Session Recording

Configure event response policies

This policy setting lets you take the following actions in response to logged events in recorded sessions:

  • Send email alerts
  • Start screen recording immediately
  • Lock session
  • Log off session
  • Disconnect session

The only system-defined event response policy is Do not respond. You can create custom event response policies as needed. Only one event response policy can be active at a time.

For an example email alert, see the following screen capture:

An example email alert


Clicking the playback URL opens the playback page of the recorded session in the web player. Clicking here opens the All recordings page in the web player.

System-defined event response policy

Session Recording provides one system-defined event response policy:

  • Do not respond. By default, no action is taken in response to logged events in your recordings.

Create a custom event response policy

  1. Log on as an authorized policy administrator to the server where the Session Recording policy console is installed.

  2. Start the Session Recording policy console. By default, there is no active event response policy.

    No active event response policy

  3. Select Event Response Policies in the left pane. From the menu bar, choose Add New Policy.

  4. (Optional) Right-click the new event response policy and rename it.

  5. Right-click the new event response policy and select Add Rule.

  6. Select Email alert when a session start is detected and Use event triggers to specify how to respond when a session event is detected based on your needs.

    Trigger response actions when a session event is detected

  7. (Optional) Set email recipients and the email sender properties.

    1. Type the email addresses for the alert recipients in the Rules wizard.

    2. Configure outgoing email settings in the Session Recording Server Properties.

      Outgoing email settings


      If you select more than two options in the Email title section, a warning dialog appears, saying that the email subject might be too long. After you select Allow sending email notifications and click Apply, Session Recording sends an email to verify your email settings. If any setting is incorrect, for example, an incorrect password or port, Session Recording returns an error message with the error details.

      Email account cannot send messages error

      Your email settings need about five minutes to take effect. To have your email settings take effect immediately or fix the issue that emails are not sent according to the settings, restart the Storage Manager (CitrixSsRecStorageManager) service. Also, restart the Storage Manager service if you upgrade to the current release from Version 2006 and earlier.

    3. Edit registry for accessing the web player.

      To make the playback URLs in your alert emails work as expected, browse to the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartAuditor\Server and do the following:

      • Set the value data of LinkHost to the URL of the domain that you use to access the web player. For example, to access a web player at, set the value data of LinkHost to

      • Add a value, EmailThreshold, and set its value data to a number in the range of 1 through 100. The value data determines the maximum number of alert emails that an email sending account sends within a second. This setting helps slow down the number of emails that are being sent and thus reduces the CPU usage. If you leave the value data unspecified or set it to a number out of range, the value data falls back to 25.


      • Your email server might treat an email sending account as a spam bot and thus prevent it from sending emails. Before an account is allowed to send emails, an email client such as Outlook might request you to verify that the account is used by a human user.

      • There is a limit for sending emails within a given period. For example, when the daily limit is reached, you cannot send emails until the start of the next day. In this case, ensure that the limit is more than the number of sessions being recorded within the period.

  8. (Optional) Configure event triggers and responses.

    After you select Trigger response actions when a session event is detected, the Configure event triggers and responses button becomes available. Click it to specify logged events that can trigger the following response actions:

    • Send email alerts
    • Start screen recording immediately
    • Lock session
    • Log off session
    • Disconnect session

    Event triggers


    If your system language is German, French, or Spanish, ensure that the horizontal resolution of your machine is equal to or larger than 1,700 pixels. Otherwise, text truncation occurs and thus the columns of the Event Triggers table are not displayed completely.

    You must select the event types that the active event detection policy logs. Click Confirm when you are finished.

    Select event types from the drop-down list and set event rules through the two dimensions that are combined using the logical AND operator. You can set up to seven event triggers for each policy rule. You can also define your event triggers in the Description column or leave the column empty. Your defined description of an event trigger is provided in the alert emails if you have Send email selected and events of the type are logged. If you have Start screen recording selected, dynamic screen recording automatically starts when certain events occur during an event-only recording. You can set the time spans for dynamic screen recording:

    Time spans for dynamic screen recording

    • Screen recording time span after we detect an event: You can configure how many minutes you want to record the screen after events are detected. If you leave the value unspecified, screen recording continues until the recorded sessions end.
    • Screen recording time span before we detect an event: You can configure how many seconds of the screen recording you want to keep before events are detected. This feature is available only for virtual desktop sessions. The value ranges from 1 to 120. Setting the value to any of 1 through 10 makes the value 10 effective. If you leave the value unspecified, the feature does not take effect. The actual length of the screen recording that Session Recording keeps might be a little longer than your configuration.

    • If you specify any of the following actions in response to logged events in recorded sessions, you can notify users of the actions by filling the Time interval between a session operation notice and its execution field:

      • Lock session
      • Log off session
      • Disconnect session


      The field value is 0 by default, which means users are not notified when you lock, log off, or disconnect them from their virtual sessions. To notify users, set an appropriate field value.

      For an example notice, see the following screen capture:

      Session disconnection notification

    For a complete list of supported event types, see the following table.

    Event type Dimension Option
    App Start    
      App name Includes/Equals/Matches
      Full command line Includes/Equals/Matches
    App End    
      App name Includes/Equals/Matches
    Top Most    
      App name Includes/Equals/Matches
      Windows title Includes/Equals/Matches
    Web Browsing    
      URL Includes/Equals/Matches
      Tab title Includes/Equals/Matches
      Browser name Includes/Equals/Matches
    File Create    
      Path Includes/Equals/Matches
      File size (MB) Greater than/Between/Smaller than
    File Rename    
      Path Includes/Equals/Matches
      Name Includes/Equals/Matches
    File Move    
      Source path Includes/Equals/Matches
      Destination path Includes/Equals/Matches
      File size (MB) Greater than/Between/Smaller than
    File Delete    
      Path Includes/Equals/Matches
      File size (MB) Greater than/Between/Smaller than
    CDM USB    
      Drive letter Equals
    Generic USB    
      Device name Includes/Equals/Matches
      idle duration (Hrs) Greater than
    File Transfer    
      File source Equals (“host” or “client”)
      File size (MB) Greater than
      File name Includes/Equals/Matches
    Registry Create    
      Key name Includes/Equals/Matches
    Registry Delete    
      Key name Includes/Equals/Matches
    Registry Set Value    
      Key name Includes/Equals/Matches
      Value name Includes/Equals/Matches
    Registry Delete Value    
      Key name Includes/Equals/Matches
      Value name Includes/Equals/Matches
    Registry Rename    
      Key name Includes/Equals/Matches
    User Account Modification    
      User name Includes/Equals/Matches
    Unexpected App Exit    
      App name Includes/Equals/Matches
    App Not Responding    
      App name Includes/Equals/Matches
    New App Installed    
      App name Includes/Equals/Matches
    App Uninstalled    
      App name Includes/Equals/Matches
    RDP Connection    
      IP address Includes/Equals/Matches
    Popup Window    
      Process name Includes/Matches
      Window content Includes/Equals/Matches
    Performance Data    
      CPU usage (%) Greater than
      Memory usage (% Greater than
      Net send (MB Greater than
      Net receive (MB) Greater than
      RTT (ms) Greater than
    Clipboard Operation    
      Data type Equals (Text/File/Bitmap)
      Process name Includes/Equals/Matches
      Content Includes/Equals/Matches
  9. Click Next to select and edit the rule criteria.

    Similar to when creating a custom recording policy, you can choose one or more rule criteria: Users or Groups, Published Applications or Desktop, Delivery Groups or Machines, and IP Address or IP Range. For more information, see the instructions in the Create a custom recording policy section.

    Rule criteria for an event response policy


    When a session or an event meets more than one rule in a single event response policy, the oldest rule takes effect.

  10. Follow the wizard to complete the configuration.
  11. Activate the new event response policy.
Configure event response policies