How Replay Works

Replay requires a source ST appliance and a destination LX appliance to be configured in a Management Station relationship.

The ST appliance must be a Management Station that manages the LX appliance. The Management Station relationship ensures that you manage Replay sessions correctly.

Warning: When using Replay, the LX appliance must not be set up as a Management Station. If the configuration is not correct, Replay will not work.

Note: Archived real-time files on the source ST appliance are always rediscovered during a Replay session, whether or not a search filter is used. Rediscovering real-time files allows additional devices to be recognized that were not known to the LX or ST appliance during the initial capture. However, file-based logs are not rediscovered at this time.

Pulled files are always replayed as a whole file. However, real-time logs can be subjected to filtering.

The source ST appliance and destination LX appliance manage the progress of each Replay session. Therefore, if at any point a Replay session is interrupted (for example, the network goes down or the appliance service is not available):

  1. The source ST appliance keeps trying to replay data indefinitely until a connection is re-established.
  2. Once the connection is re-established, the data transfer resumes where it left off. After the replay is completed, the Replay Status is updated to completed on the Replay Status tab.

How a Replay session works

  1. The scheduled Replay session starts.
  2. Replay gathers the appropriate archived data on the source ST appliance based on the Replay rules specified in the Replay session. The source ST appliance notifies the destination LX appliance how many files it is transferring.
  3. The source ST appliance transfers the appropriate archived log data to the destination LX appliance. Authentication and encryption are used only if configured for the Replay session.
  4. Once all log data is received by the destination LX appliance, the LX appliance begins processing the data as new data. Log data is received by LLTCP-HTTP.
  5. After all log data is processed by the destination LX appliance, it notifies the source ST appliance that the Replay session is completed.
  6. The source ST appliance ends the Replay session and updates the status to completed.
    Note: The maximum replay number is 16. Canceled and completed replays are not included in the total number.

    The user must have Search Archived Data privileges on the ST appliance to replay the archived data. For more information on user privileges, see User Privileges.