Trying to view the listed session recording in the PAM UI returns the
Error: PAM-UI-2106: Failed to run the precheck for session recording: PAM-CMN-0869: Unable to locate recording data. The file may have been removed, or the mount may be down.
What are the reasons for this?
Release : Any supported release as of October 2023
Component : PRIVILEGED ACCESS MANAGEMENT
Reason for this error is that PAM's references to the recording files have become invalid for whatever reason, or the files are not located on the share mounted by the PAM node from which you are trying to view the session recording.
Assuming you have several PAM appliances in place, please check if all your appliances point to the very same storage location, i.e. the same physical share path is configured under Configuration > Logs > Session Recording > External Storage. If not, the recording only will be viewable on the node that wrote the session recording files, and nodes mounting the same session recording share path. The other way to ensure recordings are viewable is to have replication in place between the two or more configured storage locations so that the session recordings are viewable from any PAM node..
E.g. in a two nodes cluster set in both nodes the same storage share details so that both nodes can view all recordings listed.
Ensure the storage is displayed in each appliance as mounted and available.
Also, possibly the physical recording files might have been deleted for whatever reason from the store. In that case you would get this error on any of your cluster nodes.
You can configure a cluster wide purge policy on page Configuration > Logs > Session Recording > Purge Policy. Enabling this feature will purge the physical files from the store and remove references to them in the PAM database. But PAM will retain references in the database, if the files they point to are not found on the share, e.g. because they were removed by a process other than the automatic purge configured in PAM, or because they had been written to a share other than the one that currently is mounted on the node executing the purge. In that case, the recordings will continue to be listed on the Sessions > Session Recordings page, but won't be playable.
Session Recordings page does NOT show which cluster node wrote the session recording. It shows time stamps as well as user and target device information. If you have PAM integrated with a SIEM tool such as Splunk, you should find messages at the start (PAM-SPFD-0027) and end (PAM-SPFD-0028) of the recording coming from the node that wrote the session recording files.
If you determined that the files are on the mounted share and should be viewable, but you still get these errors, please open a case with PAM Support for further investigation.
Alternatively the issue can be a permission issue to the session recording files or directories. (example: only has access to top directory but not folders within it)
Especially if the client has migrated the filesystem.