Configure event response policies

You can send an email alert when a session start is detected and take the following actions in response to logged events in recorded sessions:

• Send email alerts
• Start screen recording immediately (with or without lossy screen recording enabled)
• Lock session
• Log off session
• Disconnect session

The only system-defined event response policy is Do not respond. You can create custom event response policies as needed. Only one event response policy can be active at a time. By default, there is no active event response policy.

Note:

After you create or activate an event response policy, the policy applies to all Session Recording servers of the selected site. You can create and activate separate event response policies for different sites.

System-defined event response policy

Session Recording provides one system-defined event response policy:

• Do not respond. By default, no action is taken in response to logged events in your recordings.

Create a custom event response policy

1. Click Add policy.
2. Name and describe your new policy.

3. Click Add Rule.

   

4. Name and describe your new rule.

5. Select Email alert when a session start is detected or Trigger response actions when a session event is detected based on your needs.

   

6. (Optional) Click Configure event triggers and responses to specify logged events that can trigger the following response actions:

   • Send email alert
   • Start screen recording
   • Lock session
   • Log off session
   • Disconnect session

   

   Note:

   You must select the event types that the active event detection policy logs.

   You can set up to seven event triggers for each policy rule. You can define your event triggers on the Description row or leave the row empty. Your defined description of an event trigger is provided in the alert emails if you have Send email selected and events of the type are logged. If you have Start screen recording selected, dynamic screen recording automatically starts when certain events occur during an event-only recording.

   For a complete list of supported event types, see the following table.

   Event type	Dimension	Option
   App Start
   	App name	Includes/Equals/Matches
   	Full command line	Includes/Equals/Matches
   App End
   	App name	Includes/Equals/Matches
   Top Most
   	App name	Includes/Equals/Matches
   	Windows title	Includes/Equals/Matches
   Web Browsing
   	URL	Includes/Equals/Matches
   	Tab title	Includes/Equals/Matches
   	Browser name	Includes/Equals/Matches
   File Create
   	Path	Includes/Equals/Matches
   	File size (MB)	Greater than/Between/Smaller than
   File Rename
   	Path	Includes/Equals/Matches
   	Name	Includes/Equals/Matches
   File Move
   	Source path	Includes/Equals/Matches
   	Destination path	Includes/Equals/Matches
   	File size (MB)	Greater than/Between/Smaller than
   File Delete
   	Path	Includes/Equals/Matches
   	File size (MB)	Greater than/Between/Smaller than
   CDM USB
   	Drive letter	Equals
   Generic USB
   	Device name	Includes/Equals/Matches
   Idle
   	idle duration (Hrs)	Greater than
   File Transfer
   	File source	Equals (“host” or “client”)
   	File size (MB)	Greater than
   	File name	Includes/Equals/Matches
   Registry Create
   	Key name	Includes/Equals/Matches
   Registry Delete
   	Key name	Includes/Equals/Matches
   Registry Set Value
   	Key name	Includes/Equals/Matches
   	Value name	Includes/Equals/Matches
   Registry Delete Value
   	Key name	Includes/Equals/Matches
   	Value name	Includes/Equals/Matches
   Registry Rename
   	Key name	Includes/Equals/Matches
   User Account Modification
   	User name	Includes/Equals/Matches
   Unexpected App Exit
   	App name	Includes/Equals/Matches
   App Not Responding
   	App name	Includes/Equals/Matches
   New App Installed
   	App name	Includes/Equals/Matches
   App Uninstalled
   	App name	Includes/Equals/Matches
   RDP Connection
   	IP address	Includes/Equals/Matches
   Popup Window
   	Process name	Includes/Matches
   	Window content	Includes/Equals/Matches
   Performance Data
   	CPU usage (%)	Greater than
   	Memory usage (%	Greater than
   	Net send (MB	Greater than
   	Net receive (MB)	Greater than
   	RTT (ms)	Greater than
   Clipboard Operation
   	Data type	Equals (Text/File/Bitmap)
   	Process name	Includes/Equals/Matches
   	Content	Includes/Equals/Matches

7. (Optional) Set email recipients and the email sender properties.

   For an example email alert, see the following screen capture:

   

   Tip:

   Clicking the playback URL opens the playback page of the recorded session in the on-premises web player. Clicking here opens the All recordings page in the on-premises web player.

   1. Type email addresses for the alert recipients in the Email recipients section.

   2. Configure outgoing email settings in the Session Recording Server Properties.

      

      Note:

      If you select more than two options in the Email title section, a warning dialog appears, saying that the email subject might be too long. After you select Allow sending email notifications and click Apply, Session Recording sends an email to verify your email settings. If any setting is incorrect, for example, an incorrect password or port, Session Recording returns an error message with the error details.

      

      Your email settings need about five minutes to take effect. To have your email settings take effect immediately or fix the issue that emails are not sent according to the settings, restart the Storage Manager (CitrixSsRecStorageManager) service. Also, restart the Storage Manager service if you upgrade to the current release from Version 2006 and earlier.

   3. Edit registry for accessing the on-premises web player.

      To make the playback URLs in your alert emails work as expected, browse to the registry key at HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\SmartAuditor\Server and do the following:

      • Set the value data of LinkHost to the URL of the domain that you use to access the on-premises web player. For example, to access an on-premises web player at https://example.com/webplayer/#/player/, set the value data of LinkHost to https://example.com.

      • Add a value called EmailThreshold, and set its value data to a number in the range of 1 through 100. The value data determines the maximum number of alert emails that an email sending account sends within a second. This setting helps slow down the number of emails that are being sent and thus reduces the CPU usage. If you leave the value data unspecified or set it to a number out of range, the value data falls back to 25.

      Note:

      • Your email server might treat an email sending account as a spam bot and thus prevent it from sending emails. Before an account is allowed to send emails, an email client such as Outlook might request you to verify that the account is used by a human user.

      • There is a limit for sending emails within a given period. For example, when the daily limit is reached, you cannot send emails until the start of the next day. In this case, ensure that the limit is more than the number of sessions being recorded within the period.

8. In the Recording options section, set the parameters for dynamic screen recording:

   • Screen recording time span after an event is detected (min): You can configure the time duration (minutes) that you want to record the screen after events are detected. If you leave the value unspecified, screen recording continues until the recorded sessions end.
   • Screen recording time span before an event is detected (sec): You can configure the time duration (seconds) of the screen recording you want to keep before events are detected. This feature is available only for virtual desktop sessions. The value ranges from 1 to 120. Setting the value to any of 1 through 10 makes the value 10 effective. If you leave the value unspecified, the feature does not take effect. The actual length of the screen recording that Session Recording keeps might be a little longer than your configuration.
   • Enable lossy screen recording: You can specify whether to enable lossy screen recording when a session event is detected. Lossy screen recording lets you adjust compression options to reduce the size of recording files and to accelerate navigating recorded sessions during playback. This feature is available with Session Recording 2308 and later. For more information, see Enable or disable lossy screen recording.

9. Specify delay before session operations begin (sec). If you specify any of the following actions in response to logged events in recorded sessions, you can notify users of the actions in advance:

   – Lock session
   – Log off session
   – Disconnect session

   Note:

   If you set the value to 0, it means that users are not notified when you lock, log off, or disconnect them from their virtual sessions. To notify users, set an appropriate value.

   For an example notice, see the following screen capture:

   

10. Select and edit the rule scope.

    In a way similar to when you create a custom recording policy, you can choose at least one of the following items to create the rule scope:

    • Users and user groups. Creates a list of users and groups to which the responses of the rule apply.
    • Published applications and desktops. Creates a list of published applications and desktops to which the responses of the rule apply.
    • Delivery groups and VDA machines. Creates a list of delivery groups and VDA machines to which the responses of the rule apply.
    • IP addresses and IP address ranges. Creates a list of IP addresses and ranges of IP addresses to which the responses of the rule apply. The IP addresses mentioned here are the IP addresses of the Citrix Workspace apps.

    Note:

    When a session or an event meets more than one rule in a single event response policy, the oldest rule takes effect.

11. Follow the wizard to complete the configuration.
12. Activate the new event response policy.

Video about configuring policies