View RDP Replays Locally

Since RDP Replays are binary objects, and not typical logs, they must be kept in object storage systems (such as AWS S3, Azure Blob, Google Cloud Storage, etc.) and not in logging systems (such as AWS Cloudwatch, Azure Monitor, Splunk, etc.) to ensure they don't get corrupted.

In the RDP Replays documentation, instructions are given for rendering and watching replays of unencrypted RDP sessions from the Admin UI. It is also possible to render RDP sessions locally via a Docker image:

docker run --rm -ti -v ~/.sdm/logs:/logs --format 'csv' r1po3p80VaPnzSSjAobzV2RavzWW

Pointers for using the Docker image:

  • You will need the FFmpeg package installed locally in order to play RDP session videos.
  • If you have changed your SDM HOME location away from the default ~/.sdm, change that path in the above command.
  • Substitute the sample session ID in the above command with the session ID you intend to replay.
  • Completed MP4 files will be deposited in the /logs folder.

The local rendering can be done via the CLI as well, if desired:

sdm replay rdp
sdm-cli replay rdp - render a RDP session in movie format.
sdm-cli replay rdp [command options] <sessionID> <relay-log-file-path1> <relay-log-file-path2> <relay-log-file-pathN>...
--format value define the file format of the relay log file ('json' or 'csv') (default: "json")
--tmpdir value, -t value for long sessions, a larger temporary directory might be necessary for rendering (default: "C:\\Users\\sebas\\.sdm\\logs")

Only the most minimal of RDP settings are supported for RDP via strongDM. Trying to use advanced options or configurations may prevent replays from being rendered and played.