Exporting the audit trail as video
This section describes how to export an audit trail as a video file (optionally, including the accompanying subtitles).
NOTE: To export an audit trail, you must open it.
The exported files use the WEBM format with the VP8 codec. You can replay WebM videos in most modern browsers, and several media player applications. For details, see the Playing WebM Video page.
Prerequisites
To use Internet Explorer, you must install an add-on.
To export an audit trail as a video file
-
Open the audit trail in the Safeguard Desktop Player application.
If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.
-
Click EXPORT > Export video.
-
If the audit trail contains multiple channels that can be replayed, select which channels you want to export.
-
To export the subtitles listing the user events that occurred in the session (window titles that appeared on the screen, commands executed, mouse activity, and keystrokes), select the Subtitle checkbox.
Figure 13: Export options
-
Click 
, and select the directory where you want to save the video file.
-
Click EXPORT.
Exporting the sound from an audit trail
You can enable auditing the sound that is transferred between an RDP client and the server. Using the Export audio option of Safeguard Desktop Player, you can export the input sound (the one that comes from the audited user) and the output sound (the one that is received by the audited user) into .wav files.
Prerequisites
In SPS, using the Channel Policies settings of the RDP Control option, select the Record audit trail checkbox for the Sound and the Dynamic virtual channel in the policy that you want to use for sound auditing.
For more information, see Configuring SPS to enable exporting sound from audit trails in the SPS Administration Guide.
To export the sound from an audit trail
-
Open the audit trail in the Safeguard Desktop Player application.
If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.
-
Click the EXPORT > Export audio... button.
-
In the Select folder window, navigate to the folder where you want to save the exported sound files of the audit trail.
The displayed dialog shows the exported files with their paths. On clicking the paths, the destination folders open. The dialog also lists the errors that occurred during the export. The sound files are saved in the following format:
-
<timestamp>_input.wav
-
<timestamp>_output.wav
Exporting zat and zatx files
Using the Export zat/zatx... option of Safeguard Desktop Player, you can save the trail currently opened to a selected location.
After opening an srs file, you can export its content to a zat or zatx file if all the following criteria are met:
-
The srs file does not belong to a live stream.
-
Safeguard Desktop Player has fully downloaded the content of the srs file.
-
You can replay the content of the srs file.
To export zat or zatx files from an audit trail
-
Open the audit trail in Safeguard Desktop Player.
If the audit trail is encrypted, you need the appropriate decryption keys to open it. For more information, see Replaying encrypted audit trails.
-
Select EXPORT > Export zat/zatx....
-
In the Select folder window, navigate to the folder where you want to save the exported zat or zatx files of the audit trail.
The displayed dialog shows the exported file with the trail.zat or trail.zatx file name.
Sharing an encrypted audit trail
This section describes how to share an encrypted audit trail with a third party.
NOTE: To export an audit trail, you must open it.
-
Export the audit trail as a video file
-
If you want the third party to be able to replay the audit trail with the Safeguard Desktop Player, complete the following steps. Currently you can only do this by using the command line.
Prerequisites
This procedure involves encrypting the audit trail with an encryption key that you can share with the third party. Encrypting audit trails requires an X.509 certificate in PEM format that uses an RSA key.
You will also need the audit trail file that you want to share, and the encryption key(s) required to replay it. You cannot use this procedure to encrypt an audit trail that is not already encrypted.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
TIP: One Identity recommends using 2048-bit RSA keys (or stronger).
To share an encrypted audit trail with a third party
Start a command prompt and navigate to the installation directory of Safeguard Desktop Player.
By default, the installation directories on the different operating systems are the following:
-
On Microsoft Windows platforms: C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\
-
On Linux: ~/SafeguardDesktopPlayer
-
On MacOS: /Applications/Safeguard Desktop Player.app/Contents/Resources/
-
Specify the audit trail to process its decryption key, the new audit trail file, and the new encryption key.
-
Windows: adp.exe --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
-
Linux or MacOS: ./adp --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
If the audit trail is encrypted with multiple keys, repeat the --key <keyfile.pem:passphrase> option. Include the colon (:) character even if the key is not password-protected. For example:
./adp --task rekey --file /tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat --key /tmp/indexer-certificate-key.pem: --out /tmp/shared-ssh.zat --new-cert /tmp/new-encryption-certificate.pem
-
Open the output file in the Safeguard Desktop Player and import the private key of the certificate you used to re-encrypt the audit trail. Verify that you can replay the audit trail. If it is working as expected, you can share the re-encrypted audit trail file and the private key with third parties, they will be able to replay the audit trail using the SPS application.
