and the Search box at the top of the page can be used to search the session data, and a Forensic Export can also be performed.
The list of all Client sessions is displayed in the form of grid, which displays the following information in the corresponding default columns (with the Total number of sessions listed shown towards the top right of of the page):
• Play: The .
icon can be clicked to open the session in the Session ViewerNOTE: The session can also be played by double-clicking anywhere on the session record.
• Alerts: If any alerts events have been detected in the session, a special icon in displayed, where the color of the alert icon corresponds to the highest alert risk level detected in the session:
- Alerts with the Critical risk level are indicated by a red (
) icon.- Alerts with the High risk level are indicated by an orange (
) icon.- Alerts with the Normal risk level are indicated by a blue (
) icon.• User Name: The name of the user logged in to the Client computer.
NOTE: If secondary user authentication is enabled on the Client, the User Name is displayed as: <Windows/Linux user logged in> (<secondary authentication user>), or if the use of one-time passwords is enabled on the Client, the User Name is displayed as: <Windows user logged in> (<user’s email address>).
• Client Name: The name of the computer on which the Client is installed (with the operating system type of the computer with the Client installed displayed as an icon to the left of the computer name).
• Remote Host Name: The name of the remote computer from which the connection to the Client computer is established.
• IP (toggle switch): The IPv4/IPv6 address of the Client computer.
• Start: The date and time when the session started.
• Finish: The time when the session finished (where the
icon is displayed, if the session has the Live status).• Duration: The duration of the finished session (where this field is empty if the session has the Live status).
To add other columns to the grid (or hide columns, or change the order of the columns in the grid), click the Column Display button (in the top right of the page), and in the Manage Columns pop-up window that opens, select the checkboxes next to the following column names to display them in the grid (and change the order in which the columns are to be displayed in the grid by using the up and down arrow icons), and then click the Close button:
• Risk Score: The severity level of the session is indicated by the risk score icon displayed, which can be clicked on to view the abnormal user behavior patterns and alert events detected in the session on the Session Risk Score page:
- Sessions with a Critical risk score are indicated by a red (
) icon.- Sessions with a High risk score are indicated by a orange (
) icon.- Sessions with a Normal risk score are indicated by a green (
) icon.• Last Activity: The date and time of the last created screen capture or last Linux command executed.
• Remote IPv4: The local IPv4 address of the remote computer from which the connection to the Client computer is established.
• Remote IPv6: The local IPv6 address of the remote computer from which the connection to the Client computer is established.
NOTE: If the user logs in to the Client computer remotely after the Client session has already started using one of the following remote desktop applications, the remote IP address will not be detected: DameWare, Radmin, UltraVNC, or TightVNC.
• Remote Public IPv4: The public IPv4 address of the remote computer from which the connection to the Client computer is established.
• Remote Public IPv6: The public IPv6 address of the remote computer from which the connection to the Client computer is established.
• Domain: The name of the domain to which the Client belongs.
• Description: A custom description of the Client.
• User's Comments: The user’s comment entered on login to the Client computer (or for remote Linux X-forwarded sessions: the text "x-forwarded app:" followed by the application name).
• Client Groups: The names of the Client groups to which the Client belongs (where if the Client only belongs to the All Clients group, the column is empty).
• Time Zone: The time zone of the Client computer, shown in UTC (Coordinated Universal Time), where if the time zone is changed, the current session ends and a new one is created.
NOTE: The Time Zone column is empty for sessions recorded before updating to the current version of Ekran System.
To filter the sessions in the list (which can be filtered by multiple filters at once):
• Click the required filter (Who, When, or Where) at the top of the page, and specify the required filtering criteria.
NOTE: When filtering by the Who filter, the default value is to only display the first 1,500 session records. This value can be modified by adding the SessionsFilteredByUserMaxCount key to the EkranServer.Settings.config file and changing its value (specified as the number of sessions to be displayed, e.g. <add key="SessionsFilteredByUserMaxCount" value="10000" />) as required. The .config file can be found in the C:\Program Files\Ekran System\Ekran System\Server folder on the computer where the Application Server is installed.
• Optionally, click the More criteria button to add additional filters to the top of the page (from the list of additional filters displayed).
To search the sessions in the list:
• Enter a keyword (or part of a keyword) into the Search by field (in the top right of the page), and then click the Search ( ) icon (on the right) or press Enter.
• Click the button (on the right of the Search by field), and then select any of the following options:
- Browse keywords: To upload a .txt file containing the search keywords (separated by semicolons).
- Search in First (10, 100, 500, 1000, or all sessions): To select the number of most recent sessions to search in.
- Search in output (Linux) checkbox: To include Linux command output in the search.
- Search keystrokes: To include keystrokes in the search.
To update the sessions list, click the Refresh (
) button.To sort the sessions in the list, click the required column header, and the column sort order can be changed from descending to ascending, or vice versa, by clicking the column header again, as indicated by the up/down arrow icon in the column header (where the session list can only be sorted by one column at a time).
NOTE: If the data cannot be sorted by a column, the up/down arrow is not shown in the column header after clicking on it.
To adjust the width of the columns, place the cursor over the separator between the required column headers, and drag and drop the separator left or right, as required.
To change the number of session records displayed per page, select the required option on the Results on page drop-down list (in the bottom right of the page).
To export the sessions displayed in the list (including after filtering), click on the
icon on the right of the Client Sessions tab, and on Export Filtered Sessions drop-down menu that opens, select the required option (either Export to CSV or Forensic Export).