
One Identity Safeguard for Privileged Sessions 6.10.0 - Safeguard Desktop Player User Guide


Getting started with the Safeguard Desktop Player

Figure 1: Safeguard Desktop Player > Details page

  1. Play the audit trail

    Click the thumbnail at the top, on the left, or click in the Channels section of the screen. To play an encrypted audit trail, you need to have the appropriate certificates. For details, see "Replay encrypted audit trails" in the Safeguard Desktop Player User Guide.

  2. Audit trail data

    The most important data about the audit trail, including usernames (if available) and IP addresses. To display more metadata about a specific channel in the audit trail, click in the list of channels. These details include the parameters available on the SPS Search page (for details, see "Using the Search interface" in the Administration Guide), and other parameters, for example, the size of the desktop or the terminal.

  3. Date of the recording

    Starting date and duration.

  4. Location of the audit trail file

    Click the path to open the folder in your file manager.

  5. Validation results

    When you open an audit trail, the Safeguard Desktop Player checks if you can access both the upstream and downstream traffic from the audit trail (you must have access at least to the downstream traffic to replay the audit trail), and validates the digital signature and the timestamp. The icon means that the trail is not signed or timestamped. For details, see "Validate audit trails" in the Safeguard Desktop Player User Guide.

  6. Terminal encoding

    When you are replaying terminal-based audit trails, for example, SSH or TELNET, you can set the character encoding of the displayed text. After changing the encoding, click Re-render trail.

  7. Replay only this channel

    Click .

  8. Export the audit trail into a video file

    The exported files use the WEBM format with the VP8 codec. For details, see "Export the audit trail as video" in the Safeguard Desktop Player User Guide.

  9. Warnings and errors

    Warnings and errors that occurred during opening and processing the audit trail file.

  10. Settings

    You can:

    • Import the required certificate to replay an encrypted audit trail. For more information, see Replay encrypted audit trails.

    • Open Preferences, which you can use to set the application language, select a keyboard layout, select how you want to display the window title events on the seeker and in subtitles, and so on. For more information, see Preferences for the Safeguard Desktop Player.

    • Open the documentation in your browser.

  11. Search in trail content

    Search in the contents of the current audit trail, for example, in commands that the user executed in the session, or to find a specific text that was displayed on the screen. Available only for terminal sessions. For details, see Search in the content of the current audit file.

  1. Play/pause replay

    Start or stop replaying the audit trail. You can also click the video to start or stop replaying.

  2. Jump to previous event

    User events that occurred in the session (such as window titles that appeared on the screen, commands executed, mouse activity, keystrokes) are marked in the seeker. Click this button to jump to the previous event.

  3. Jump to next event

    User events that occurred in the session (such as window titles that appeared on the screen, commands executed, mouse activity, keystrokes) are marked in the seeker. Click this button to jump to the next event.

  4. Current time and timestamp

    Time elapsed since the beginning of the audit trail, and the corresponding date.

  5. End time and timestamp

    Length of the audit trail and the date when the session ended.

  6. Change replay speed

  7. Seek preview

    Click the seeker to jump to a specific location in the audit trail.

  8. Scale video

    When enabled, the replayed audit trail is resized to fit the window. Clear to show the original size. You can also double-click on the video to toggle resizing.

  9. Back to the summary page

    Open the summary page of the audit trail.

  10. Configure seeker indicators

    Click to configure the visibility of indicators for user events on the seeker. Seeker indicators show on a single timeline the user events that occurred during a session. Clicking a seeker indicator takes you to the relevant user event in the audit trail. User events are window titles that appeared on the screen, commands executed, mouse activity, keystrokes, and any on-screen change.

  11. Display subtitles

    Click to display subtitles for the video. Subtitles list user events as they occurred in the session. Events that are shown in subtitles are window titles that appeared on the screen, commands executed, mouse activity, and keystrokes.

  12. Search in trail content

    Search in the contents of the current audit trail, for example, in commands that the user executed in the session, or to find a specific text that was displayed on the screen. Available only for terminal sessions. For details, see Search in the content of the current audit file.

Preferences for the Safeguard Desktop Player

To configure your global preferences, for example, the application language, keyboard layout, and so on, for the Safeguard Desktop Player, navigate to (Settings) > Preferences.

Figure 2: Settings > Preferences

Language
  • Safeguard Desktop Player application language: Set the preferred language for the menus, buttons, and other controls of your Safeguard Desktop Player.

    For the changes to take effect, close and restart the Safeguard Desktop Player application.

Graphical protocols
  • Keyboard layout: In some cases, RDP and ICA audit trails do not contain their specific keyboard layouts. To avoid misspellings in the subtitles, you can set your specific layout for all your audit trails.

    For each individual audit trail, you can still override these global settings from the Details page of the Safeguard Desktop Player, as shown in the example figure below:

    Figure 3: Safeguard Desktop Player > Details page > Changing the keyboard layout for individual RDP or ICA audit trails

  • Window title: Select how you want to display the window title events on the seeker and in subtitles.

    • If your audit trails are indexed, select Only indexed trails (faster). Indexed audit trails already contain the window titles, and the process of displaying the window titles is faster.

    • If you are unsure if your audit trails are indexed, select Always. Safeguard Desktop Player detects if your audit trails are indexed. If no indexed audit trail is available, Safeguard Desktop Player will start indexing the audit trails automatically.

    • If your audit trails are not indexed, select Forced detection (slower). The audit trail will be re-indexed regardless of whether it had been indexed before, and as a result, the process of displaying the window titles is slower.

    • If you do not want to display window titles, select Never.

Terminal-based protocols
  • Terminal encoding: The character encoding of the displayed text on terminal-based audit trails, for example, SSH, Telnet or Sudo iolog. This selection will be your default encoding.

    For each individual audit trail, you can still override these global settings from the Details page of the Safeguard Desktop Player, as shown in the example figure below:

    Figure 4: Safeguard Desktop Player > Details page > Changing the encoding for individual audit trails

  • Telnet codec: To deal with special characters, you can set the default codec to display text. The SPS default setting for the Telnet codec is 500, and for the Telnet alternate codec it is 310.

Validate audit trails

When you open an audit trail, the Safeguard Desktop Player application automatically validates it. You can see the results of this validation above the session details.

  • is displayed if the audit trail is valid.

  • is displayed if the timestamp or the signature is invalid, or the Safeguard Desktop Player could not decrypt the downstream traffic.

  • DOWNSTREAM

    • : The downstream traffic is available and can be replayed.

    • : The downstream traffic is encrypted and you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.

  • UPSTREAM

    • : The upstream traffic is available and can be replayed.

    • : The upstream traffic is encrypted and you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.

  • SIGNATURE

    • : The trail is signed and the signature is valid.

    • : The Safeguard Desktop Player could not validate the signature. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.

    • : The audit trail is not signed.

  • TIMESTAMP

    • : The trail is timestamped and the timestamp is valid.

    • : The Safeguard Desktop Player could not validate the timestamp. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.

    • : The audit trail is not timestamped.

Replay audit trails

The following describes how to replay an unencrypted audit trail.

To replay an encrypted audit trail, see Replay encrypted audit trails.

Prerequisites:

The audit trail must be available on the computer running the Safeguard Desktop Player, or you must access it on the SPS search interface from a browser on the computer running the Safeguard Desktop Player. You can use the SPS Search page to download an audit trail.

To replay an unencrypted audit trail

  1. Open an audit trail to replay. Use one of the following methods:

    • Start the Safeguard Desktop Player application from the menu or the command line, then click OPEN. Select the audit trail you want to replay.

    • Navigate to the audit trail file in a file explorer (for example, Windows Explorer), and double-click on it.

  2. The Safeguard Desktop Player application displays the details of the sessions stored in the audit trail file. It automatically starts to prepare (render) the audit trail for replay. You can start replaying the audit trail while rendering is in progress, which is especially useful for long audit trails.

    To start playing the audit trail, click the thumbnail at the top, on the left. If the audit trail contains more than one channel that can be replayed, select the channel to replay. Alternatively, click the icon next to the channel you want to replay.

  3. The replay window opens.

    You can use the following hotkeys to control the replay:

    • Play/Pause: SPACE

    • Jump to previous event: p

    • Jump to next event: n

    • Enable video scaling (Scale video): Ctrl+Z

    • Toggle fullscreen replay: f

    • Decrease replay speed: [

    • Increase replay speed: ]

    • Reset replay speed: =

    • Jump backward, short, medium, long: Shift + Left Arrow, Alt + Left Arrow, Ctrl + Left Arrow

    • Jump forward, short, medium, long: Shift + Right Arrow, Alt + Right Arrow, Ctrl + Right Arrow

    • Search in trail content: Ctrl + F

  4. To configure the visibility of seeker indicators for events, click . The Configure seeker indicators panel pops up:

    Use the sliders to toggle between displaying and not displaying seeker indicators for a particular event type. By default, all indicators are on.

    TIP: Indicator colors represent the importance of events. The darker the color, the more important the event is. In decreasing order of importance, the colors are: dark blue > light blue > white. Classifying events this way is required so that when events overlap, there is a clear guideline as to which one of the overlapping events is shown on the seeker. It is always the more important event that will have its indicator displayed.

    In the case of the white indicators, which stand for on-screen changes, the degree of transparency signifies the volume of the change that occurred as compared to the previous on-screen change. Small changes are partly transparent white, while bigger ones are fully opaque white.

    | Event type | Shown on panel | Indicator color |
    |---|---|---|
    | Application events: Commands. Commands executed in the session-shell channel of SSH connections, or in Telnet connections. | For terminal-based protocols | Dark blue |
    | Application events: Window titles. Text appearing as window titles in the case of RDP, Citrix ICA, VNC, and X11 connections. This option is only displayed in the case of graphical protocols. | For graphical protocols | Dark blue |
    | User interaction: Keystroke. Keystrokes in the session-shell channel of SSH connections, or in Telnet connections. | For all protocols | Light blue |
    | User interaction: Mouse activity. Any mouse activity (clicking, scrolling, or mouse movement) in the case of RDP, Citrix ICA, and VNC connections. | For all protocols | Light blue |
    | Other: On-screen changes. Any change that occurred on the screen. | For all protocols | White |

    You can jump to interesting events by:

    • Clicking any of the colored bars on the seeker.

    • Clicking the and buttons.

  5. To display subtitles for the audit trail, click . By default, subtitles are not displayed.

    Subtitles indicate application events (commands and window titles) and user interaction events (keystrokes and mouse activity) in the form of captions, using the colors of the event indicators.

    Subtitles are generated for all audit trails.

    When exporting audit trails as video files, you can choose to include the subtitles as well. For details, see Export the audit trail as video.
