achinayoung_wau Respected Contributor.
Respected Contributor.
1424 views

No .webm file available for video playback

With PAM 3.2 has anyone noticed a bug where video playback is not working because the corresponding .webm file is not available? Looking at /opt/netiq/npum/logs/unifid.log, I can see that Audit Reporting in the FM Console shows an entry for the session as having video capture but when I try to inspect the video, I am informed that no video file is available. When I click on the entry in the Command Control report, and then click on Output, I see a screenshot. Looking at /opt/netiq/npum/logs/unifid.log for the Audit ID, I do not see any entries looking like the following:
Thu Jul 27 11:24:58 2017, 872, 1724700416, 2107, Info, recvvideo:: Received video file 'f85d11da-b1ee-4bbc-b1a3-24affd3a15e6_0000000001.webm', Copied in path : /opt/netiq/npum/service/local/audit/video/capture/


This leads me to believe the client never sent the .webm file to the PAM server.
0 Likes
8 Replies
AutomaticReply Absent Member.
Absent Member.

Re: No .webm file available for video playback

achinayoung,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit https://www.microfocus.com/support-and-services and search the knowledgebase and/or check
all the other self support options and support programs available.
- Open a service request: https://www.microfocus.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.microfocus.com)
- You might consider hiring a local partner to assist you.
https://www.partnernetprogram.com/partnerfinder/find.html

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.microfocus.com/faq.php

Sometimes this automatic posting will alert someone that can respond.

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your Micro Focus Forums Team
http://forums.microfocus.com



0 Likes
Micro Focus Expert
Micro Focus Expert

Re: No .webm file available for video playback

Is it still unavailable for replay? Sometimes it can take a couple minutes or so for the video playback to be encoded and delivered to the Audit Manager for playback. So there is some reasonable delay that should be anticipated for this. Otherwise, I'd check DEBUG logs of agent for any delivery failures that may be logged here. Also, please verify in the Reporting Console that the session was marked for Video Capture.
0 Likes
achinayoung_wau Respected Contributor.
Respected Contributor.

Re: No .webm file available for video playback

tdharris;2463449 wrote:
Is it still unavailable for replay? Sometimes it can take a couple minutes or so for the video playback to be encoded and delivered to the Audit Manager for playback. So there is some reasonable delay that should be anticipated for this. Otherwise, I'd check DEBUG logs of agent for any delivery failures that may be logged here. Also, please verify in the Reporting Console that the session was marked for Video Capture.


1. The session is definitely marked for video capture.
2. I looked at the unifid.log file on the Windows server I am attempting to capture RDP sessions for. I tested 7 sessions from 7/27-8/15. For the sessions where I can see the video playback, the unifid.log file has entries like:
Thu Jul 27 09:51:44 2017, 778, 2640, 2008, Info, Monitor audit session for:
S-1-5-21-469235804-2412821147-3039076810-13442(d9d869e6-be26-c148-90b1-a3e47aec4739)
Thu Jul 27 09:51:44 2017, 778, 5540, 2008, Info, Session match found for
S-1-5-21-469235804-2412821147-3039076810-13442(d9d869e6-be26-c148-90b1-a3e47aec4739)
Thu Jul 27 09:51:57 2017, 106, 5540, 2008, Info, Audited Video file =
'd9d869e6-be26-c148-90b1-a3e47aec4739_0000000001.webm'
Thu Jul 27 09:51:57 2017, 371, 5540, 2008, Info, File 'C:\Program
Files\NetIQ\npum\service\.work\d9d869e6-be26-c148-90b1-a3e47aec4739_0000000001.webm' send to audit manager.
Thu Jul 27 09:51:57 2017, 402, 5540, 2008, Info, temp video file deleted: 'C:\Program
Files\NetIQ\npum\service\.work\d9d869e6-be26-c148-90b1-a3e47aec4739_0000000001.webm'

For sessions where there is no video playback, I only see two entries like the following:
Tue Aug 15 10:26:09 2017, 399, 11116, 2008, Info, Monitor audit session for:
S-1-5-21-469235804-2412821147-3039076810-137961(cadaf0e4-4160-e94f-89fb-034e317527e2)
Tue Aug 15 10:26:09 2017, 399, 9424, 2008, Info, Session match found for
S-1-5-21-469235804-2412821147-3039076810-137961(cadaf0e4-4160-e94f-89fb-034e317527e2)
3. Even when the "Command Keystroke Report" has an image, it doesn't necessarily mean the .webm file is available.

Is the "unifid.log" the DEBUG log? If so, it is not showing any indication of a failure with any of the session ID's where video capture was not available.
0 Likes
achinayoung_wau Respected Contributor.
Respected Contributor.

Re: No .webm file available for video playback

NOTE: The above issue is seen mostly with RDP Direct sessions.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: No .webm file available for video playback

I have seen recently where PAM 3.2 was in use on an Audit Manager, but the agent within that audit zone was still some previous version. The Audit Manager was anticipating .webm format audit videos, but the agent was delivering .flv video files because it wasn't upgraded to 3.2. This resulted in a .webm video file not being able to be found from the Audit Manager, but I believe the .flv video files were there. Perhaps just check quickly that the agents / packages have all been upgraded to 3.2 to support .webm format.

Also, you could verify if the following file exists on the Audit Manager (no funky ownership or permissions when compared to other audit video files):
/opt/netiq/npum/service/local/audit/video/capture/f85d11da-b1ee-4bbc-b1a3-24affd3a15e6_0000000001.webm

Also, are there other .flv video files there that have not yet been converted to .webm? Any recent ones that shouldn't be .flv?

I'd also suggest setting logs to DEBUG for the Agent and Audit Manager when looking at the unifid.log. The unifid.log will be debug when set to be so in the Hosts Console.

I suspect one of the above suggestions will help point to an issue; however, if still uncertain, I'd recommend opening up a Service Request.
0 Likes
achinayoung_wau Respected Contributor.
Respected Contributor.

Re: No .webm file available for video playback

tdharris;2464503 wrote:
I have seen recently where PAM 3.2 was in use on an Audit Manager, but the agent within that audit zone was still some previous version. The Audit Manager was anticipating .webm format audit videos, but the agent was delivering .flv video files because it wasn't upgraded to 3.2. This resulted in a .webm video file not being able to be found from the Audit Manager, but I believe the .flv video files were there. Perhaps just check quickly that the agents / packages have all been upgraded to 3.2 to support .webm format.


We started with 3.2 so no chance of an older version.

tdharris;2464503 wrote:
Also, you could verify if the following file exists on the Audit Manager (no funky ownership or permissions when compared to other audit video files):
/opt/netiq/npum/service/local/audit/video/capture/f85d11da-b1ee-4bbc-b1a3-24affd3a15e6_0000000001.webm


This file is from the original message but this was an example of a video file that was sent over so yes, it does exist. For the IDs where no video playback is available, no such .webm file exists.

tdharris;2464503 wrote:
I'd also suggest setting logs to DEBUG for the Agent and Audit Manager when looking at the unifid.log. The unifid.log will be debug when set to be so in the Hosts Console.


Ok, just did this. Let's see what happens.

tdharris;2464503 wrote:
I suspect one of the above suggestions will help point to an issue; however, if still uncertain, I'd recommend opening up a Service Request.


Looks like we'll have to do this.
0 Likes
achinayoung_wau Respected Contributor.
Respected Contributor.

Re: No .webm file available for video playback

I did some more digging and I think the issue is a permissions problem. The way PAM provides video capture is to create a screen snapshot of the running session and save as a BMP file. Periodically, these BMP files are are processed by ffmpeg to create a .WEBM file. This .WEBM file is then transferred to the Audit Manager. The BMP files are created on the local Windows server in \Program Files\NetIQ\npum\service\.work\<session id>.

Video capture works great for users with and without domain Administrator privileges when using RDP Relay. Considering RDP Relay logs the user in as the Administrator, there is no problem writing to \Program Files\NetIQ\npum\service\.work\<session id>. However, when using RDP Direct sessions, the user is logged in under their username. If the user as domain Administrator privileges, there is no problem writing to \Program Files\NetIQ\npum\service\.work\<session id>. However, if the user does not have Administrator privileges, I do not see .BMP files under \Program Files\NetIQ\npum\service\.work\<session id> on Windows Server 2008R2. I do see the .BMP files on Windows Server 2012R2 however.

So, do I need to do something on Windows 2008R2 to solve this? Or is this a bug in PAM on 2008R2? Odd that the <session id> directory can be created under \Program Files\NetIQ\npum\service\.work but the .BMP files cannot. Looks like a bug to me.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: No .webm file available for video playback

Hmm, interesting. I went ahead and tested this on my Windows 2008R2 server with PAM 3.2. I created a regular non-admin user with Remote Desktop privileges only. I also gave explicit Deny rights for this user to the ../service/.work directory where the screen capture process takes place. In another session (non video-captured session), I monitored the processes in Task Manager. I noticed both the screen capture and ffmpeg processes were being ran as 'SYSTEM' and not the particular user logged in to Direct-RDP and I was able to review the session recording in the Reporting Console after a brief time. The non-admin direct-rdp user's permissions to this .work folder doesn't appear to make any difference with the video capture process as far as I can tell.

Sometimes the hierarchy of rules in the Command Control Console can have an effect on other rules. Since it is designed this way, the easiest way to test is to disable all other rules except this one specific RDP rule. Try the client direct-rdp session again with just this single rule enabled in PAM and verify that "Video Recording" is set to "yes" for this session in the Reporting Console after the session has been started. Give at least a few minutes for an audit video to arrive to the Audit Manager before trying to view the video playback for this session.
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.