ObserveIT
Technical Training
Ilan Sharoni
Director Technical Sales/Pre Sales
ilan@observeit.com
Copyright © 2011 ObserveIT. All rights reserved.
All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for informational purposes only.
www.observeit.com
INTRODUCTION
Agenda
• ObserveIT Architecture
• “One Click” Installation (+ Unix Installation)
• Configuring ObserveIT
• Basic Use Cases
• ObserveIT Deployment Scenarios
Lab setup – Course Specific
• Each student runs VMware Workstation
• 1 VM running Microsoft Windows Server 2008 R2 with:
– Active Directory
– Microsoft SQL Server 2008 Express
– ObserveIT latest version binaries
– Reseller license file
• 1 VM running CentOS
• 1 VM running Ubuntu (Optional)
WHAT IS OBSERVEIT
• Platform for User Activity Monitoring.
• Acts like a security camera on your servers
• Helps meet compliance and security challenges
• ObserveIT captures all activity, even for applications that do not produce their own internal logs.
• Identity Theft Detection
• Shared Account handling
• Key Logger
OBSERVEIT ARCHITECTURE
ObserveIT Architecture
• Client/server
• Scalable
• Distributable software application
It consists of four components:
– ObserveIT Agent(s)
– ObserveIT Application Server(s)
– ObserveIT Web Management Console
– ObserveIT Database Server
[Architecture diagram: ObserveIT Agent, Application Server, Web Console, Database Server, ObserveIT Admin]
ObserveIT Agent - Recording
• Records user activity (metadata + screen capture)
• Runs on Windows and Unix
• Sends recorded information to the “ObserveIT Application Server”
• Recording is based on the “Recording Policy”
ObserveIT Application Server
• Manage multiple Agents
• Receives user activity information from Agent
• Stores recorded data in a centralized database (SQL Server or filesystem)
ObserveIT Web Console
• IIS Web application
• Main Features:
– view stored sessions
– Configure “Recording” Policy
– Configure “Access Control” Policy
ObserveIT Databases
• Supports both Microsoft SQL Server databases and filesystem storage
• Data is secured: digitally signed and encrypted
• Data can be archived
Supported Platforms - Agents
• Windows :
– Windows 2000 - 2008 Server
– Vista, XP, Windows 7
• Unix
– Solaris 10 u4-u10
– RHEL CentOS 5.4,5.5,5.6, 6.x
– Ubuntu 10.0.4
– AIX 5.3
Supported Platforms Application Server
• Windows 2003 Server
• Windows 2008 Server
• .NET 2.0
• IIS 6.0 or 7.0
OBSERVEIT – DEMO
(THE INSTRUCTOR WILL DO A 30-MINUTE DEMO OF THE PRODUCT)
OBSERVEIT – “ONE CLICK” INSTALLATION
Installing ObserveIT
• The "One Click" installation method is the easiest way to deploy
ObserveIT
• If needed, each of the ObserveIT components can be installed
separately as part of a custom installation
• Installation order:
– Database creation
– Web Management Console server
– Application server
– Windows Agents
“One Click” Installation
• To run the ObserveIT “One Click” installer, run the Setup.exe file.
• In the main installation screen there are 3 separate configuration sections:
– SQL Server settings
– Web applications (Web Management Console and Application Server) settings
– Licensing
• The installation will also install an Agent locally.
Database
The following databases will be created:
• ObserveIT
• ObserveIT_Data
• ObserveIT_Archive_1
• ObserveIT_Archive_template
The following user will be created:
ObserveITUser (do not delete it or change its password!)
Hands on
• VM Setup and ObserveIT “One Click” installation
• Follow Student Guide sections:
1 – Introduction
2 – Prerequisites & System Requirements
3 – One-Click Installation
5.11 – Installing the ObserveIT Agent on CentOS
5.12 – Installing the ObserveIT Agent on Ubuntu
Length: 45 minutes
Configuring ObserveIT
• Presentation:
“ObserveIT_user_Training_guide__Configuring_ObserveIT_<date>.PPT”
RECORDING AND WEB CONSOLE USAGE BASIC USE CASES
Logging on to the Web Console
• Use the following URL to connect to the ObserveIT Web Management Console:
http://servername:4884/ObserveIT
• If this is your first time using the ObserveIT Web Management Console, you will be prompted to change the default "Admin" password.
The ObserveIT Web Console – Sessions browser
• Areas to replay sessions and study the recorded data:
– Server Diary
– User Diary
– Search
– Reports
Windows User Activity recording
• The Agent will record the users and applications that are specified in the recording policy
• Only user activity is recorded
• User idle time is not recorded (neither in the movie nor in the script)
• Video analysis contains “Window Title” and “Application Name”
Unix User Activity recording
• Agent will record users that are specified in
the recording policy
• All SSH in/out is recorded (not related to
user activity)
• Idle time – relevant for session timeout
only.
• Video Analysis contains “System Calls” and
“Function Calls”
The trainer will demo the:
1. Reports
2. Search
Hands on
• Basic use cases
• Follow Student Guide sections:
4 – Basic Use Cases
4.1 – Simulating User Activity
4.2 – Auditing the User Activity
5.13 – Simulate User Activity on Unix
5.14 – View Linux Recorded Session
Length: 60 minutes
OBSERVEIT DEPLOYMENT SCENARIOS
ObserveIT Deployment Scenarios
• A typical ObserveIT installation consists of multiple monitored
servers (or Agents), each installed on a separate physical or
virtual Windows-based or Unix-based operating system.
• There are 4 typical types of deployment scenarios:
– Small deployment
– Medium to large deployment
– High-Availability deployment
– Terminal/Citrix Remote Access gateway deployment
Small Deployment
• Less than 100 servers
• 5-10 administrators in a single data
center.
• The Application and the Web
Management Servers will be installed
on the same platform
• Database Server can be installed on
the same platform (“All in one”).
[Small deployment diagram: several Agents send HTTP traffic to one “All in one” server running the Database Server, Application Server and Web Console; ObserveIT Admin.]
Medium to Large Deployment
• 100-1000 Servers
• Application Server + Web Console on same
machine
• Microsoft SQL Server on separated machine
• If needed, customer’s existing SQL Server
can be used, or a new instance can be
created.
• ObserveIT Events, Metadata and
Configuration are stored in SQL Server
• Screens/Slides stored on File System
[Medium to large deployment diagram: Agents send HTTP traffic to the Application Server / Web Console machine, which sends SQL traffic to a separate Database Server and stores screens on a RAID network File System; ObserveIT Admin.]
High Availability Deployment
• Multiple Application Servers
• Using a “Load Balancer” or DNS “Round Robin”
• Cluster-based implementation of Microsoft SQL Server
• SQL Server will most likely be using a dedicated storage device
• ObserveIT recorded videos will be saved on a RAID shared network device
[High availability deployment diagram, DNS round robin variant: DNS records oitsrv A 192.168.100.11 and oitsrv A 192.168.100.12, with round robin enabled and record cache set to 0; Agents send HTTP traffic to Active Application Server 1 (192.168.100.11) and Active Application Server 2 (192.168.100.12), both of which send SQL traffic to an MS SQL Failover Cluster.]
[High availability deployment diagram, load balancing cluster variant: DNS record oitsrv A 192.168.100.10 (*Offline Mode enabled); Agents send HTTP traffic to the Load Balancing Cluster at 192.168.100.10 in front of Active Application Server 1 and Active Application Server 2, which send SQL traffic to an MS SQL Failover Cluster and store screens on a RAID network File System.]
TS/Citrix Remote Access Gateway Deployment
• Remote connections will connect to the Terminal Server(s) or
Citrix Server(s).
• On these machines, only the applications required for the
remote users' work will be published.
• The ObserveIT Agent will be installed on the Terminal Server(s)
or Citrix Server(s), capturing all remote sessions on these
machines.
• Visual recording will be available for all the remote users'
actions.
• Less Metadata will be available for the recorded sessions.
Gateway Jump-Server Deployment
[Diagram: remote and local users (corporate desktops and the Internet, no agent installed) connect via SSH/PuTTY and MSTSC to a Gateway Server running the ObserveIT Agent, and from there to the corporate servers (no agent installed); the Gateway Server reports to the ObserveIT Management Server.]
Hybrid Deployment
[Diagram: as in the gateway jump-server deployment, plus direct logins (not via the gateway) to sensitive production servers that have the Agent installed; all Agents report to the ObserveIT Management Server.]
PUPM Active-X architecture
[Diagram: PUPM Server (10.2.56.78); user desktop machine (10.2.56.74) running the ObserveIT Agent, with login allowed to this machine only; the OIT Server (10.2.56.76) contains the installation CAB, which is transferred to the desktop (CAB transfer); machine “17” is in the “My Privileged Accounts” list in the PUPM server, and the desktop opens RDP to 10.2.3.17 (Dima W2003 machine).]
Integration with Active Directory
Authentication requirement:
• Web Console user authentication
• Secondary Identification
Data query requirement:
• Identity theft (email to user)
• One Time password (sms to users phone)
Integration with Active Directory
[Diagram: Agents send HTTP traffic to the Application Server / Web Console, which sends SQL traffic to the Database Server and LDAP traffic (TCP 389) to a Windows Server 2003/2008 Domain Controller; ObserveIT Admin.]
ABOUT OBSERVEIT COMPONENTS
The ObserveIT Components
• ObserveIT Agent
– Windows Agent
– Unix / Linux Agent
• ObserveIT Server-side components
– Application Server
– Web Management Console
– Database
ABOUT EACH COMPONENT
OBSERVEIT AGENT
ObserveIT Agent
• The ObserveIT Agent is installed on all systems which require
monitoring.
• There are 2 versions of the Agent:
– Windows version – runs on all versions of Microsoft
Windows operating systems (32 and 64-bit)
– Unix/Linux version – runs on several versions of Unix/Linux
(32 and 64-bit)
The Windows Agent
• The ObserveIT Agent is a software component that is installed
on any Windows-based operating system (servers and desktop
versions) that you wish to record.
• The ObserveIT Agent is a user-mode executable that binds to
every Desktop User Session.
• It can be installed on any version of Windows, starting from NT
4.0 up to Windows 7 and Windows Server 2008 R2.
• Supports:
– 32-bit machine
– 64-bit machine
The Windows Agent – Minimum System Requirements
The Windows Agent – Capturing Data
• As soon as a user creates a session on a monitored server, the
Agent is started and begins recording – based upon a predetermined recording policy.
• The ObserveIT Agent is triggered by user activities such as
keyboard and mouse events.
• Idle time – when a user is reading, or inactive – is not recorded.
• When triggered, the Agent performs a screen capture.
• At the same moment it captures textual metadata of what is
seen on the screen (window title, executable name, date, time,
user name, etc.).
The Agent – Offline Mode (Windows+Unix)
• The ObserveIT Agent can be configured to allow offline caching
of recorded data.
• This is useful in the event of network malfunctions or
disconnection, and for NLB scenarios.
• When network connectivity is reestablished, the Agent
transmits the locally cached data back to the Application
Server.
• In order not to fill the local disk, by default the local cache holds 1000 screenshots. This number is configurable.
The Windows Agent – keyboard strokes
• For keyboard strokes, capture frequency is configurable:
– Low (default) – every 1 second
– Medium – every 0.5 second
– High – every key stroke = image
The Windows Agent – API
• ObserveIT Agents have an API built into them.
• You may use various programming and scripting languages or
custom DLLs incorporated into your software to connect to this
API and control the Agents’ status.
• For example, it is possible to start, stop, pause, resume and end
recorded sessions. It is possible to start recording based on
process IDs, on process names and on web URLs.
• Recording additional processes can be done into the existing
session, or into a new session, thus creating a separate session
for each recorded process.
The Windows Agent – Security
• The ObserveIT Agent is protected by a watchdog mechanism
that restarts the Agent in case the process is ended.
• If a user stops the watchdog process, it is re-started by the
ObserveIT Agent.
• If a malicious user manages to stop both processes at the same
time, the ObserveIT health check system will alert the
administrator that an Agent is no longer recording, which gives
clear indication that someone has deliberately stopped the
agent.
The Windows Agent – Network Security
• Communication can be secured by enabling SSL.
• If needed, an IPsec tunnel can also be used to protect the Agent
to Server traffic.
[Diagram: HTTPS traffic or IPsec tunnel from the Agent to the Application Server / Web Console, using OASIS standards for WS-SecureConversation, including token exchange, digital signature and a transaction Time-To-Live limit.]
The Windows Agent – Resource Usage
• The ObserveIT Agent is a user-mode process, which only runs
when a user session is active.
• The ObserveIT Agent only consumes resources when a user is
logged on to the monitored server(s).
• average of 10MB of RAM/Session
• average of 1%-2% CPU utilization/Session (only at the moment
of capturing data).
• When multiple concurrent sessions are active (i.e. on a
Citrix/Terminal Server), this resource usage must be added to
the memory calculation for the server sizing plan.
The Windows Agent – Network Connections
• During installation, the ObserveIT setup creates an additional
website in IIS that listens on TCP port 4884.
• The ObserveIT Agent transmits the captured screenshots
and textual metadata to the ObserveIT Application Server via
HTTP via this port.
• This port can be changed (for example - TCP port 80).
[Diagram: HTTP traffic (by default TCP 4884) from the Agent to the Application Server / Web Console.]
The Windows Agent – Network Usage
• Each screenshot is between 5-50 KB (depending on screen
resolution and changes on screen)
• Agent only captures user actions and trims idle time, so
bandwidth usage is relatively small.
• ObserveIT Agents are configured to record in grayscale, but
color recording can also be enabled.
• When the following conditions are met, only grayscale
recording will be used:
– A high screen resolution is detected –
bigger than 1680 x 1050
– Multiple monitors are used
The Windows Agent – Installation
• Installation is performed over a standard Windows installer
package (.MSI) that is well supported by software distribution
applications and Group Policy (GPO).
• Agents can be easily configured to install themselves automatically by using a simple batch file.
• Agents can be auto-configured by using DNS.
• A password can be used to prevent rogue Agent installations.
• No reboot is required!
The Windows Agent – Automated Installation
• A sample batch file called ObserveIT.ClientInstall.cmd is included in the ObserveITAgent setup directory.
• Installation parameters:
– SERVERURL (mandatory) - Directs the Agent to communicate with the specified Application Server. You can also specify the port number.
  • SERVERURL="http://servername:4884/ObserveITApplicationServer"
– SRVPOLTMPL (optional) - Server Policies Template to inherit policy-based configuration from upon installation.
  • SRVPOLTMPL="00000000-0000-0000-0000-000000000000"
– PWD (optional) - The password that is defined on the ObserveIT Application Server.
  • PWD=""
– PROVIDER (optional) - Configures which computer name will control the Agent's API (for stopping and/or starting the Agent's recording). By default, and unless specified, the computer that will be able to control the Agent's API is the localhost (meaning, the computer on which the Agent is installed). You must specify a computer name. IP addresses cannot be used.
  • PROVIDER="oitsrv"
The Windows Agent – ActiveX Installation
• ObserveIT Windows-based Agents can be installed on
monitored machines by means of an Active-X installation,
which would most likely be embedded into the company’s
intranet portals or on other mission-critical web-based
applications.
• Once integrated with the website, whenever a user opens the
web browser and connects to the relevant website, they will be
prompted to download and install the Active-X installation of
the Agent.
• Once installed and based on the configured settings, all the user
actions that are performed inside that specific website or
application will be recorded, while other applications or site will
be excluded.
• Once the user closes the website, the Agent will cease to
function.
The Windows Agent – Integration with DNS
• When the Agent software is deployed to the target machines, it can use DNS to query and locate the machine providing the ObserveIT Application Server services.
• It does so by searching for an SRV record called "_oit._tcp.domain-name.suffix".
• The information from DNS is inserted into the Agent configuration, and if properly configured, it allows the Agent to communicate with the correct server by using the correct TCP port.
The Windows Agent – Integration with DNS
DNS records:
oitsrv A 192.168.100.10
[Diagram: the Agent queries the DNS Server (DNS traffic, UDP 53) for the SRV record _oit._tcp.oit-demo.local (priority = 0, weight = 0, port = 4884, svr hostname = oitsrv.oit-demo.local), then sends HTTP traffic to the Application Server / Web Console, which sends SQL traffic to the Database Server; ObserveIT Admin.]
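The SRV-based auto-configuration described on these two slides, as an added example that is not ObserveIT's own code: it parses nslookup-style SRV output in the layout the slide shows, picks a target the way RFC 2782 prescribes (lowest priority, then weight), and builds the Application Server URL. The sample output below is constructed; the priority-10 standby record and the ObserveITApplicationServer virtual-directory default are assumptions.

```python
"""Added example (not ObserveIT code): derive the Agent's Application Server URL
from the _oit._tcp SRV record, as the DNS-integration slides describe."""
import random
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str       # the queried name, e.g. _oit._tcp.oit-demo.local
    priority: int
    weight: int
    port: int
    target: str     # "svr hostname" in nslookup output


# Constructed sample in the Windows "nslookup -type=SRV" layout shown on the slide.
# The second, priority-10 record is an invented standby added for illustration.
SAMPLE_NSLOOKUP = """\
_oit._tcp.oit-demo.local        SRV service location:
          priority       = 0
          weight         = 0
          port           = 4884
          svr hostname   = oitsrv.oit-demo.local
_oit._tcp.oit-demo.local        SRV service location:
          priority       = 10
          weight         = 0
          port           = 4884
          svr hostname   = oitsrv-standby.oit-demo.local
"""

_FIELD = re.compile(r"^\s*(priority|weight|port|svr hostname)\s*=\s*(\S+)\s*$")


def srv_name(domain: str) -> str:
    """The record the Agent searches for: _oit._tcp.<domain-name.suffix>."""
    return f"_oit._tcp.{domain.strip('.')}"


def parse_nslookup_srv(text: str):
    """Turn nslookup SRV output into SrvRecord objects (one per 'svr hostname' line)."""
    records, name, fields = [], None, {}
    for line in text.splitlines():
        if "SRV service location" in line:
            name, fields = line.split()[0], {}
            continue
        match = _FIELD.match(line)
        if match is None or name is None:
            continue
        fields[match.group(1)] = match.group(2)
        if match.group(1) == "svr hostname":   # last field of a record
            records.append(SrvRecord(name, int(fields["priority"]), int(fields["weight"]),
                                     int(fields["port"]), fields["svr hostname"]))
            name, fields = None, {}
    return records


def select_srv(records, rng=None) -> SrvRecord:
    """RFC 2782 target selection: lowest priority first, weighted choice within that tier."""
    if not records:
        raise LookupError("no _oit._tcp SRV records returned")
    rng = rng or random.Random()
    best = min(r.priority for r in records)
    tier = [r for r in records if r.priority == best]
    total = sum(r.weight for r in tier)
    if total == 0:                      # all weights zero: any target in the tier
        return rng.choice(tier)
    pick, running = rng.uniform(0, total), 0
    for r in tier:
        running += r.weight
        if running >= pick:
            return r
    return tier[-1]


def application_server_url(record: SrvRecord, domain: str,
                           vdir: str = "ObserveITApplicationServer", scheme: str = "http") -> str:
    """Build the SERVERURL value; refuse records that were not answers for _oit._tcp.<domain>."""
    if record.name.lower().rstrip(".") != srv_name(domain).lower():
        raise ValueError(f"unexpected SRV name {record.name!r}")
    return f"{scheme}://{record.target.rstrip('.')}:{record.port}/{vdir}"


def auto_configure(nslookup_text: str, domain: str, rng=None, scheme: str = "http") -> str:
    """End to end: parse, select, build. Use scheme='https' when SSL is enabled on the server."""
    return application_server_url(select_srv(parse_nslookup_srv(nslookup_text), rng),
                                  domain, scheme=scheme)


if __name__ == "__main__":
    print(auto_configure(SAMPLE_NSLOOKUP, "oit-demo.local"))
```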
The Windows Agent –
Hidden Installation from “Add/Remove Program list”
• After the ObserveIT Agent is installed, the software will appear
in the Add/Remove Programs applet in Control Panel. In
addition, when running, a tray icon will appear in the tray
notification area. In some cases, administrators might want the
Agent to run in a hidden manner.
• A sample batch file called ObserveIT.ClientInstall.zARPSC.cmd
is included in the ObserveITAgent setup directory.
The Windows Agent – Hide the Agent's icon
In order to hide the Agent's icon from the tray notification area you
will need to create a new Server Policy, or modify an existing one.
The Unix / Linux Agent
• The ObserveIT Agent is a user mode executable that binds to
every user’s terminal interactive connection.
• It can be installed on Solaris x86/x86_64 / SPARC architectures
and Linux RedHat/Centos 5.x releases, Ubuntu and AIX
• It can be installed on 32-bit and 64-bit flavors of the supported
operating systems.
The Unix Agent – System Requirements
The Linux Agent – System Requirements
The Unix / Linux Agent – Capturing Data
• When a user creates a session on a server, the Agent is started
and begins recording, based upon a pre-determined recording
policy, which is being downloaded from the Application Server.
• The ObserveIT Unix/Linux Agent is triggered by Command Line
Interface (CLI) events. When a user is inactive, the Agent is not
recording.
• Recording happens only while CLI activity is detected, even though the Agent itself remains active.
• When triggered, the Agent captures commands and their
output. It also captures selected system calls metadata (Like
OPEN/CHOWN/UNLINK and other file operations system calls).
The Unix / Linux Agent – Capturing Data
• The ObserveIT Unix/Linux Agent captures all the internal
actions and the names of files/resources affected by command
line operations.
– Command line: Each user command line entry is captured.
– Visual Screen Activity: Everything on the screen is visually recorded,
including user input and screen output.
– System Calls: ObserveIT also captures system calls triggered by each
user command. Every file create/delete/open/permission change,
process creation and link creation is fully exposed. (ex: If the user runs
an alias script named innocentScript that includes system calls to
delete files and change user permissions, this info will also be
captured.)
– Resources affected: In addition, captures each file or resource
affected by the user command. (ex: If the user types rm *.txt,
ObserveIT will show the exact name of each file that was deleted)
The Unix / Linux Agent – Architecture
• The Unix/Linux Agent uses a technique known as "library/function interposition" in order to hook/inject itself into processes.
• It remains inactive until it detects the creation of an interactive session (by virtue of a new pseudo-tty device being created).
• When activated, it spawns an auxiliary process (the logger) that receives the metadata reports ("interesting" system calls and library functions) sent by the agent code hooked into the child processes.
• The logger process also collects all the interactive (keyboard input/output) data passing through the original pseudo-tty device.
• When the interactive session terminates, the logger also exits, after making sure all the data has been sent to the server.
The Unix / Linux Agent – Resource Usage
• The ObserveIT Agent uses an average of 5-20 MB of RAM, about 0.1% CPU utilization when idle and 0.7% CPU utilization on average when recording.
• The ObserveIT Agent only consumes resources when a user is
logged on to the monitored server(s).
The Unix / Linux Agent – Security
• When triggered, the Agent performs capture of CLI activity. At
the same moment it captures system calls metadata that are
operated by the commands.
• The ObserveIT Agent auxiliary process (logger) sits between the
pseudo tty and the interactive shell (man-in-the-middle).
• If this process is terminated it will cause the interactive session
(shell) to be terminated as well.
The Unix / Linux Agent – Security
[Diagram: Login (sshd/telnetd) → ObserveIT Logger (auditing process) sits between the Terminal and the Shell (bash/ksh/sh); the Logger sends HTTP/SOAP to the ObserveIT App Server.]
The Solaris Unix Agent – Installation
• Agent installation is simple, and can be a one-step or a two-step
process:
Installation + Agent registration:
./observeit-agent-solaris10-i386-release-5.5.xx.run -- -I -s <ServerIP>:<Port>
• No reboot is required!
• Agent health check:
/usr/lib/obit/oitcheck
The Linux Agent – Installation
• Here too, Agent installation can be a one-step or a two-step process:
Installation + Agent registration:
./observeit-agent-linux-5.5.xx.run -- -I -s <ServerIP>:<Port>
• No reboot is required!
• Agent health check:
/usr/sbin/oitcheck
ABOUT EACH COMPONENT
OBSERVEIT APPLICATION SERVER
The ObserveIT Application Server
• After being captured by the Agent, both the textual
metadata and graphic image are bundled into a packet,
and sent to the ObserveIT Application Server.
• The ObserveIT Application Server is a stateless ASP.NET
application that runs in the context of Microsoft Internet
Information Server (IIS).
• The ObserveIT Application Server receives the data from
the Agent, validates it, and then stores it into the ObserveIT
Database.
• In addition, the Application Server periodically provides
configuration information to the Agents.
The ObserveIT Application Server – System Requirements
The ObserveIT Application Server – Installation
• The "One Click" installation method is the easiest way to deploy
ObserveIT and can be used to install all ObserveIT Server
components on a single server.
• Installation requires a connection to a SQL Server, and the right
credentials.
• Installation takes less than 5 minutes for a new deployment.
• Custom installations can also be performed.
• No reboot is required!
ABOUT EACH COMPONENT
OBSERVEIT DATABASE
There are 2 types of data storage option:
• SQL Server
• File System
For small and medium size deployments the preferred option is the SQL Server database.
For large deployments it is advised to use the file system for storing the screenshots and the database for storing the textual information such as ObserveIT Events, Metadata and Configuration.
The ObserveIT Database
• All the data captured by ObserveIT is stored in a Microsoft SQL
Server database, on the Database Server.
• This information is stored along with the metadata
describing what is seen on the screen.
• This provides the ability for very powerful searches across
the entire enterprise.
The ObserveIT Database – Using a Local File System Store
• Screenshots can be stored in a centralized filesystem location
(NAS/SAN).
• ObserveIT still requires SQL Server to store all the recorded
metadata, image pointers and configuration settings to the
Microsoft SQL Server.
The ObserveIT Database Server – System Requirements
The ObserveIT Database – Database Size
• The amount of data recorded by the ObserveIT Agents is not a
constant number, but based upon the profile of a typical
recorded user session.
• You need to determine the amount of user actions per typical
session, and the amount of such sessions per day/week/month.
• The overall size of the database can be predicted based on
typical session sizes that were captured during the POC phase.
The ObserveIT Database – Database Size
• Each screenshot's size is affected by a number of factors:
– Client screen resolution
– Client using multiple monitors
– Filtering applications
• Typical average user action screenshot ~5 – 50 KB in size.
The ObserveIT Database – Database Size
• An existing ObserveIT client with around 1000 servers averages
500GB per year with a moderate level of activity.
• Servers with multiple concurrent user sessions such as Terminal
or Citrix servers require more space, depending on the amount
of user activity.
• This modest requirement is because
– No Idle time is recorded
– Using gray scale
– Data compression
• Filter the applications that are recorded (i.e. only record
management tools, LOB applications, or all except specific
applications).
The ObserveIT Database – Database Size
• Data is never deleted from the ObserveIT database.
• To help reduce database sizes:
– Archive old data that may be needed in the future
and store it in an offline database.
– Filter the applications that are recorded (i.e. only
record management tools, LOB applications, or all
except specific applications).
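A sizing calculator for the rules on the preceding database-size slides, as an added example that is not ObserveIT's own tool. The 5-50 KB screenshot range and the reference figure of ~500 GB/year for ~1000 servers are the slides' own; the per-profile action and session counts, the concurrent-session multiplier for Terminal/Citrix hosts and the 20 KB average are assumptions supplied by the caller.

```python
"""Added example (not ObserveIT code): estimate ObserveIT storage growth from the
sizing rules on the slides (idle time not recorded, 5-50 KB per screenshot,
data never deleted from the database until archived)."""
from dataclasses import dataclass

KB, GB = 1024, 1024 ** 3
SCREENSHOT_KB_MIN, SCREENSHOT_KB_MAX = 5, 50             # per-screenshot range from the slide
REFERENCE_SERVERS, REFERENCE_GB_PER_YEAR = 1000, 500     # customer figure quoted on the slide


@dataclass(frozen=True)
class ServerProfile:
    """One class of monitored servers; every value here is a planning assumption."""
    name: str
    servers: int
    actions_per_session: int      # only user actions produce screenshots (idle time is trimmed)
    sessions_per_day: float
    concurrent_sessions: int = 1  # >1 for Terminal/Citrix hosts with parallel user sessions
    avg_screenshot_kb: float = 20.0   # assumed average inside the slide's 5-50 KB range


def validate(profile: ServerProfile) -> None:
    if not SCREENSHOT_KB_MIN <= profile.avg_screenshot_kb <= SCREENSHOT_KB_MAX:
        raise ValueError(f"{profile.name}: average screenshot must be "
                         f"{SCREENSHOT_KB_MIN}-{SCREENSHOT_KB_MAX} KB")
    if min(profile.servers, profile.actions_per_session,
           profile.concurrent_sessions, profile.sessions_per_day) < 0:
        raise ValueError(f"{profile.name}: counts must be non-negative")


def bytes_per_day(profile: ServerProfile) -> float:
    """Daily screenshot volume: servers x concurrent sessions x sessions x actions x size."""
    validate(profile)
    screenshots = (profile.servers * profile.concurrent_sessions
                   * profile.sessions_per_day * profile.actions_per_session)
    return screenshots * profile.avg_screenshot_kb * KB


def gb_per_year(profiles, days: int = 365) -> float:
    return sum(bytes_per_day(p) for p in profiles) * days / GB


def years_until_full(profiles, capacity_gb: float) -> float:
    """Data is never deleted from the database, so growth is linear until you archive."""
    yearly = gb_per_year(profiles)
    return float("inf") if yearly == 0 else capacity_gb / yearly


def ratio_to_reference(profiles) -> float:
    """Estimate divided by the slide's customer figure scaled to the same server count."""
    servers = sum(p.servers for p in profiles)
    expected = REFERENCE_GB_PER_YEAR * servers / REFERENCE_SERVERS
    return gb_per_year(profiles) / expected


# Constructed sample plan: ordinary servers plus a few Citrix hosts.
SAMPLE_PLAN = [
    ServerProfile("standard servers", servers=1000, actions_per_session=50, sessions_per_day=2),
    ServerProfile("citrix hosts", servers=10, actions_per_session=300, sessions_per_day=1,
                  concurrent_sessions=20),
]

if __name__ == "__main__":
    print(f"{gb_per_year(SAMPLE_PLAN):.1f} GB/year, "
          f"{ratio_to_reference(SAMPLE_PLAN):.2f}x the slide's reference figure, "
          f"{years_until_full(SAMPLE_PLAN, 2000):.1f} years until a 2 TB volume is full")
```

A ratio well above 1 against the slide's reference is the cue to revisit the recording policy filters or the archive schedule before the volume fills.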
The ObserveIT Database – Database Security
• When enabling DB Security, the data is digitally signed and encrypted when it is stored in the database.
• A watermark is displayed on each slide.
• Access to the data is limited by permissions defined within the Web Management Console.
Data Security (in DB and File System)
• Screen captures are stored in an SQL database or on a file
system.
• Screen captures are encrypted with a Rijndael 256-bit key.
• In order to protect this key, it is encrypted with a 1024-bit X.509 certificate (with an RSA encryption key).
Archiving and Deleting Information
• Archive data from main ObserveIT database to secondary.
• Improve performance
• The archive job can be scheduled
Backing-Up the Database
• ObserveIT stores all data inside SQL databases. By utilizing
your existing backup solutions you can easily backup your SQL
server, and thus protect your ObserveIT data and configuration.
ABOUT EACH COMPONENT
OBSERVEIT WEB CONSOLE
The ObserveIT Web Console
• Portal main tasks:
– replay sessions
– Searches and reports
– Configuration
• ASP.NET application that runs in the context of a
Microsoft Internet Information Server (IIS).
• Granular permissions can be granted for specific
ObserveIT Administrators (called Console Users) to
only view data recorded on specific servers or specific
users.
• Access to the Web Management Console is audited.
The ObserveIT Web Console – System Requirements
The ObserveIT Web Console – UI
CUSTOM INSTALLATION
Custom Installation
• Each of the ObserveIT components can be installed separately
as part of a custom installation.
• These standalone installers allow you to distribute the
components as needed and to use advanced configuration
options.
• Installation order:
– Install and configure IIS manually
– Install the ObserveIT Database
– Install the ObserveIT Web Console
– Install the ObserveIT Application Server
Installation Prerequisites
• Ensure your servers meet all system requirements for the
components you are installing.
• Login credentials with administrative privileges on the computers on which you intend to install the ObserveIT server-side components and the Agents.
• The IP address and host name of the computer that hosts the
ObserveIT Application Server.
• Obtain a valid license file containing your purchased ObserveIT
license.
Domain Membership (Active Directory)
• Domain membership is not mandatory, but ideally, all
components should be placed on domain members.
• Domain membership benefits:
– Enables usage of AD groups in Console Users
– Enables filtering of AD groups on Secondary Identification
– DNS integration for Agent auto-configuration
– GPO-based installation
Firewall Settings
• You must allow traffic on the TCP port through which the ObserveIT Agents communicate with the ObserveIT Application Server (default – TCP 4884)
• You must allow traffic on the TCP port through which the ObserveIT Application Server communicates with the SQL Server (default – TCP 1433)
[Diagram: HTTP traffic (by default TCP 4884) from the Agent to the Application Server / Web Console; SQL traffic (by default TCP 1433) from there to the Database Server.]
Configuring IIS 6.0
• On Windows Server 2003/R2, use Add/Remove
Windows Components tool.
• Select both "Internet Information Services (IIS)",
and "ASP .NET".
Configuring IIS 7.x
• You can install IIS 7.x in several ways:
– By using Server Manager.
– By using the Command Prompt (recommended)
– By using PowerShell (In Windows Server 2008 R2 only
- recommended)
Configuring IIS 7.x
• Manually add “ASP .NET”
• Verify that “.NET Extensibility”, “ISAPI Extensions” and
“ISAPI Filters” are selected.
• Manually add “IIS 6.0 Management Compatibility” with all
subcomponents.
Preparing IIS
• First – install IIS (either 6.0 or 7.x, depending on host OS)
• Don’t forget to manually add the required components…
• Manually create a new application pool.
• If IIS 7.x, set the "Managed pipeline mode" to "Classic".
• Create a new website using port 4884 and link it to the new
application pool.
• Use this folder path (creating the directories if necessary)
– C:\Program Files\ObserveIT\Web
Or, for 64-bit machines:
– C:\Program Files (x86)\ObserveIT\Web
Installing the Database
• To run the ObserveIT Database installer, run the
SQLPackage.exe file located in the DB folder.
• You need to have SA permissions or equivalent (however, there
is a solution to install without having these permissions).
• Result:
– The ObserveIT Database installer will create and
use 2 databases on the SQL Server:
– The ObserveIT database stores all configuration
data and all of the Metadata captured by
ObserveIT Agents.
– The ObserveIT_Data database stores all
screenshots captured by ObserveIT Agents.
Installing the Web Management Console
• To run the ObserveIT Web Console installer, run the
ObserveIT.WebConsoleSetup.msi file found in the WEB
folder.
• Enter the name of the SQL Server with the ObserveIT
databases.
• Specify the name of the Web Management Console virtual
directory and port. The defaults are ObserveIT and port
4884.
• Result:
– The ObserveIT Web Console installer
will create a virtual directory called
ObserveIT in IIS under the ObserveIT
web site.
Installing the Web Management Console
• To run the ObserveIT Web Console installer, run the
ObserveIT.ServerSetup.msi file found in the WEB folder.
• Enter the name of the SQL Server with the ObserveIT
databases.
• Specify the name of the Web Management Console virtual
directory and port. The defaults are ObserveIT and port
4884.
• Result:
– The ObserveIT Web Console installer
will create a virtual directory called
ObserveIT in IIS under the ObserveIT
web site.
Installing the Application Server
• To run the ObserveIT Application Server installer, run the
ObserveIT.AppServerSetup.msi file found in the WEB folder.
• Enter the name of the SQL Server with the ObserveIT
databases.
• Specify the name of the Application Server virtual directory and
port. The defaults are ObserveITApplicationServer
and port 4884.
• Result:
– The ObserveIT Application Server
installer will create a virtual directory
called ObserveITApplicationServer in
IIS under the ObserveIT web site.
Upgrading ObserveIT
• Upgrading ObserveIT can be easily done by using the "One
Click" installation.
Removing ObserveIT Server
• Use the Control Panel > Add/Remove Programs applet.
• Delete the IIS ObserveIT web site.
• Delete the IIS ObserveIT application pool.
• Open SQL Management Studio and delete the ObserveIT databases.
• Finally, delete the program folder.
Removing ObserveIT Windows Agents
Uninstall methods:
– Control Panel > Add/Remove Programs.
– ObserveIT.ClientUninstall.cmd which is included in the
ObserveITAgent setup directory.
Removing ObserveIT Solaris Unix Agents
• pkgrm OBSVobit
Uninstall ObserveIT from CentOS server
• For 32-bit type:
rpm -e oit
• For 64-bit type:
rpm -e oit.x86_64 oit.i386
Cleanup:
rm -rf /var/run/observeit/
rm -rf /etc/observeit/
Uninstall ObserveIT from Ubuntu server
• sudo apt-get remove oit
• sudo rm -rf /var/run/observeit
• sudo rm -rf /etc/observeit/
Hands on
HANDS ON:
Chapter 5: ObserveIT custom
installation
Length: 60 minutes
USING OBSERVEIT
Using ObserveIT
• After successfully installing ObserveIT you can begin using it to
record and replay user sessions on the monitored servers.
• Typical usage scenarios include:
– Using the Server and User diaries
– Free text searches
– Generating reports
– Exporting sessions
Working with the Server Diary
• “Server Diary” is the default view
• Primary use case: answer “who did what”
• The Server Diary will automatically display:
– The last server accessed
– A listing of all user sessions (time descending)
• Filters:
– Servers (browse, auto-complete)
– Period of time or the date range for the recorded sessions
– Login/User names
Working with the Server Diary
Working with the Server Diary – Expand Session Details
• View User Activity
• Login Messages (and Live Messages) are also displayed
• Administrator can add “Comments”
Working with the Server Diary - Applications
• Applications view shows all the applications that were used on
that particular monitored computer.
Working with the Server Diary – Inventory
• Will show the server characteristics
Working with the Server Diary - Search
• Searching is done only for sessions on the selected server
• Searches for terms that appear in the session metadata
Working with the Server Diary - Messages
• Messages to Login Users can be seen, along with the user
feedback, if one was provided.
Working with the User Diary – Activity page
• Purpose: inspect “what did the user do”
• See user activity
• Latest sessions will be displayed at the top
• Filter by Date
Working with the User Diary - Activities
User Diary – Applications
• Review user activity by applications
Using Free Text Search
• Performs full text search across ALL servers and users.
• Several filters are available – Period/Date range, Login/User,
Server.
Report Generator
• Reports are custom queries that show you the information you
need for common auditing requirements.
• You can use the sample pre-built reports.
• You can copy, edit, save and delete reports.
• You can preview reports while you create them, to make sure
you get the right results.
• You can schedule reports to be sent to multiple e-mail
destinations (requires adding e-mail addresses to Console Users
and configuring the SMTP settings).
Report Generator
• Run the report to display the results
• Video Replay is available for each entry
• Report textual results can be exported to Excel
• When sent by e-mail, links are active
Exporting Sessions
• Once you find an important session you can export it to an
external file:
– An HTML file with all the relevant screenshots lined up in
chronological order
– A ZIP file that can be viewed by anyone.
• You may select to export the entire session, or just specific
information (single images or a range of images)
• Information is not removed from the database.
• If SMTP configuration is correct, a notice will be sent once the
export process is finished.
Exporting Sessions
Alerts/Events: Alerts
Alerts/Events: Events
Alerts/Events: Alerts Settings
Agents monitoring events
– 1201 – Name: Agent Service Started. Description: “The ObserveIT Agent Windows Service has reported that the Agent service was started.” Severity: 3
– 1202 – Name: Agent Service Stopped. Description: “The ObserveIT Agent Windows Service has reported that the Agent service was stopped.” Severity: 5
– 1203 – Name: Agent Service Abnormally Terminated. Description: “The ObserveIT Agent Notification Service has reported that the Agent service was abnormally terminated.” Severity: 5
– 1204 – Name: Agent Process was not initiated within a session. Description: “The ObserveIT Agent Windows Service has reported that the Agent process did not start within a user session.” Severity: 5
– 1205 – Name: Agent file is missing. Description: “The ObserveIT Agent’s installation or configuration file is missing.” Severity: 5
– 1206 – Name: Agent file was changed. Description: “The ObserveIT Agent Windows Service has reported that an installation or configuration file was tampered with.” Severity: 5
– 1207 – Name: Agent Registry Key was changed. Description: “The ObserveIT Agent Windows Service has reported that an ObserveIT registry key was changed.” Severity: 5
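The events above are what a defender would watch to notice that recording on a host has stopped or that the agent itself was tampered with. The following is an added example, not ObserveIT's code: a small triage routine over a constructed log of these event ids (the "timestamp host event-id" line format is an assumption of this example; ObserveIT keeps these events in its database).

```python
# Added example (not ObserveIT's code): triage of the agent monitoring
# events listed above. The log line format is constructed for this example;
# ObserveIT stores these events in its database, not in a text log.
AGENT_EVENTS = {
    1201: "Agent Service Started",
    1202: "Agent Service Stopped",
    1203: "Agent Service Abnormally Terminated",
    1204: "Agent Process was not initiated within a session",
    1205: "Agent file is missing",
    1206: "Agent file was changed",
    1207: "Agent Registry Key was changed",
}
TAMPER_EVENTS = {1205, 1206, 1207}  # integrity of the agent install itself
OUTAGE_EVENTS = {1202, 1203}        # the recording service is no longer running
# Constructed sample: "<timestamp> <host> <event id>", one event per line.
SAMPLE_LOG = """\
2011-03-01T09:00:00 SRV01 1201
2011-03-01T10:12:00 SRV01 1206
2011-03-01T10:13:00 SRV01 1202
2011-03-01T11:00:00 SRV02 1203
2011-03-01T11:02:00 SRV02 1201
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid = line.split()
        eid = int(eid)
        if eid not in AGENT_EVENTS:
            raise ValueError(f"unknown agent event id {eid}")
        events.append((ts, host, eid))
    return sorted(events)  # chronological, since the timestamps are ISO 8601

def triage(events):
    """Per host: is the agent recording right now, and which tamper events were seen?"""
    state = {}
    for ts, host, eid in events:
        s = state.setdefault(host, {"recording": False, "tamper": []})
        if eid == 1201:
            s["recording"] = True
        elif eid in OUTAGE_EVENTS:
            s["recording"] = False
        if eid in TAMPER_EVENTS:
            s["tamper"].append((ts, AGENT_EVENTS[eid]))
    return state

def hosts_needing_attention(state):
    """Hosts with a recording gap or any tamper event, even if the agent came back."""
    return sorted(h for h, s in state.items() if not s["recording"] or s["tamper"])
```

A host whose agent stopped and restarted (SRV02) is not flagged by this rule; a host whose agent stopped and stayed stopped, or whose files were changed, is.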
ObserveIT’s Identity Theft Detection
The Idea: End users help detect identity theft. Don’t fly solo: bring end users into the identity theft detection loop. After all, they know best if it was really them!
How it works: Notify the user each time someone logs in using his credentials from somewhere other than his PC (similar to the method used by Facebook, Gmail, Salesforce, etc.).
[Diagram: Bob’s credentials are used to log in to some server; ObserveIT checks the whitelist and asks Bob “Hey Bob, was this really you?” (Yes / No).]
Check the whitelist:
UID   Client
Bob   BobsPC
Bob   BobsHomePC
– UID:Bob from BobsPC is OK!
– UID:Bob from BobsHomePC is OK!
– UID:Bob from NotBobsPC is NOT OK!
Sam the Security Manager is then asked “Hey Sam, can we add UID:Bob from BobsHomePC to the whitelist?” (Yes / No), or told “Hey Sam, you need to investigate!” when the login was Not Bob from Not Bob’s PC.
Identity Theft Detection/ Settings
Identity Theft Detection/Pairing Request
Identity Theft - Events
– 1000 – User login from paired client
– 1001 – User login from paired client - secondary authentication
– 1002 – User login without paired client
– 1003 – User login without paired client - secondary authentication
– 1004 – User login from unpaired client
– 1005 – User login from unpaired client - secondary authentication
– 1006 – User reported about suspect login
– 1007 – User reported about suspect login - secondary authentication
HANDS ON – Chapter 6
• HANDS ON – Chapter 6 : Additional Use Cases
– Server Diary
– User Diary
– Search
– Reports
– Live Monitoring / Events / Alerts
– Identity Theft
– Export Session
– Testing the Agent Watchdogs
Length: 60 minutes
TROUBLESHOOTING
Working with Trace Files
• Agent trace folder:
C:\Program Files\ObserveIT\ObserveITAgent\Trace
• Application Server Trace:
C:\Program Files (x86)\ObserveIT\Web\ObserveITApplicationServer
**** Trace files DO NOT contain sensitive information!
Working with Trace Files
• Each component of ObserveIT has a different configuration file,
and a different trace folder.
– C:\Program Files\ObserveIT\Web\ObserveITApplicationServer\Web.Config
– C:\Program Files\ObserveIT\Web\ObserveIT\Web.Config
– C:\Program Files\ObserveIT\NotificationService\ObserveIT.WinService.exe.config
– C:\Program Files\ObserveIT\ObserveITAgent\bin\rcdcl.exe.config
• In the relevant files, locate this string:
<system.diagnostics>
  <switches>
    <add name="General" value="1" />
  </switches>
</system.diagnostics>
• Change value="1" to value="3" and save the file.
• Next, go to the corresponding Trace folders and inspect the
resulting files.
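Editing the switch by hand in four files is easy to get wrong, and easy to forget to undo. The block below is an added example, not ObserveIT's code: it reads and changes the "General" switch in a .NET-style .config file and reports which files were left at level 3. The config text is constructed for the example; accepting level 2 as an intermediate value is an assumption of this example, since the slides only mention 1 and 3.

```python
# Added example (not ObserveIT's code): read and change the "General" trace
# switch in a .NET-style .config file such as the ones listed above. The
# config text is constructed for this example; real files hold many more
# elements, which ElementTree keeps intact when the file is rewritten.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.diagnostics>
    <switches>
      <add name="General" value="1" />
    </switches>
  </system.diagnostics>
</configuration>
"""

def _general_switch(root):
    # Look under every <switches> element rather than hard-coding the path.
    for switches in root.iter("switches"):
        for add in switches.findall("add"):
            if add.get("name") == "General":
                return add
    return None

def get_trace_level(config_xml):
    node = _general_switch(ET.fromstring(config_xml))
    return None if node is None else int(node.get("value"))

def set_trace_level(config_xml, level):
    """Return the config text with the General switch set to level.
    Levels 1 (the default shown on the slide) to 3 (verbose) are accepted;
    level 2 as an intermediate value is an assumption of this example."""
    if level not in (1, 2, 3):
        raise ValueError("trace level must be 1 to 3")
    root = ET.fromstring(config_xml)
    node = _general_switch(root)
    if node is None:
        raise KeyError("no General switch under <switches>")
    node.set("value", str(level))
    return ET.tostring(root, encoding="unicode")

def configs_left_verbose(configs):
    """Given {path: config text}, list files still at level 3, so the switch
    can be turned back to 1 once troubleshooting is done (level 3 writes far
    more trace data than the default)."""
    return sorted(p for p, txt in configs.items() if get_trace_level(txt) == 3)
```

ET.tostring drops the XML declaration; when writing a real file back, keep the original declaration line in front of the returned text.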
Installation Issues
• ObserveIT installation program will generate a detailed textual
transcript of all the installed components.
• In addition, each of the setup programs will generate log files
with detailed information about the progress and results of
each installation process.
• If you are experiencing a problem installing the product,
Support may ask you to send the contents of these files to assist
in troubleshooting.
Log/Trace Files:
C:\Program Files\ObserveIT\ObserveITAgent\Trace\*
C:\Program Files (x86)\ObserveIT\NotificationService\ObserveIT_Trace.txt
C:\Program Files (x86)\ObserveIT\Web\ObserveIT\Trace\ObserveIT_Trace.txt
C:\Program Files (x86)\ObserveIT\Web\ObserveITApplicationServer\Trace\ObserveIT_Trace.txt
Contacting Support
• Buying the ObserveIT software allows you to receive support
from the ObserveIT support team.
• Contact ObserveIT support at
support@observeit-sys.com
• When contacting support, please copy the textual log files and
provide as much information about your system as possible.
ObserveIT Centralized Video Replay API Architecture: With federated databases
[Diagram: the OIT Centralized Web Console and Your Custom App talk over HTTP port 4884 to a Video Player HTML Wrapper that offers a single URL for on-the-fly video replay. The centralized console holds config data for the centralized console and config data for each local OIT deployment (OIT Local Install 1, OIT Local Install 2, OIT Local Install 3), each with its own Video Database.]
• Single sign-on: Custom app uses uid/pwd of centralized OIT console
• Passwords are not transferred: Token-based authentication with TTL limits
• Same SSO / pwd / token / TTL process for communication with each local install