diff --git a/README.md b/README.md
index 921391c..7344f58 100644
--- a/README.md
+++ b/README.md
@@ -1,29 +1,50 @@ scriptreplay_ng =============== -Installation -------------- - - * Install "scriptreplay" and "recordsession" to /usr/local/sbin - * Add /usr/local/sbin to $PATH of the user - * Add the follwing lines via "visudo" - -``` - ALL=(ALL) NOPASSWD: /usr/local/sbin/scriptreplay - ALL=(ALL) NOPASSWD: /usr/local/sbin/recordshell -``` +Scriptreplay can be used to replay recorded session recorded by the linux/unix "script" tool. + + + +Installation of an audit shell +------------------------------ + +The following instructions describe the procedure how to install a audit shell in combination with +the scriptreplay utility. +Auditshell submits the typescript and the timings to syslog which prevents modification by terminal users. +The logged information can also be forwared to secured logging servers using standard syslog logfile distribution. + + * Install the following tools to /usr/local/bin + scriptreplay + helpers/auditshell + helpers/auditshell_create_sessionfiles + chown root:root /usr/local/bin/{scriptreplay,auditshell,auditshell_create_sessionfiles} + chmod 755 /usr/local/bin/{scriptreplay,auditshel,auditshell_create_sessionfiles} + * Patch an install custom "script" implementation + cd helpers/ + git clone git://git.kernel.org/pub/scm/utils/util-linux/util-linux.git + cd util-linux.git + patch -p0 < ../auditshell_script.patch + ./autogen.sh + make + cp script /usr/local/bin/ + chown root:root /usr/local/bin/script + chmod 755 /usr/local/bin/script + * If you like: + * Disable string escaping on system which are using rsyslogd (i.e. 
Ubuntu systems) + * Redirect the auditshell logs to another logfile using syslog configuration + * Change shell of user + chsh -s /usr/local/bin/auditshell Usage ----- - * Start session - ``` -sudo recordsession - ``` + * Start session, and execute commands + * Extract session files + /usr/local/bin/auditshell_create_sessionfiles /var/log/messages /tmp/foo * Replay session ``` -sudo scriptreplay -t /var/log/recordshell//2013-07-08/2013-07-08_17-39-41-27336/timing.gz /var/log/recordshell//2013-07-08/2013-07-08_17-39-41-27336/typescript.gz +scriptreplay -t /tmp/foo/2013-09-11_18-47-45.user1.11931.timing /tmp/foo/2013-09-11_18-47-45.user1.11931.typescript ``` Documentation diff --git a/helpers/auditshell b/helpers/auditshell new file mode 100755 index 0000000..9c13d17 --- /dev/null +++ b/helpers/auditshell @@ -0,0 +1,21 @@ +#!/bin/bash + +IDENT="`date --date="today" "+%Y-%m-%d_%H-%M-%S"`.`whoami`.$$" + +TYPESCRIPT="auditshell.typescript.${IDENT}" +TIMING="auditshell.timing.${IDENT}" + +export SHELL=/bin/bash + +cat < >(logger -t $TYPESCRIPT) 2> >(logger -t $TIMING) diff --git a/helpers/auditshell_create_sessionfiles b/helpers/auditshell_create_sessionfiles new file mode 100755 index 0000000..2d1126c --- /dev/null +++ b/helpers/auditshell_create_sessionfiles 
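Review bot: The integrity of the recorded session rests entirely on the syslog tag — `logger -t $TYPESCRIPT` / `logger -t $TIMING` on the last line, with the tag assembled from `date`, `whoami` and `$$` — and `logger` is equally available to the user whose session is being recorded, so a later `logger` call carrying the same tag is indistinguishable from genuine session output at extraction time; syslog only protects lines already written from deletion or editing, which is narrower than the README's "prevents modification by terminal users". A cheap improvement is to emit a start and an end marker from this script (for example `logger -t "auditshell.session.${IDENT}" start` before and `end` after the recording command) so the consumer can bound each session and treat lines outside that window as suspect, and to double-quote the expansions: `logger -t "$TYPESCRIPT"` and `logger -t "$TIMING"`. The `cat < >(...)` line appears garbled in this rendering and the hunk declares 21 lines while fewer are visible, so the actual recording command (presumably a `script` invocation) could not be reviewed. Note also that the README install step spells the target `auditshel` in the chmod line, so the intended mode is never applied to this file.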
@@ -0,0 +1,44 @@ +#!/usr/bin/env perl + +use strict; +use warnings; +use FileHandle; + +my $file = shift(); +my $dir = shift(); + +if ( (!defined $file) || (!defined $file) ){ + print "auditshell_create_sessionfiles \n"; + exit(1); +} + +open( INFILE, "<$file" ) || die "input-file '$file' could not be opened"; + +my $fdcache = {}; + +while (my $zeile = ) { + if ($zeile =~m /auditshell\.(typescript|timing)\.(.*?): (.*)$/){ + chomp($zeile); + my $type = $1; + my $ident = $2; + my $line = $3; + + if ( !exists $fdcache->{$ident}){ + $fdcache->{$ident} = {}; + print "Open $ident.typescript\n"; + $fdcache->{$ident}->{typescript} = FileHandle->new("> $ident.typescript"); + print "Open $ident.timing\n"; + $fdcache->{$ident}->{timing} = FileHandle->new("> $ident.timing"); + } + + my $fd = $fdcache->{$ident}->{$type}; + print $fd $line."\n"; + } +} + +close(INFILE); + +foreach my $ident(keys %{$fdcache}){ + close $fdcache->{$ident}->{typescript}; + close $fdcache->{$ident}->{timing}; +} diff --git a/helpers/etc-recordshell b/helpers/etc-recordshell deleted file mode 100644 index 528d78e..0000000 --- a/helpers/etc-recordshell +++ /dev/null @@ -1,7 +0,0 @@ -# copy me to /etc/recordshell - -LOGDIR="/var/log/recordshell" -LOGGING_PID="$$" -FILEPREFIX="$LOGDIR/$(date '+%Y-%m-%d')/$(date '+%Y-%m-%d_%H-%M-%S')-$LOGGING_PID"; -EXTRA_ARGS="-c 'su -c /bin/bash $SUDO_USER'" - diff --git a/helpers/recordshell b/helpers/recordshell deleted file mode 100755 index 68dabc2..0000000 --- a/helpers/recordshell +++ /dev/null 
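Review bot: `$ident` (`my $ident = $2;`) is copied verbatim from the syslog tag and used unchecked as an output file name in `FileHandle->new("> $ident.typescript")`, while `$dir` is read but never used and the usage check tests `$file` twice instead of `$file` and `$dir`; the files therefore land in the current directory under whatever path text the log line contains. Because that tag originates from the recorded user's `logger` call and this extractor is run by an administrator, it should only accept the identifier shape auditshell itself generates (`YYYY-MM-DD_HH-MM-SS.<user>.<pid>`; widen the pattern if the local logger appends `[pid]` to tags), open the input with three-argument `open` on a lexical handle instead of the bareword two-argument `open( INFILE, "<$file" )`, build output paths under `$dir`, and check that each `FileHandle->new` actually succeeded before printing to it. The usage string's argument placeholders appear to have been lost in this rendering.
```perl
my $file = shift();
my $dir  = shift();

if ( !defined $file || !defined $dir ) {
    print "auditshell_create_sessionfiles <syslog-file> <output-dir>\n";
    exit(1);
}

# Three-argument open on a lexical handle: $file is only ever a path, never a mode or a pipe.
open( my $infile, '<', $file ) || die "input-file '$file' could not be opened: $!";

# The session identifier comes straight out of the syslog tag; accept only the
# shape auditshell itself generates (date.user.pid) before using it as a file name.
my $ident_re = qr/\A\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}\.[A-Za-z0-9._-]+\.\d+\z/;

my $fdcache = {};

while (my $zeile = <$infile>) {
    if ($zeile =~ m/auditshell\.(typescript|timing)\.(.*?): (.*)$/) {
        my ($type, $ident, $line) = ($1, $2, $3);
        if ($ident !~ $ident_re) {
            warn "skipping line with unexpected session identifier '$ident'\n";
            next;
        }
        if ( !exists $fdcache->{$ident} ) {
            $fdcache->{$ident} = {};
            for my $kind (qw(typescript timing)) {
                my $path = "$dir/$ident.$kind";
                print "Open $path\n";
                $fdcache->{$ident}->{$kind} = FileHandle->new( $path, '>' )
                    || die "output-file '$path' could not be opened: $!";
            }
        }
        # … unchanged: look up the cached handle for $type and print $line …
    }
}

close($infile);
# … unchanged: close the cached typescript/timing handles …
```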
@@ -1,65 +0,0 @@ -#!/bin/bash - -LOGDIR="/var/log/recordshell" -LOGGING_PID="$$" -FILEPREFIX="$LOGDIR/$(date '+%Y-%m-%d')/$(date '+%Y-%m-%d_%H-%M-%S')-$LOGGING_PID"; -CFG_FILE="/etc/recordshell" - -TARGET_USER="$1" - -#EXTRA_ARGS="-c 'su -c \"/bin/bash -l\" - $TARGET_USER'" -EXTRA_ARGS="-c 'su -s /bin/bash - $TARGET_USER'" - -if [ "`whoami`" != "root" ];then - set -x - exec sudo $0 "`whoami`" - set +x -fi - - -if [ -z "$TARGET_USER" ];then - echo "$0 " - exit 1 -fi - -if ( bash $CFG_FILE &> /dev/null );then - source $CFG_FILE; -else - echo "error in configfile $CFG_FILE" - exit 1 -fi - -mkdir -p $FILEPREFIX -if [ "$?" != "0" ];then - echo "Unable to create directory structure $FILEPREFIX" - exit 1 -fi - -SUDO_MSG="" -if [ -n "$SUDO_USER" ];then - SUDO_MSG=", (sudo user $SUDO_USER, sudo command $SUDO_COMMAND)" -fi -echo "*********************************" -logger -s -t recordshell "[$LOGGING_PID] Starting logged shell session: ${FILEPREFIX}/{typescript,timing} $SUDO_MSG" -set -x - -eval script $EXTRA_ARGS -e -q -f -t ${FILEPREFIX}/typescript 2>${FILEPREFIX}/timing -set +x -logger -s -t recordshell "[$LOGGING_PID] Finished logged shell session: ${FILEPREFIX}/{typescript,timing} $SUDO_MSG" -echo "*********************************" - -gzip ${FILEPREFIX}/typescript -if [ "$?" != "0" ];then - logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/typescript failed" -else - logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/typescript successful (MD5SUM $(md5sum ${FILEPREFIX}/typescript.gz|awk '{print $1}'))" -fi - -gzip ${FILEPREFIX}/timing -if [ "$?" != "0" ];then - logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/timing failed" -else - logger -s -t recordshell "[$LOGGING_PID] compression of ${FILEPREFIX}/timing successful (MD5SUM $(md5sum ${FILEPREFIX}/timing.gz|awk '{print $1}'))" -fi -logger -s -t recordshell "[$LOGGING_PID] review session with: scriptreplay -t ${FILEPREFIX}/{timing.gz,typescript.gz}" -