Session Recording

Configure event response policies

You can send an email alert when a session start is detected and take the following actions in response to logged events in recorded sessions:

  • Send email alerts
  • Start screen recording immediately (with or without lossy screen recording enabled)
  • Lock session
  • Log off session
  • Disconnect session

Note:

If the Lock session action doesn’t work as expected, check the following registry keys on the VDA and ensure that there is no registry value under them or the value data is set to 0.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

The only system-defined event response policy is Do not respond. You can create custom event response policies as needed. Only one event response policy can be active at a time.

For an example email alert, see the following screen capture:

An example email alert

Tip:

Clicking the playback URL opens the playback page of the recorded session in the web player. Clicking here opens the All recordings page in the web player.

Session Recording sends email alerts in the operating system language of your Session Recording server. However, if the operating system language of your Session Recording server is not one of the following languages that Session Recording supports, email alerts are sent in English by default:

  • English
  • French
  • German
  • Spanish
  • Japanese
  • Simplified Chinese

To customize a language to send email alerts in, find the email template called template.en.html under <Session Recording server installation path>\Bin\templates, and then change the plain text in the template to your preferred language. For example:

Setting an email template

System-defined event response policy

Session Recording provides one system-defined event response policy:

  • Do not respond. By default, no action is taken in response to logged events in your recordings.

Create a custom event response policy

  1. Log on as an authorized policy administrator to the server where the Session Recording policy console is installed.

  2. Start the Session Recording policy console. By default, there is no active event response policy.

    No active event response policy

  3. Select Event Response Policies in the left pane. From the menu bar, choose Add New Policy.

  4. (Optional) Right-click the new event response policy and rename it.

  5. Right-click the new event response policy and select Add Rule.

  6. Select Email alert when a session start is detected and Use event triggers to specify how to respond when a session event is detected based on your needs.

    Trigger response actions when a session event is detected

  7. (Optional) Set email recipients and the email sender properties.

    1. Type the email addresses for the alert recipients in the Rules wizard.

    2. Configure outgoing email settings in the Session Recording Server Properties.

      Outgoing email settings

      Note:

      If you select more than two options in the Email title section, a warning dialog appears, saying that the email subject might be too long. After you select Allow sending email notifications and click Apply, Session Recording sends an email to verify your email settings. If any setting is incorrect, for example, an incorrect password or port, Session Recording returns an error message with the error details.

      Email account cannot send messages error

      Your email settings need about five minutes to take effect. To have your email settings take effect immediately or fix the issue that emails are not sent according to the settings, restart the Storage Manager (CitrixSsRecStorageManager) service. Also, restart the Storage Manager service if you upgrade to the current release from Version 2006 and earlier.

    3. Edit the registry for accessing the web player.

      To make the playback URLs in your alert emails work as expected, browse to the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartAuditor\Server and do the following:

      • Set the value data of LinkHost to the URL of the domain that you use to access the web player. For example, to access a web player at https://example.com/webplayer/#/player/, set the value data of LinkHost to https://example.com.

      • Add a value EmailThreshold, and set its value data to a number in the range of 1 through 100. The value data determines the maximum number of alert emails that an email sending account sends within a second. This setting helps slow down the number of emails that are being sent and thus reduces the CPU usage. If you leave the value data unspecified or set it to a number out of range, the value data falls back to 25.

      Note:

      • Your email server might treat an email sending account as a spam bot and thus prevent it from sending emails. Before an account is allowed to send emails, an email client such as Outlook might request you to verify that the account is used by a human user.

      • There is a limit for sending emails within a given period. For example, when the daily limit is reached, you cannot send emails until the start of the next day. In this case, ensure that the limit is more than the number of sessions being recorded within the period.

  8. (Optional) Configure event triggers and responses.

    After you select Trigger response actions when a session event is detected, the Configure event triggers and responses button becomes available. Click it to specify logged events that can trigger the following response actions:

    • Send email alerts
    • Start screen recording immediately
    • Lock session
    • Log off session
    • Disconnect session

    Event triggers

    Note:

    If your system language is German, French, or Spanish, ensure that the horizontal resolution of your machine is equal to or larger than 1,700 pixels. Otherwise, text truncation occurs and thus the columns of the Event Triggers table are not displayed completely.

    You must select the event types that the active event detection policy logs. Click Confirm when you are finished.

    Select event types from the drop-down list and set event rules through the two dimensions that are combined using the logical AND operator. You can set up to seven event triggers for each policy rule. You can also define your event triggers in the Description column or leave the column empty. Your defined description of an event trigger is provided in the alert emails if you have Send email selected and events of the type are logged. If you have Start screen recording selected, dynamic screen recording automatically starts when certain events occur during an event-only recording. You can enable lossy screen recording and set the time spans for dynamic screen recording:

    Time spans for dynamic screen recording

    • Screen recording time span after we detect an event: You can configure how many minutes you want to record the screen after events are detected. If you leave the value unspecified, screen recording continues until the recorded sessions end.
    • Screen recording time span before we detect an event: You can configure how many seconds of the screen recording you want to keep before events are detected. This feature is available for both virtual desktop and app sessions. The value ranges from 1 to 120. Setting the value to any of 1 through 10 makes the value 10 effective. If you leave the value unspecified, the feature does not take effect. The actual length of the screen recording that Session Recording keeps might be a little longer than your configuration.

    • If you specify any of the following actions in response to logged events in recorded sessions, you can notify users of the actions by filling the Time interval between a session operation notice and its execution field:

      • Lock session
      • Log off session
      • Disconnect session

      Note:

      The field value is 0 by default, which means users are not notified when you lock, log off, or disconnect them from their virtual sessions. To notify users, set an appropriate field value.

      For an example notice, see the following screen capture:

      Session disconnection notification

    • Enable Lossy screen recording: Lossy screen recording lets you adjust compression options to reduce the size of recording files and to accelerate navigating recorded sessions during playback. For more information, see Enable or disable lossy screen recording.

    For a complete list of supported event types, see the following table.

    Event type Dimension Option
    App Start    
      App name Includes, Equals, Matches
      Full command line Includes, Equals, Matches
    App End    
      App name Includes, Equals, Matches
    Top Most    
      App name Includes, Equals, Matches
      Windows title Includes, Equals, Matches
    Web Browsing    
      URL Includes, Equals, Matches
      Tab title Includes, Equals, Matches
      Browser name Includes, Equals, Matches
    File Create    
      Path Includes, Equals, Matches
      File size (MB) Greater than, Between, Smaller than
    File Rename    
      Path Includes, Equals, Matches
      Name Includes, Equals, Matches
    File Move    
      Source path Includes, Equals, Matches
      Destination path Includes, Equals, Matches
      File size (MB) Greater than, Between, Smaller than
    File Delete    
      Path Includes, Equals, Matches
      File size (MB) Greater than, Between, Smaller than
    CDM USB
      Drive letter Equals
    Generic USB
      Device name Includes, Equals, Matches
    Idle    
      idle duration (Hrs) Greater than
    File Transfer
      File source Equals (“host” or “client”)
      File size (MB) Greater than
      File name Includes, Equals, Matches
    Registry Create
      Key name Includes, Equals, Matches
    Registry Delete
      Key name Includes, Equals, Matches
    Registry Set Value
      Key name Includes, Equals, Matches
      Value name Includes, Equals, Matches
    Registry Delete Value
      Key name Includes, Equals, Matches
      Value name Includes, Equals, Matches
    Registry Rename
      Key name Includes, Equals, Matches
    User Account Modification
      User name Includes, Equals, Matches
    Unexpected App Exit
      App name Includes, Equals, Matches
    App Not Responding
      App name Includes, Equals, Matches
    New App Installed
      App name Includes, Equals, Matches
    App Uninstalled
      App name Includes, Equals, Matches
    RDP Connection
      IP address Includes, Equals, Matches
    Popup Window
      Process name Includes, Matches
      Window content Includes, Equals, Matches
    Performance Data
      CPU usage (%) Greater than
      Memory usage (%) Greater than
      Net send (MB) Greater than
      Net receive (MB) Greater than
      RTT (ms) Greater than
    Clipboard Operation
      Data type Equals (Text, File, Bitmap)
      Process name Includes, Equals, Matches
      Content Includes, Equals, Matches
  9. Click Next to select and edit the rule criteria.

    Rule criteria

    • Users or Groups. Creates a list of users or groups to which the rule applies.
    • Published Applications or Desktop. Creates a list of published applications or desktops to which the rule applies.
    • Delivery Groups or Machines. Creates a list of Delivery Groups or machines to which the rule applies.
    • IP Address or IP Range. Creates a list of IP addresses or ranges of IP addresses to which the rule applies. The IP addresses mentioned here are the IP addresses of the Citrix Workspace apps.
    • Filter. Creates a list of smart access tags to which the rule applies. You can configure contextual access (smart access) using smart access policies on Citrix NetScaler.

      Specify tags

      Contextual access (smart access) is available for Session Recording 2402 and later. It lets you apply policies based on the user access context including:

      • The user’s location
      • IP address range
      • Delivery group
      • Device type
      • Installed applications

    Note:

    When a session or an event meets more than one rule in a single event response policy, the oldest rule takes effect.

  10. Follow the wizard to complete the configuration.
  11. Activate the new event response policy.
Configure event response policies