Playing Back a Session

If you select the Enable video capture auditing option for an installation, you can replay session activity captured on audited Windows or UNIX computers.

For Windows computers, the video record captures desktop activity when users select roles with auditing enabled.

For UNIX sessions, the video record captures complete input and output typed in a UNIX shell during a session.

If the Replay option is available for a session on the right-click menu, you can view a summary of the commands executed or applications opened in the session player. You can also search for commands, parameters, or events, control the playback speed and magnification from the session player, and update the session review status.

To play back a session when video capture auditing is enabled:

  1. Open Audit Analyzer and navigate to the session.

  2. Select the session in the right pane, right-click, then select Replay to open the session player.

    The left pane of the session player displays a summary of activity similar to the indexed list. For example, if the session is a Windows session:

    You can search on any column to find events of interest. If the session is a UNIX session, you can search the full session for any text string. For example, if you are playing a UNIX session, the right pane displays the shell session and a search field.

  3. Click the Play/Pause icon () at the bottom of the session player to start or stop the session you are viewing.

    You can also fast forward session playback by clicking the Speed control icon to play back at 2x or 3x the normal speed. The dark blue playback line across the bottom of the window represents the total time of the session. You can drag the Timepoint needle to go directly to a specific point in the session.

    The Real-time icon toggles to allow you to play back a session as it was recorded in real time or move swiftly from one user action to the next. The Session point in the lower right corner identifies the date and time of the current point in the session playback.

  4. To update the session review status:

    1. Select Session > Update Review Status, and then select the desired review status.

    2. Add your review comments and click OK.

      The updated session review status displays in the session player.

  5. Close the session player.

Starting the Session Player Separately

In most cases, you start the session player from Audit Analyzer. However, you can also start the session player from a Windows command prompt using standard Windows command line options or by specifying a Uniform Resource Identifier (URI).

Using Window command line options

If you use the Windows command line to start the session play, the installation name and session ID are required. The other arguments are optional.

daplayer /installation=installation_name /id=session_guid
[/conn=auditserver_connection_string]
[/store=auditstore_ID]
[/time=timestamp]

For example:

daplayer.exe /installation=MyInstallation
/id="{f533142a-d3e8-4b4a-ae9f-86ce156bdad0}"
/store=1

If you don’t specify the audit server connection string, the session player attempts to bind to an appropriate audit management database. The session player can replay sessions from only one audit store, but the audit store ID is optional because sessions usually reside in a single audit store. An individual session can span multiple audit store databases within a single audit store. If a session spans multiple audit stores, that is, different subnets or sites, you should specify which audit store to play it from.

The timestamp option is a 32-bit integer that tells the session player to jump to the point where the event of interest occurred.

Using the Uniform Resource Identifier (URI)

The Uniform Resource Identifier identifies the session player, the installation name, and the session GUID for each session. This format is especially useful when used with the Copy Session URI menu item. The URI link can then be pasted into an email or instant messenger message. On a computer where Audit Analyzer is installed, the recipient can simply click on the URI link and the session player starts automatically.

Playing Back a Session from a Web Browser

On computers that have Audit Analyzer installed, you can also play back sessions from a web browser. Because the cda:// protocol is automatically registered on the computer with Audit Analyzer, you can use a web browser to replay a specific session. If you want to play back a session from a web browser, you can extract the installation and session identifier from the session URI.

To get the installation and session identifier:

  1. Select a session and right-click or open the session in the session player, then select File > Copy Session URI.

  2. Open a text editor and paste the session URI into the file.

  3. Delete the portion of the URI that identifies the player, so that only the installation and the object GUID remain.

    For example, if the URI looks like this:

    rep://myInstallation/b62bc280-678c-439a-aec3-09a9b7ee4395

    Remove the first part of the URI so that you only have the installation name and session identifier:

    //myInstallation/b62bc280-678c-439a-aec3-09a9b7ee4395

To play back a specific session from a web browser:

  1. Open a web browser.

  2. Type the installation name and session ID in the address bar of the web browser:

    cda://<installationName>/<session_id>

    For example:

    cda://myInstallation/b62bc280-678c-439a-aec3-09a9b7ee4395

    The session player opens and plays the specified session.