16.1.2. Procedure – Replaying audit trails in your browser



You can replay audit trails in the following ways: in your browser, using the Audit Player application, or using the Balabit Desktop Player application. Note that there are differences between these solutions.

Audit Player Browser Balabit Desktop Player
Works without installation - -
Works on any operating system Windows Windows, Linux
Can replay TN5250 sessions -
Can extract files from SCP and SFTP sessions - From the command line
Can replay HTTP sessions - Only exports raw files from the command line
Can start replay while rendering is in progress -
Can follow 4-eyes connections -
Can replay live streams in follow mode -
Can export to PCAP - -
Can search in the trail content -
Can display user input -
Export audit trail as video - -

For details on the Audit Player application, see Procedure 17.1.1, Installing the Audit Player application, Procedure 17.2.3, Replaying SCP and SFTP sessions, and Procedure 17.2.4, Replaying HTTP sessions.

To replay audit trails in your browser, see Procedure 16.1.2, Replaying audit trails in your browser.

For details on the Balabit Desktop Player application, see Balabit Desktop Player User Guide.


Even though the PSM web interface supports Internet Explorer and Microsoft Edge in general, to replay audit trails you need to use Internet Explorer 11, and install the Google WebM Video for Microsoft Internet Explorer plugin. If you cannot install Internet Explorer 11 or another supported browser on your computer, use the Audit Player or the Balabit Desktop Player application (for details, see Chapter 17, Replaying audit trails with Audit Player). For details, see Procedure 16.1.2, Replaying audit trails in your browser.

To replay an audit trail in your browser, complete the following steps.


  1. On the Search > Search page, find the audit trail you want to replay.

    Figure 16.7. Search > Search — Browse the connections database

    Search > Search — Browse the connections database
  2. Optional step: To replay encrypted audit trails, upload your permanent or temporary keys to the User menu > Private keystore. For more information, see Procedure 16.1.3, Replaying encrypted audit trails in your browser.

  3. Click to display the details of the connection.

  4. Click to generate a video file from the audit trail that you can replay. Depending on the load of the indexer and the length and type of the audit trail, this can take several minutes (to cancel processing the audit trail, click ). The Video status field shows the progress of the this process.

    When the video is available, changes to .

    Figure 16.8. Search > Search — Audit trail details

    Search > Search — Audit trail details
  5. To replay the video, click . The Player window opens.

  6. The Player window has the following controls.

    Figure 16.9. Replaying audit trails in your browser

    Replaying audit trails in your browser
    1. : Play, Pause

    2. , : Jump to previous event, Jump to next event

    3. : Adjust replay speed

    4. : Time since the audit trail started / Length of the audit trail. Click on the time to show the date (timestamp) of the audit trail.

    5. : List of keyboard events. Special characters like ENTER, F1, and so on are displayed as buttons. If the upstream traffic is encrypted, upload your permanent or temporary keys to the User menu > Private keystore to display the keyboard events.

    6. : Active mouse button

    7. : Create a screenshot

    8. : Show / hide events. Select the types of events to display. Depending on the protocol used and how the audit trail was processed, PSM can display keyboard events, commands, mouse events, and window titles. Commands and window titles are displayed as subtitles at the top of the screen.

    9. : Fullscreen mode

    10. : Progress bar

    11. : Shows the distribution of events. Blue - commands, green - keyboard events, yellow - mouse events, orange - window title.

    12. : Close the player, and return to the Connection details page.