Capturing and replaying sessions

If you have an audit installation available and enable auditing, the connector captures all of the secure shell and remote desktop activity in the sessions you open from the administrative portal. The connector sends the recorded sessions to the collector service, which forwards the sessions to the audit store database. You can play back the recorded sessions using Audit Analyzer. You can also use Audit Analyzer to create queries and reports based on session activity and to review, update, or delete the sessions.

If you have multiple connectors, the connector used to record the session is selected randomly when you start the SSH or RDP session. If the connector with an active session stops running, the session is disconnected. If the connector is recording a remote desktop session when it stops, you can manually reconnect to the target system using a different connector to resume the session. However, the session segments are recorded in the audit store database as two separate audit sessions. The connector will spool audited session activity if it can’t connect to any collectors.
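Because a resumed remote desktop session is stored as two separate audit sessions, a reviewer has to pair the segments before reading them as one activity. The following is an added example, not code from the product or its documentation, showing one way to do that pairing. It assumes session metadata has been exported to records whose field names (`id`, `user`, `target`, `protocol`, `connector`, `start`, `end`) are hypothetical, and the 10-minute reconnect window is likewise an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not the audit store schema.
SESSIONS = [
    {"id": "s1", "user": "alice", "target": "win-db01", "protocol": "RDP",
     "connector": "conn-a", "start": "2024-05-01T10:00:00", "end": "2024-05-01T10:20:00"},
    {"id": "s2", "user": "alice", "target": "win-db01", "protocol": "RDP",
     "connector": "conn-b", "start": "2024-05-01T10:22:30", "end": "2024-05-01T10:50:00"},
    {"id": "s3", "user": "bob", "target": "win-db01", "protocol": "RDP",
     "connector": "conn-a", "start": "2024-05-01T10:05:00", "end": "2024-05-01T10:20:00"},
    {"id": "s4", "user": "alice", "target": "win-db01", "protocol": "RDP",
     "connector": "conn-b", "start": "2024-05-01T15:00:00", "end": "2024-05-01T15:10:00"},
]

def link_segments(sessions, max_gap=timedelta(minutes=10)):
    """Return lists of session ids that look like one activity split by a connector change."""
    groups = {}
    for s in sessions:
        # Only sessions by the same user to the same target over the same protocol can pair.
        groups.setdefault((s["user"], s["target"], s["protocol"]), []).append(s)

    chains = []
    for items in groups.values():
        items.sort(key=lambda s: datetime.fromisoformat(s["start"]))
        chain = [items[0]]
        for prev, cur in zip(items, items[1:]):
            gap = datetime.fromisoformat(cur["start"]) - datetime.fromisoformat(prev["end"])
            # A resumed segment starts shortly after the previous one ended
            # and is recorded by a different connector.
            resumed = (cur["connector"] != prev["connector"]
                       and timedelta(0) <= gap <= max_gap)
            if resumed:
                chain.append(cur)
            else:
                chains.append(chain)
                chain = [cur]
        chains.append(chain)
    # Single-segment sessions need no stitching.
    return [[s["id"] for s in c] for c in chains if len(c) > 1]

if __name__ == "__main__":
    for chain in link_segments(SESSIONS):
        print("review together:", " -> ".join(chain))
```

The pairing is a heuristic for review ordering only; confirm each candidate pair by replaying both segments.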

You must have the required Privileged Access Service components installed to audit the sessions you open from the Admin Portal. If you have an older version of Server Suite, you must upgrade before enabling auditing using the connector.

For more information about managing the audit installation, querying and reviewing session activity, and other auditing-specific topics, see the Auditing Administrator’s Guide.