Exporting the audit trail as video
This section describes how to export an audit trail as a video file (optionally, including the accompanying subtitles).
NOTE: To export an audit trail, you must open it.
The exported files use the WebM format with the VP8 codec. You can replay WebM videos in most modern browsers and in several media player applications. For details, see the Playing WebM Video page.
Prerequisites
To use Internet Explorer, you must install an add-on.
To export an audit trail as a video file
- Open the audit trail in the Safeguard Desktop Player application.
  If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.
- Click EXPORT > Export video.
- If the audit trail contains multiple channels that can be replayed, select which channels you want to export.
- To export the subtitles listing the user events that occurred in the session (window titles that appeared on the screen, commands executed, mouse activity, and keystrokes), select the Subtitle checkbox.
  Figure 13: Export options
- Click , and select the directory where you want to save the video file.
- Click EXPORT.
Exporting the sound from an audit trail
You can enable auditing the sound that is transferred between an RDP client and the server. Using the Export audio option of Safeguard Desktop Player, you can export the input sound (the one that comes from the audited user) and the output sound (the one that is received by the audited user) into .wav files.
Prerequisites
In SPS, using the Channel Policies settings of the RDP Control option, select the Record audit trail checkbox for the Sound and the Dynamic virtual channel in the policy that you want to use for sound auditing.
For more information, see Configuring SPS to enable exporting sound from audit trails in the SPS Administration Guide.
To export the sound from an audit trail
- Open the audit trail in the Safeguard Desktop Player application.
  If the audit trail is encrypted, you need the appropriate decryption keys to open it. For details, see Replaying encrypted audit trails.
- Click the EXPORT > Export audio... button.
- In the Select folder window, navigate to the folder where you want to save the exported sound files of the audit trail.
  The displayed dialog shows the exported files with their paths. On clicking the paths, the destination folders open. The dialog also lists the errors that occurred during the export. The sound files are saved in the following format:
  - <timestamp>_input.wav
  - <timestamp>_output.wav
Sharing an encrypted audit trail
This section describes how to share an encrypted audit trail with a third party.
NOTE: To export an audit trail, you must open it.
- Export the audit trail as a video file
- If you want the third party to be able to replay the audit trail with the Safeguard Desktop Player, complete the following steps. Currently you can only do this by using the command line.
Prerequisites
This procedure involves encrypting the audit trail with an encryption key that you can share with the third party. Encrypting audit trails requires an X.509 certificate in PEM format that uses an RSA key.
You will also need the audit trail file that you want to share, and the encryption key(s) required to replay it. You cannot use this procedure to encrypt an audit trail that is not already encrypted.
NOTE: Certificates are used as a container and delivery mechanism. For encryption and decryption, only the keys are used.
TIP: One Identity recommends using 2048-bit RSA keys (or stronger).
To share an encrypted audit trail with a third party
- Start a command prompt and navigate to the installation directory of Safeguard Desktop Player.
  By default, the installation directories on the different operating systems are the following:
  - On Microsoft Windows platforms: C:\Documents and Settings\<username>\Software\Safeguard\Safeguard Desktop Player\
  - On Linux: ~/SafeguardDesktopPlayer
  - On macOS: /Applications/Safeguard Desktop Player.app/Contents/Resources/
- Specify the audit trail to process, its decryption key, the new audit trail file, and the new encryption key.
  - Windows: adp.exe --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
  - Linux or macOS: ./adp --task rekey --file <path/to/audit-trail.zat> --key <keyfile.pem:passphrase> --out <path/to/audit-trail-to-share.zat> --new-cert <path/to/new-encryption-certificate.pem>
  If the audit trail is encrypted with multiple keys, repeat the --key <keyfile.pem:passphrase> option. Include the colon (:) character even if the key is not password-protected. For example:
  ./adp --task rekey --file /tmp/ssh-171128T1353-frobert-frobert-10.30.255.68.zat --key /tmp/indexer-certificate-key.pem: --out /tmp/shared-ssh.zat --new-cert /tmp/new-encryption-certificate.pem
- Open the output file in the Safeguard Desktop Player and import the private key of the certificate you used to re-encrypt the audit trail. Verify that you can replay the audit trail. If it is working as expected, you can share the re-encrypted audit trail file and the private key with third parties. They will be able to replay the audit trail using the SPS application.
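The prerequisites of this procedure (a PEM X.509 certificate with an RSA key of at least 2048 bits, and a private key that you can hand over) can be checked before rekeying. The following shell functions are an added example, not part of the original documentation or of Safeguard Desktop Player. They assume the openssl command-line tool is installed. The file names, the CN and the 30-day lifetime are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate given to
#   adp --task rekey ... --new-cert <cert.pem>
# Assumes the openssl CLI; file names and the CN are constructed placeholders.

# Create a fresh RSA key and a self-signed certificate used only for this share.
# usage: make_share_cert <key.pem> <cert.pem> [bits]
make_share_cert() (
    umask 077   # key file is created readable by the current user only
    openssl req -x509 -newkey "rsa:${3:-2048}" -nodes -days 30 \
        -subj "/CN=audit-trail-share" -keyout "$1" -out "$2" 2>/dev/null
)

# Print the RSA key size of a PEM certificate; fail unless it is X.509 with an RSA key.
cert_rsa_bits() {
    text=$(openssl x509 -in "$1" -inform PEM -noout -text 2>/dev/null) || return 1
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
    size=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ -n "$size" ] && echo "$size"
}

# Succeed only if the private key and the certificate carry the same public key.
# usage: key_matches_cert <key.pem> <cert.pem>
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$from_key" = "$from_cert" ]
}

# usage: check_share_cert <key.pem> <cert.pem> [min_bits]   (min_bits defaults to 2048)
check_share_cert() {
    bits=$(cert_rsa_bits "$2") || { echo "not a PEM X.509 certificate with an RSA key" >&2; return 1; }
    [ "$bits" -ge "${3:-2048}" ] || { echo "RSA key too short: $bits bits" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "private key does not match the certificate" >&2; return 1; }
    echo "ok: RSA $bits bits"
}
```

Once check_share_cert succeeds, pass the certificate to --new-cert in the rekey command shown above.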
With the Safeguard Desktop Player application, you can replay audit trails that contain graphical X11 sessions (the contents of the X11 Forward channel of the SSH protocol). You can replay X11 sessions similarly to other audit trails, but consider the following points:
- X11 sessions can contain several different X11 channels. For example, some applications open a separate channel for every window they display. The Safeguard Desktop Player application automatically merges these channels into a single channel, to make reviewing the sessions easier. Since these audit trails can contain SSH terminal channels as well, you can choose between replaying the SSH sessions and the X11 session in the CHANNELS > X11 section of the audit trail data.
- If you need the list of X11 channels that the audit trail contains, they are listed in CHANNELS > X11 > channel_ids section of the audit trail data.
- The Safeguard Desktop Player stores the fonts used to display the texts in the audit trail in the <desktop-player-installation-folder>/fonts folder.