Replay encrypted audit trails
 
The following describes how to replay an encrypted audit trail. To replay encrypted audit trails using the command line, see Replay encrypted audit trails from the command line.
Prerequisites:
- To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trail must be available on the host running the Safeguard Desktop Player. On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Current User > Personal Certificate Store.
- To validate digitally-signed audit trails, the respective CA certificates that issued the certificates used to sign the audit trail must be available on the host running the Safeguard Desktop Player. (This is the CA of the certificates set at Policies > Audit policies > Enable signing on the SPS interface.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
- To validate timestamped audit trails, the CA certificate of SPS must be available on the host running the Safeguard Desktop Player. (This is the CA certificate of SPS set at Basic Settings > Management > SSL Certificates > CA X.509 Certificate.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
The certificates and the private keys must be available as a file in PEM format; other formats are not supported. Note that on Microsoft Windows, you cannot import CA certificates from a shared drive. In this case, copy the certificate to a local folder and import it from there.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
 
TIP: One Identity recommends using 2048-bit RSA keys (or stronger).
  
To replay an encrypted audit trail
- Open the encrypted audit trail. The Safeguard Desktop Player will attempt to decrypt and validate it. If the decryption or validation fails, the Safeguard Desktop Player notifies you on the screen. Click Warnings to see the fingerprint of the required certificate.
- Import the required certificate. At the top, on the right, click  > Key/Certificate import.
- Click  , then select the certificate file. The certificates and the private keys must be available as a file in PEM format. Other formats are not supported.
- Click Load. The Safeguard Desktop Player displays the details of the certificate.
- Select how you want to store the certificate, then click Import. On Microsoft Windows, you can import the certificates into the Windows Certificate Store and reuse them later. On other platforms, Safeguard Desktop Player stores the certificates only temporarily, and automatically deletes them when you close the application.
  - If you want Safeguard Desktop Player to delete the certificate after you close the application, select Store temporarily only.
  - If you are importing a private key to decrypt an audit trail, select Store as personal certificate.
  - If you are importing a CA certificate to validate the timestamp or signature of the audit trails, select Store as trusted root certificate.
- Repeat the previous steps to import other certificates if needed.
- Click  , then  to start replaying the audit trail.
 
 
Replay encrypted audit trails from the command line 
 
The following describes how to replay an encrypted audit trail using the command line. Use this method if you want to import the private key only temporarily, or if you want to automate the process. To import the required certificates using the graphical interface of Safeguard Desktop Player, see Replay encrypted audit trails.
Prerequisites:
- To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trail must be available on the host running the Safeguard Desktop Player. On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Current User > Personal Certificate Store.
- To validate digitally-signed audit trails, the respective certificates that issued the certificates used to sign the audit trail must be available and valid on the host running the Safeguard Desktop Player. (This is the certificate set at Policies > Audit policies > Enable signing on the SPS interface.) On Microsoft Windows, the Safeguard Desktop Player can validate this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities. Note that in case of certificate chains, the whole chain must be imported in this Certificate Store.
- To validate timestamped audit trails, the CA certificate of SPS must be available on the host running the Safeguard Desktop Player. (This is the CA certificate of SPS set at Basic Settings > Management > SSL Certificates > CA X.509 Certificate.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
The certificates and the private keys must be available as a file in PEM format; other formats are not supported. Note that on Microsoft Windows, you cannot import CA certificates from a shared drive. In this case, copy the certificate to a local folder and import it from there.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
 
TIP: One Identity recommends using 2048-bit RSA keys (or stronger).
  
To replay an encrypted audit trail using the command line
- Start a command prompt and navigate to the installation directory of Safeguard Desktop Player. By default, it is C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\ on Microsoft Windows platforms, ~/SafeguardDesktopPlayer on Linux, and /Applications/Safeguard Desktop Player.app/Contents/Resources/ on macOS.
- If the private key is password-protected, execute the following command:
    player --key <path\to\your\private-key.pem>:<password-to-the-private-key>
  For example, if the private key file is C:\temp\my-key.pem and its password is secret, the command is:
    player --key C:\temp\my-key.pem:secret
  Otherwise, use the following command:
    player --key <path\to\your\private-key.pem>
- If the audit trail is timestamped or signed, you must have the proper certificate to validate the audit trail. Include the path to the certificate in the command line when starting the Safeguard Desktop Player:
    player --cert <path\to\the\certificate.pem> --key <path\to\your\private-key.pem>:<password-to-the-private-key>
- Open the encrypted audit trail. The Safeguard Desktop Player will attempt to decrypt it with the private key you provided. If decryption is successful, you can replay the audit trail. Alternatively, you can specify the audit trail to open from the command line, for example:
    player --cert <path\to\the\certificate.pem> --key <path\to\your\private-key.pem>:<password-to-the-private-key> <path\to\audit-trail.zat>
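The command-line procedure above, as an added example that is not part of the original documentation or the product's own code: a POSIX shell helper for Linux or macOS that checks that the key and certificate files are PEM, picks between the two --key forms depending on whether the key is encrypted, and builds the player arguments. The function names and the PLAYER and PLAYER_KEY_PASSWORD variables are assumptions of this example. A password passed as --key <file>:<password> is visible in the process argument list and, when typed, in shell history, so the helper takes it from the environment instead of hard-coding it.

```shell
# Added example; PLAYER and PLAYER_KEY_PASSWORD are hypothetical names, not product settings.

# pem_kind FILE -> encrypted-key | plain-key | certificate | not-pem
pem_kind() {
    if [ ! -r "$1" ]; then echo not-pem; return 1; fi
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key
    elif grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"; then
        echo plain-key
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    else
        echo not-pem; return 1
    fi
}

# player_args KEY [CERT] [TRAIL] -> arguments for player, one per line
player_args() {
    key=$1; cert=$2; trail=$3
    case $(pem_kind "$key") in
        encrypted-key)
            # From the environment, not the script; still visible in player's argument list.
            [ -n "${PLAYER_KEY_PASSWORD:-}" ] ||
                { echo "set PLAYER_KEY_PASSWORD for $key" >&2; return 2; }
            keyarg="$key:$PLAYER_KEY_PASSWORD" ;;
        plain-key) keyarg=$key ;;
        *) echo "$key: not a PEM private key" >&2; return 1 ;;
    esac
    # Warn when the private key file is readable by group or others.
    [ -z "$(find "$key" \( -perm -040 -o -perm -004 \))" ] ||
        echo "warning: $key is readable by other users" >&2
    if [ -n "$cert" ]; then
        [ "$(pem_kind "$cert")" = certificate ] ||
            { echo "$cert: not a PEM certificate" >&2; return 1; }
        printf '%s\n' --cert "$cert"
    fi
    printf '%s\n' --key "$keyarg"
    [ -z "$trail" ] || printf '%s\n' "$trail"
}

# replay KEY [CERT] [TRAIL]: run player; split on newlines so spaces in paths survive
replay() {
    args=$(player_args "$@") || return
    oldifs=$IFS; IFS='
'
    set -f; set -- $args; set +f; IFS=$oldifs
    "${PLAYER:-./player}" "$@"
}
```

Run replay from the installation directory, for example with PLAYER_KEY_PASSWORD read by a prompt that does not echo, and unset the variable afterwards.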
 
Replay audit files in follow mode 
 
The following describes how to follow active connections in semi-real time.
Prerequisites:
To be able to follow active connections, you must be permitted to authorize the sessions of the relevant connection policy. For details on how you can configure that, see "Configuring four-eyes authorization" in the Administration Guide.
Every time you open an .srs file in Safeguard Desktop Player for replay, you are required to authenticate yourself to SPS through the user interface of Safeguard Desktop Player. To be able to access SPS and follow active sessions, you must have:
On Microsoft Windows, the Safeguard Desktop Player retrieves the SSL certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
On Linux or macOS, import the SSL certificate to Safeguard Desktop Player by completing the following steps:
- In SPS, navigate to Basic Settings > Management > SSL certificates.
- Click the certificate in the CA X.509 certificate field.
- In the pop-up window that comes up, click PEM. This will download the CA's X.509 certificate in PEM format. The certificate must be available as a file in PEM format; other formats are not supported.
- In Safeguard Desktop Player, click  at the top, on the right. Select Key/Certificate import.
- Click  , then select the certificate PEM file that you downloaded from SPS.
- Click Load. The Safeguard Desktop Player displays the details of the certificate.
- Click Import.
 
To follow active connections in semi-real time
- On the web interface of SPS, go to Active Connections, and click  next to the connection you wish to monitor in semi-real time.
- In the Safeguard Desktop Player application, click OPEN, and select the audit trail to replay. Safeguard Desktop Player displays the sessions stored in the audit trail file.
  - Red blinking light. When the red blinking light is displayed, it indicates an ongoing, active connection. When neither the LIVE label and icon nor the red blinking light are displayed, it indicates that the connection has ended.
  - LIVE status indicator. The indicator shows three different states:
    - When it is completely red, it indicates that the connection is active and there is some user interaction on the client.
    - When the LIVE label is red but the icon is half red, half black, it indicates that the connection is active but there is no user interaction on the client.
    - When neither the LIVE label and icon nor the red blinking light are displayed, it indicates that the connection has ended.
  - File size. Displays the size of the .zat file loaded. In the case of an active, live connection, the size continuously increases.
 
- Click the thumbnail to start replaying the audit file. Alternatively, click the  icon next to the channel you want to replay.
- The replay window opens.
  - Terminate. Terminate the session you are monitoring if you notice some user action that poses a security risk.
  - LIVE status indicator. The indicator shows two different states:
    - When the Safeguard logo is animated, it indicates that the connection is active and there is some user interaction on the client.
    - When the Safeguard logo is static, it indicates that the connection is active but there is no user interaction on the client.
    The color of LIVE indicates whether the displayed frame is live (blue) or an earlier frame (gray). If you stopped the playback or rewound it, return to the live stream by clicking on LIVE.
  TIP: When you are replaying terminal-based audit trails, for example, SSH or TELNET, you can change the font size of the displayed text by holding down the Ctrl key and scrolling your mouse wheel.
  When the session ends, a  button is displayed. On clicking this button, the player reverts to "normal" replay mode, with options such as changing replay speed, or the seeker becoming available again.
 
 
Search in the content of the current audit file 
 
Safeguard Desktop Player allows you to search in the contents of the recorded audit trails, for example, in commands that the user executed in the session, or to find a specific text that was displayed on the screen. 
You can also search in the contents of audit trails of graphical sessions that were created and indexed with SPS 6.0.
To search in the content of an audit file
- In the Safeguard Desktop Player application, click OPEN, and select the audit trail to replay. If the audit trail is encrypted, see Replay encrypted audit trails. Safeguard Desktop Player displays the sessions stored in the audit trail file.
- Click SEARCH and enter your search keywords into the Search in content field. Note that Safeguard Desktop Player creates the index of the content when opening the file, and searching is disabled until creating the index is finished. Depending on the length of the audit trail, this can take several minutes. Safeguard Desktop Player displays the search results and highlights the periods of the audit trail when the search keywords were visible. For details on the search syntax, see Search query examples. Click  to replay the audit trail. To search while replaying an audit trail, click the magnifying glass icon.