17.2.2. Procedure – Replaying a session with the Audit Player

Purpose: 

To replay a session, complete the following steps:

Figure 17.1. Replaying an audit trail

Steps: 

  1. Open an audit trail to replay using one of the following methods:

    • Start the Audit Player application. Select File > Add Audit Trail and select an audit trail file.

    • Double-click on the audit trail file in Windows Explorer. Note that this method does not work when the filename or pathname of the audit trail contains accented characters and the operating system does not natively support them (for example, opening a file called ellenőrzött-adminisztrátori-kapcsolat.zat will fail on Windows using an English locale).

    AP opens the file and displays the sessions stored in the file in the Project Trails panel.

    Note

    To open multiple audit trails, use the Shift and the Control keys.

    If the audit trail is encrypted, you must import the private key of the certificate used to encrypt the audit trail before trying to replay the audit trail. For details, see Section 17.3.3, Replaying and processing encrypted audit trails.

    Audit trail files have the .log or .zat extension. The filename has the format audit-scb-protocolname-timestamp-sequencenumber.

  2. Double-click on the stream you want to replay. The session will be displayed in a new window.

  3. Wait until AP processes the stream. The progress of the processing is indicated on the timeline as an orange bar. Click Play.

    Figure 17.2. Displaying user input

    • To adjust the replaying speed, adjust the Replay Speed option.

      Starting with Audit Player version 2012.1, the replay speed can be set to live. In live mode, AP replays the audit trail fast, skipping idle periods, and reverts to real-time replay when reaching the end of the current trail. This is the default replay mode for replaying live streams (clicking Follow in the PSM web interface).

    • To display the characters (for example commands, passwords, and so on) that the user typed in the session, enable Show user input. The available keyboard layouts are: English, French, German, Hungarian and Russian. The user input will be displayed above the time bar. Note that the appropriate decryption keys are needed to display the user input if the upstream traffic is encrypted with a different set of certificates.

    • To scale the rendered image to the actual window size, enable Auto scale. It is available for ICA, RDP, VNC and X11 protocols.

    • To view the replayed audit trail in full screen mode, double-click on the replay window, or press F11. When in full screen mode, Auto scale and Show user input settings cannot be changed.

    Tip

    The following hotkeys are available during playback:

    • Page Up / Page Down: Jump forward/backward one fifth of the stream.

    • Home / End: Jump to the beginning/end of the stream.

    • Left / Right: Jump forward/backward one tenth of the stream.

    • Up / Down: Jump to the previous/next audit trail.

    • F11: Toggle full screen mode.

    Tip

    To export a session into packet capture (PCAP) format, select the session, then select Export to PCAP from the local menu.
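
    The following added example (not part of the Audit Player documentation or product) relates to Step 1: it parses audit trail filenames according to the naming scheme above and flags paths that may fail to open by double-click. It assumes that "not natively supported" means the path cannot be encoded in the system's ANSI code page (cp1252 for an English locale); the function names, sample paths and timestamp values are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Naming scheme from the text: audit-scb-protocolname-timestamp-sequencenumber
# with a .log or .zat extension. Assumption: the protocol name and sequence
# number contain no hyphen; the timestamp is kept as an opaque string.
TRAIL_RE = re.compile(
    r"^audit-scb-(?P<protocol>[^-]+)-(?P<timestamp>.+)-(?P<sequence>[^-]+)"
    r"\.(?P<ext>log|zat)$"
)


def encodable(path, codepage):
    """Return True if every character of the path exists in the code page."""
    try:
        path.encode(codepage)
        return True
    except UnicodeEncodeError:
        return False


def check_trail(path, codepage="cp1252"):
    """Classify one audit trail path before it is opened by double-click."""
    name = PureWindowsPath(path).name
    match = TRAIL_RE.match(name)
    return {
        "path": path,
        # Parsed name fields, or None if the file was renamed from the scheme.
        "fields": match.groupdict() if match else None,
        # Assumed proxy for "natively supported": fits the ANSI code page.
        "double_click_ok": encodable(path, codepage),
    }


# Constructed sample paths (timestamps and sequence numbers are made up).
SAMPLES = [
    r"C:\trails\audit-scb-ssh-1325376000-0.zat",
    r"C:\trails\ellenőrzött-adminisztrátori-kapcsolat.zat",
    r"C:\őrzött\audit-scb-rdp-1325376000-12.log",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_trail(sample)
        how = "double-click" if result["double_click_ok"] else "File > Add Audit Trail"
        print(f"{sample}: open via {how}; fields={result['fields']}")
```

    Passing codepage="cp1250" models a Hungarian locale, where the documentation's example filename is encodable.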