Audit trails replay

If audit trails are sent to an external archive server and we need to retrieve a specific file and load it into a browser or desktop player to watch the recorded video, how can I do this? How can I identify the specific audit trail I want to play back?

  • If the search metadata still exists in SPS, then you would still be able to replay the archived audit trail from the SPS Web UI.

    If the search metadata no longer exists or was cleaned up from SPS, then you cannot search the data in the SPS web UI and therefore would need to identify the audit trail file by date and time (the audit trail file name has a Unix epoch timestamp in the name, for example audit-scb_rdp-1717513065-0.zat). Then you can convert the timestamp 1717513065 using any Unix epoch time converter to show the actual date and time: Tuesday, June 4, 2024 2:57:45 PM GMT.

    Then, when you open the audit trail file using the Desktop Player, you would see the details and be able to further verify the connection IP addresses (such as Client IP | SPS Server IP | Target Server IP), the remote username, etc.

    Thanks!
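Added worked example, not part of this thread or of the SPS product: a small Python script that pulls the epoch timestamp out of names like audit-scb_rdp-1717513065-0.zat, converts it to UTC, and narrows an archive directory listing to a date/time window. The name layout (policy name, epoch seconds, trailing index) is inferred from that single example, and the listing below is constructed.

```python
import re
from datetime import datetime, timezone

# Pattern inferred from the one example in the thread (audit-scb_rdp-1717513065-0.zat):
# "audit-" + connection policy name + "-" + Unix epoch seconds + "-" + index + ".zat".
# The meaning of the trailing index and the exact naming rules are assumptions.
AUDIT_TRAIL_RE = re.compile(r"^audit-(?P<policy>.+)-(?P<epoch>\d{9,10})-(?P<index>\d+)\.zat$")


def parse_audit_trail_name(filename):
    """Return (policy, start datetime in UTC, index), or None if the name does not match."""
    m = AUDIT_TRAIL_RE.match(filename)
    if not m:
        return None
    started = datetime.fromtimestamp(int(m.group("epoch")), tz=timezone.utc)
    return m.group("policy"), started, int(m.group("index"))


def find_audit_trails(filenames, start_iso, end_iso, policy=None):
    """Select trails whose embedded start time lies in [start, end], optionally by policy.
    Bounds are ISO 8601 strings with an explicit offset, e.g. "2024-06-04T14:00:00+00:00",
    so that a local-time versus UTC mix-up cannot silently shift the window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("window bounds must carry a UTC offset")
    hits = []
    for name in filenames:
        parsed = parse_audit_trail_name(name)
        if parsed is None:
            continue  # not an audit trail, or a name this pattern does not understand
        pol, started, _ = parsed
        if policy is not None and pol != policy:
            continue
        if start <= started <= end:
            hits.append((name, started.strftime("%Y-%m-%d %H:%M:%S %Z")))
    return sorted(hits)


# Constructed archive listing; only the first name is taken from the thread.
ARCHIVE_LISTING = [
    "audit-scb_rdp-1717513065-0.zat",
    "audit-scb_rdp-1717513065-1.zat",
    "audit-scb_ssh-1717420000-0.zat",
    "audit-scb_http-1717600000-0.zat",
    "notes.txt",
]

if __name__ == "__main__":
    for name, when in find_audit_trails(ARCHIVE_LISTING, "2024-06-04T14:00:00+00:00",
                                        "2024-06-04T15:00:00+00:00"):
        print(name, "started", when)
```

Feed it the output of a directory listing of the archive share and the approximate session time (for example from the SPP Activity Center, as mentioned later in the thread) to shortlist candidate .zat files before opening them in the Desktop Player.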

  • Great, Tawfiw, helpful and clear as always.

    Last doubt: the file is a "video" file that I can watch in the Desktop Player, right?
    If this audit trail file is cleaned up, there is no trace of this file in the web interface, correct?
    So there is no way to know what file name I need beforehand, but I have to go to the external archive server and search for it there without a precise indication, correct?

    Thank you very much!!

    I wish you a great time!

  • The file is a "video" file that I can watch in the Desktop Player, right?
    For graphical protocols, yes, it would be a video recording, such as RDP or SSH, but some other protocols are only raw packet capture logs, such as HTTP audit trails for example.

    If this audit trail file is cleaned up, there is no trace of this file in the web interface, correct?
    If the search metadata (metadata are details related to the audit file, held in the SPS database only) gets cleaned up, then yes, there are no details in SPS to look up the audit trail.

    Audit trails are either saved in SPS or archived to an external storage / archive server, which would still be known to SPS as long as the metadata still exists in the SPS database.

    If the audit trail was recorded on a date/time that is older than the metadata retention in SPS, then correct, you would only have the audit trail file located in the archive server but no metadata in SPS, so it is not as easy to find the session without knowing the exact date/time of what you are looking for, which you may get from the SPP Activity Center if that was an SPP-initiated session, for example.

    Thanks!