Chapter 17. Replaying audit trails with Audit Player

PSM records information about the sessions that pass through it in its connection database. Session information can be displayed online from the PSM web interface (for details, see Chapter 16, Browsing and replaying audit trails on PSM and Section 16.1, Searching audit trails — the PSM connection database). The Audit Player (AP) is a desktop application that can replay recorded audit trails, much like a media player replays movie files.

Warning

You can replay audit trails in the following ways: in your browser, using the Audit Player application, or using the Balabit Desktop Player application. Note that there are differences between these solutions.

Audit Player Browser Balabit Desktop Player
Works without installation - -
Works on any operating system Windows Windows, Linux
Can replay TN5250 sessions -
Can extract files from SCP and SFTP sessions - From the command line
Can replay HTTP sessions - Only exports raw files from the command line
Can start replay while rendering is in progress -
Can follow 4-eyes connections -
Can replay live streams in follow mode -
Can export to PCAP - -
Can search in the trail content -
Can display user input -
Export audit trail as video - -

For details on the Audit Player application, see Procedure 17.1.1, Installing the Audit Player application, Procedure 17.2.3, Replaying SCP and SFTP sessions, and Procedure 17.2.4, Replaying HTTP sessions.

To replay audit trails in your browser, see Procedure 16.1.2, Replaying audit trails in your browser.

For details on the Balabit Desktop Player application, see Balabit Desktop Player User Guide.

AP is available for the following 32-bit and 64-bit platforms:

  • Microsoft Windows XP

  • Windows Server 2003

  • Windows Vista

  • Windows Server 2008

  • Windows 7

  • Windows 8

  • Windows 8.1

  • Windows Server 2012

  • Windows Server 2016

AP requires a screen resolution of at least 1024x600.

The AP application can currently replay the following session types:

  • SSH terminal sessions

  • Remote X11 sessions forwarded within the SSH traffic. Note that only the windows of the remotely accessed application are displayed, not the entire desktop.

  • The Drawing channel (that is, the desktop) of RDP sessions (except for remote desktops that use the Aero graphical interface)

  • Telnet and TN3270 terminal sessions

  • VNC sessions

  • SCP sessions

  • SFTP sessions

  • HTTP sessions

The following sections explain in detail how to install and use the Audit Player:

Audit Player is only supported on the feature set of PSM 4 LTS.