When you open an audit trail, the Safeguard Desktop Player application automatically validates it. You can see the results of this validation above the session details.
- is displayed if the audit trail is valid.
- is displayed if the timestamp or the signature is invalid, or the Safeguard Desktop Player could not decrypt the downstream traffic.
- DOWNSTREAM
  - : The downstream traffic is available and can be replayed.
  - : The downstream traffic is encrypted and you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.
- UPSTREAM
  - : The upstream traffic is available and can be replayed.
  - : The upstream traffic is encrypted and you do not have the decryption key. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.
- SIGNATURE
  - : The trail is signed and the signature is valid.
  - : The Safeguard Desktop Player could not validate the signature. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.
  - : The audit trail is not signed.
- TIMESTAMP
  - : The trail is timestamped and the timestamp is valid.
  - : The Safeguard Desktop Player could not validate the timestamp. Click Warnings to see the fingerprint of the required certificate, and see Replay encrypted audit trails to import it.
  - : The audit trail is not timestamped.
The following describes how to replay an unencrypted audit trail.
To replay an encrypted audit trail, see Replay encrypted audit trails.
Prerequisites:
The audit trail must be available on the computer running the Safeguard Desktop Player, or you must access it on the SPS search interface from a browser on the computer running the Safeguard Desktop Player. You can use the SPS Search page to download an audit trail.
To replay an unencrypted audit trail
- Open an audit trail to replay. Use one of the following methods:
  - Start the Safeguard Desktop Player application from the menu or the command line, then click OPEN. Select the audit trail you want to replay.
  - Navigate to the audit trail file in a file explorer (for example, Windows Explorer), and double-click it.
- The Safeguard Desktop Player application displays the details of the sessions stored in the audit trail file. It automatically starts to prepare (render) the audit trail for replay. You can start replaying the audit trail while rendering is in progress; this is especially useful for long audit trails.
  To start playing the audit trail, click the thumbnail at the top, on the left. If the audit trail contains more than one channel that can be replayed, select the channel to replay. Alternatively, click the icon next to the channel you want to replay.
- The replay window opens.
  You can use the following hotkeys to control the replay:
  - Play/Pause: SPACE
  - Jump to previous event: p
  - Jump to next event: n
  - Enable video scaling (Scale video): Ctrl+Z
  - Toggle fullscreen replay: f
  - Decrease replay speed: [
  - Increase replay speed: ]
  - Reset replay speed: =
  - Jump backward, short, medium, long: Shift + Left Arrow, Alt + Left Arrow, Ctrl + Left Arrow
  - Jump forward, short, medium, long: Shift + Right Arrow, Alt + Right Arrow, Ctrl + Right Arrow
  - Search in trail content: Ctrl + F
- To configure the visibility of seeker indicators for events, click . The Configure seeker indicators panel pops up:
Use the sliders to toggle between displaying and not displaying seeker indicators for a particular event type. By default, all indicators are on.
TIP: Indicator colors represent the importance of events. The darker the color, the more important the event is. In decreasing order of importance, the colors are: dark blue > light blue > white. Classifying events this way is required so that when events overlap, there is a clear guideline as to which one of the overlapping events is shown on the seeker. It is always the more important event that will have its indicator displayed.
In the case of the white indicators, which stand for on-screen changes, the degree of transparency signifies the volume of the change that occurred as compared to the previous on-screen change. Small changes are partly transparent white, while bigger ones are fully opaque white.
| Event category | Event type | Description | Protocols | Indicator color |
|---|---|---|---|---|
| Application events | Commands | Commands executed in the session-shell channel of SSH connections, or in Telnet connections. | For terminal-based protocols | Dark blue |
| Application events | Window titles | Text appearing as window titles in the case of RDP, Citrix ICA, VNC, and X11 connections. This option is only displayed in the case of graphical protocols. | For graphical protocols | Dark blue |
| User interaction | Keystroke | Keystrokes in the session-shell channel of SSH connections, or in Telnet connections. | For all protocols | Light blue |
| User interaction | Mouse activity | Any mouse activity (clicking, scrolling, or mouse movement) in the case of RDP, Citrix ICA, and VNC connections. | For all protocols | Light blue |
| Other | On-screen changes | Any change that occurred on the screen. | For all protocols | White |
You can jump to interesting events by:
- To display subtitles for the audit trail, click . By default, subtitles are not displayed.
Subtitles indicate application events (commands and window titles) and user interaction events (keystrokes and mouse activity) in the form of captions, using the colors of the event indicators.
Subtitles are generated for all audit trails.
When exporting audit trails as video files, you can choose to include the subtitles as well. For details, see Export the audit trail as video.
Selecting a keyboard layout for the subtitle in RDP and ICA trails
For RDP and ICA trails, you can select a keyboard layout depending on the language used in the trail and recreate the subtitle of the trail.
This is required because subtitles are generated using an English keyboard layout by default, which can create inaccuracies for some languages with non-English characters.
Figure 1: Subtitles — Selecting a keyboard layout in RDP and ICA trails
Replay encrypted audit trails
The following describes how to replay an encrypted audit trail. To replay encrypted audit trails using the command line, see Replay encrypted audit trails from the command line.
Prerequisites:
- To replay encrypted audit trails, the private key of the certificate used to encrypt the audit trail must be available on the host running the Safeguard Desktop Player. On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Current User > Personal Certificate Store.
- To validate digitally-signed audit trails, the respective CA certificates that issued the certificates used to sign the audit trail must be available on the host running the Safeguard Desktop Player. (This is the CA of the certificates set at Policies > Audit policies > Enable signing on the SPS interface.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
- To validate timestamped audit trails, the CA certificate of SPS must be available on the host running the Safeguard Desktop Player. (This is the CA certificate of SPS set at Basic Settings > Management > SSL Certificates > CA X.509 Certificate.) On Microsoft Windows, the Safeguard Desktop Player can retrieve this certificate from Windows Certificate Store > Local Computer > Trusted Root Certification Authorities.
The certificates and the private keys must be available as a file in PEM format. Other formats are not supported. Note that on Microsoft Windows, you cannot import CA certificates from a shared drive. In this case, copy the certificate to a local folder and import it from there.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
One Identity recommends using 2048-bit RSA keys (or stronger).
To replay an encrypted audit trail
- Open the encrypted audit trail. The Safeguard Desktop Player will attempt to decrypt and validate it. If the decryption or validation fails, the Safeguard Desktop Player notifies you on the screen. Click Warnings to see the fingerprint of the required certificate.
- Import the required certificate. At the top, on the right, click > Key/Certificate import.
- Click , then select the certificate file. The certificates and the private keys must be available as a file in PEM format. Other formats are not supported.
- Click Load. The Safeguard Desktop Player displays the details of the certificate.
- Select how you want to store the certificate, then click Import. On Microsoft Windows, you can import the certificates into the Windows Certificate Store and reuse them later. On other platforms, Safeguard Desktop Player stores the certificates only temporarily, and automatically deletes them when you close the application.
  - If you want Safeguard Desktop Player to delete the certificate after you close the application, select Store temporarily only.
  - If you are importing a private key to decrypt an audit trail, select Store as personal certificate.
  - If you are importing a CA certificate to validate the timestamp or signature of the audit trails, select Store as trusted root certificate.
- Repeat the previous steps to import other certificates if needed.
- Click , then to start replaying the audit trail.
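A pre-import check for the files used in the procedure above, as an added example that is not part of the One Identity documentation: it confirms that a file is PEM, reports whether it carries a private key, and compares its certificate fingerprints with the one copied from Warnings. The digest behind the fingerprint shown by the player is not stated on this page, so computing both SHA-1 and SHA-256 is an assumption; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

# PEM armor: -----BEGIN <label>----- base64 body -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

# Constructed sample: placeholder bytes in PEM armor, not a real certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n").encode()


def fingerprint(der, algorithm):
    """Colon-separated uppercase hex digest of a certificate's DER bytes."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_pem(data):
    """Report if a file is PEM, which certificates it holds, and if it has a key."""
    report = {"is_pem": False, "certificates": [], "has_private_key": False}
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return report  # binary input (DER, PKCS#12): the player needs PEM
    for label, body in PEM_BLOCK.findall(text):
        report["is_pem"] = True
        if label == "CERTIFICATE":
            der = base64.b64decode("".join(body.split()), validate=True)
            report["certificates"].append(
                {"sha1": fingerprint(der, "sha1"),
                 "sha256": fingerprint(der, "sha256")})
        elif label in KEY_LABELS:
            report["has_private_key"] = True
    return report


def holds_required_cert(report, shown):
    """Compare a fingerprint copied from Warnings, ignoring case and separators."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", shown).upper()
    return any(wanted in (c["sha1"].replace(":", ""), c["sha256"].replace(":", ""))
               for c in report["certificates"])


if __name__ == "__main__":
    print(inspect_pem(SAMPLE_PEM))
```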