Replaying audit trails with Audit Player

PSM records information about the passing sessions into its connection database. Session information can be displayed online from the PSM web interface (for details, see Chapter 16, Using the Search (classic) interface and Section 16.1, Searching audit trails — the PSM connection database). The Audit Player (AP) is a desktop application that can replay recorded audit trails, much like a media player replays movie files.


You can replay audit trails in the following ways: in your browser, using the Audit Player application, or using the Balabit Desktop Player application. Note that there are differences between these solutions.

Audit Player Browser Balabit Desktop Player
Works without installation - -
Works on any operating system Windows Windows, Linux
Can replay audit trails recorded with PSM 5 F4 and newer -
Can replay TN5250 sessions -
Can extract files from SCP, SFTP, and HTTP sessions -
Can replay HTTP sessions -
Can replay X11 sessions
Can start replay while rendering is in progress -
Can follow 4-eyes connections -
Can replay live streams in follow mode -
Can export to PCAP -
Can search in the trail content -
Can display user input
Can display subtitles for video - -
Export audit trail as video - -
Export screen content text - -

For details on the Audit Player application, see Procedure E.1.1, Installing the Audit Player application, Procedure E.2.3, Replaying SCP and SFTP sessions, and Procedure E.2.4, Replaying HTTP sessions.

To replay audit trails in your browser in Search (classic), see Procedure 16.1.2, Replaying audit trails in your browser in Search (classic).

For details on the Balabit Desktop Player application, see Balabit Desktop Player User Guide.

AP is available for the following 32-bit and 64-bit platforms:

  • Microsoft Windows XP

  • Windows Server 2003

  • Windows Vista

  • Windows Server 2008

  • Windows 7

  • Windows 8

  • Windows 8.1

  • Windows Server 2012

  • Windows Server 2016

The minimum resolution requirement for AP is at least 1024x600.

The AP application can currently replay the following session types:

  • SSH terminal sessions

  • Remote X11 sessions forwarded within the SSH traffic. Note that not the entire desktop is displayed, only the windows of the remotely-accessed application.

  • The Drawing channel (that is, the desktop) of RDP sessions (except for remote desktops that use the Aero graphical interface)

  • Telnet and TN3270 terminal sessions

  • VNC sessions

  • SCP sessions

  • SFTP sessions

  • HTTP sessions

The following sections explain in detail how to install and use the Audit Player:

Audit Player is only supported on the feature set of PSM 4 LTS.