How to use the sreplay tool to view audit records and keystroke reports from the command line

  • 7021040
  • 28-Jun-2017
  • 08-Nov-2017

Environment

NetIQ Privileged Account Manager

Situation

How to use the sreplay tool to view audit records and keystroke reports from the command line
Session playback to view the keystroke logs

Resolution

For detailed information regarding the available sreplay command line options and syntax, please refer to the following:
https://www.netiq.com/documentation/privileged-account-manager-3/npam_admin/data/bvxdo3d.html

List the available sessions in a particular log file (cmdctrl.db) in CSV format:
/opt/netiq/npum/sbin/sreplay -lC -U admin -F key,user,runas,host,runhost,time,cmd,all -g cmdctrl.db
Note: The session ID is displayed in the first column, "key".

How to view the keystroke report of a particular session:
Note: Replace <key> with the unique session id obtained from the above command.
  • Replay a particular session (console / terminal playback):
    /opt/netiq/npum/sbin/sreplay -lCp -U admin -r <key>,cmdctrl.db

    Note: Only terminal-type sessions will be simulated in console playback.

  • View ALL (STDIN, STDOUT, STDERR) keystroke data for a particular session (verbose):
    /opt/netiq/npum/sbin/sreplay -U admin -r <key>,cmdctrl.db -a

  • View STDIN keystroke data for a particular session:
    /opt/netiq/npum/sbin/sreplay -U admin -r <key>,cmdctrl.db -i

  • View STDOUT keystroke data for a particular session:
    /opt/netiq/npum/sbin/sreplay -U admin -r <key>,cmdctrl.db -o

  • View STDERR keystroke data for a particular session:
    /opt/netiq/npum/sbin/sreplay -U admin -r <key>,cmdctrl.db -e

Additional Information

To produce output in CSV format, use the "-C" option with the sreplay command.

To generate a csv file, just redirect the output to a file, for example:
/opt/netiq/npum/sbin/sreplay -lC -U admin -F key,user,runas,host,runhost,time,cmd,all -g cmdctrl.db > sessions-report.csv
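
The listing and per-session steps above can be chained into one script. The following is an added example, not NetIQ's code: it uses only the sreplay options shown in this article and assumes the -C listing is plain comma-separated rows with key and user as the first two columns. The function names, the SREPLAY and AUDIT_DB variables and the output file naming are hypothetical.

```shell
#!/bin/sh
# Added example: export the STDIN keystroke data of every session run by one user.
SREPLAY=${SREPLAY:-/opt/netiq/npum/sbin/sreplay}
AUDIT_DB=${AUDIT_DB:-cmdctrl.db}   # hypothetical variable; log file name from the article

# Read the CSV session list on stdin, print the key (column 1) of each row whose
# user (column 2) equals $1. Assumption: comma-separated rows in the -F order
# key,user,...; optional double quotes are stripped and a header row is skipped.
keys_for_user() {
    awk -F, -v u="$1" '
        { for (i = 1; i <= 2; i++) gsub(/^"|"$/, "", $i) }
        $1 != "key" && $2 == u { print $1 }'
}

# For each key in file $1, write that session's STDIN data to $2/<key>.stdin.txt.
# Keys are read on fd 3 so sreplay keeps the caller's stdin.
export_stdin() {
    keyfile=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    while IFS= read -r key <&3; do
        case $key in
            # An empty key or one containing "/" cannot be used as a file name.
            ''|*/*) echo "skipping unexpected key: $key" >&2; continue ;;
        esac
        "$SREPLAY" -U admin -r "$key,$AUDIT_DB" -i > "$outdir/$key.stdin.txt"
    done 3< "$keyfile"
}

main() {
    umask 077   # keystroke logs can contain typed secrets; keep files owner-only
    list=$(mktemp) || return 1
    "$SREPLAY" -lC -U admin -F key,user,runas,host,runhost,time,cmd,all \
        -g "$AUDIT_DB" > "$list" || return 1
    keys_for_user "$1" < "$list" > "$list.keys"
    export_stdin "$list.keys" "$2"
    rm -f "$list" "$list.keys"
}

# Usage: sh export-user-stdin.sh <user> <output-dir>
if [ "$#" -eq 2 ]; then main "$@"; fi
```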