
ObserveIT User Guide

Version 5.7

Copyright (c) 2014 ObserveIT Ltd.

Contents
About This Document
Web Management Console
Recording User Sessions
Server Diary
User Diary
Free Text Search
DBA Activity
Replaying User Sessions
    Windows Session Player
    Unix Session Player
ObserveIT Key Logging
    Windows Key Logger
    Unix Key Logger
Threat Detection Console
    Viewing Threat Detection Information
    Configuring Threat Detection Chart Settings
Reports
About the Current ObserveIT Installation


About This Document


After successfully installing ObserveIT, you can begin using it to record and replay user sessions on
the monitored servers.
This guide covers the basic usage guidelines and is intended for ObserveIT Administrators and
Security Auditors.
For information about installing ObserveIT, please refer to the ObserveIT Installation Guide.
For detailed configuration steps, please refer to the ObserveIT Configuration Guide.


Web Management Console


The ObserveIT Web Management console is the tool you use to replay sessions, perform searches
inside the database, and make configuration changes.
Using the Web Management Console is simple and intuitive. Across the top of the interface are tabs to
select a functional view. Each view has a vertical option menu on the left side of the screen. Below the
option menu for all views are quick links to the most recent activity.
By default, ObserveIT's server installation will offer to create an additional web site that will be
configured to listen to TCP port 4884.
When using the default TCP port 4884, use this URL to connect to the ObserveIT Web Management
Console: http://servername:4884/ObserveIT where servername is the name or IP of the server where the
ObserveIT Web Management Console is installed.
When logging on to the Web Console, ObserveIT Console Users enter their credentials in the form of a
user name and password. Over the default http:// URL this information crosses the network in clear
text, so anyone on the network path with an ordinary network sniffer can capture console credentials.
Securing access to the ObserveIT Web Console is therefore a high priority. The first and most important
step is to enable SSL on the ObserveIT web site and to require SSL on the ObserveIT virtual directory
used by the Web Management Console, so that requests over plain HTTP are refused rather than merely
discouraged. Until this is done, do not expose the console beyond a trusted administrative network.
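Putting the recommendation above into practice on the IIS server: the following is an added example, not part of the ObserveIT documentation or product. It assumes the console site the installer created is named ObserveIT (check IIS Manager and adjust $site), that the server's FQDN is observeit.example.local, and that a certificate for that FQDN with a private key is already in the local machine store. It replaces the clear-text HTTP binding on 4884 with an HTTPS binding on the same port, attaches the certificate, sets the Ssl flag on the /ObserveIT virtual directory so that IIS refuses plain-HTTP requests with 403.4, and verifies the result.

```powershell
# Added example: require SSL for the ObserveIT Web Management Console in IIS.
# Assumptions (not from the guide): the console site is named "ObserveIT",
# the server's FQDN is observeit.example.local, and a certificate for that
# FQDN is already installed in Cert:\LocalMachine\My. Run elevated.
Import-Module WebAdministration

$site = 'ObserveIT'                    # assumed site name; check IIS Manager
$fqdn = 'observeit.example.local'      # assumed FQDN of the console server
$port = 4884                           # default console port from the guide
$vdir = "$site/ObserveIT"              # the /ObserveIT virtual directory

if (-not (Get-Website -Name $site)) {
    throw "Site '$site' not found; set `$site to the console site name."
}

# Pick the server certificate by subject; fail rather than bind the wrong one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$fqdn in LocalMachine\My." }

# Replace the clear-text binding on 4884 with an HTTPS binding on the same port.
if (Get-WebBinding -Name $site -Protocol http -Port $port) {
    Remove-WebBinding -Name $site -Protocol http -Port $port
}
if (-not (Get-WebBinding -Name $site -Protocol https -Port $port)) {
    New-WebBinding -Name $site -Protocol https -Port $port -IPAddress '*'
}

# Attach the certificate to the new binding (0.0.0.0 = all addresses).
$sslPath = "IIS:\SslBindings\0.0.0.0!$port"
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item $sslPath -Value $cert | Out-Null

# Require SSL on the /ObserveIT virtual directory, as the guide recommends.
Set-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl' -PSPath 'IIS:\' -Location $vdir

# Verify: sslFlags must read "Ssl" and no http binding may remain on 4884.
$flags = Get-WebConfigurationProperty -Filter 'system.webServer/security/access' `
    -Name sslFlags -PSPath 'IIS:\' -Location $vdir
$protocols = Get-WebBinding -Name $site -Port $port |
             Select-Object -ExpandProperty protocol
"sslFlags on /$vdir : $flags"
"bindings on port ${port}: $($protocols -join ', ')"
if ("$flags" -ne 'Ssl' -or ($protocols -contains 'http')) {
    throw 'Console is still reachable over clear-text HTTP; fix before use.'
}
"Connect with https://${fqdn}:${port}/ObserveIT"
```

Run it in an elevated PowerShell session on the console server. Afterwards the console URL becomes https://servername:4884/ObserveIT; connect using the name on the certificate rather than the IP address, or the browser will warn about a name mismatch. Requiring SSL on the virtual directory matters even after the HTTP binding is gone: if someone later re-adds an HTTP binding, the login page still refuses to serve over it.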

To log in to the Web Management Console


1) If you are logged in at the console of the server on which the Web Management Console is
installed, access it from the "Start" menu under "Programs" > "ObserveIT".

An Internet Explorer window will open, prompting you to log in to the Web Management console.
Internet Explorer 7 users might get a message asking about whether they want to turn the
automatic Phishing Filter on or off.
2) Select the setting you want to keep, and click "OK".


3) If this is your first time using the ObserveIT Web Management Console, you will be prompted to
change the default "Admin" password.

Important: Passwords are case sensitive. Select a password that is strong enough to resist casual
guessing and brute force attacks: at least 6 characters (the minimum this guide requires, which should
be treated as a floor rather than a target) with a combination of lower case, upper case, numbers and
other characters. Store this password in a password manager or another controlled location, because
without it you will not be able to log on to the ObserveIT Web Management Console. This password
CANNOT be recovered in any way.
4) Enter your password and confirm it, then click "Enter". Your new password will be set. Use this
user name and password to gain access to the ObserveIT Web Management Console from any
computer.


If this is not the first time you are using the ObserveIT Web Management Console, the login screen
will appear.

5) Make sure that you enter the correct credentials.


Note: If you do not enter the correct username and/or password, you will not be able to login and
the following error will be displayed: Invalid credentials. Please try again.

Changing the Default Admin Password


To change the default admin password
1) After logging on to the Web Console, open the "Configuration" tab, select the "Console Users"
menu option on the left side menu.

2) Click the default "Admin" Console User in the Console Users list to display the User Details page.


3) Enter the new password, confirm it, and click Update.


4) Click Close to exit the User Details page.
A message will be displayed informing you that the update was successful.


Recording User Sessions


After you have successfully installed the server-side components of ObserveIT, and at least one
ObserveIT Agent, you can start recording user sessions and replaying them. For each additional
machine that needs to be recorded, an ObserveIT Agent must be installed, and proper licenses must be
obtained.
When running, the ObserveIT Agent tray icon will appear in the tray notification area of the
monitored computer(s). This icon can be hidden.

As soon as a user logs on to one of the monitored computer(s), all their actions will be recorded. You
can customize the way these actions are recorded.
After sessions are recorded, you can review the recorded data, replay sessions, generate reports, and
more. You can find these recorded sessions by using either the Server or User diaries, the Search
option, or by running Reports. More information about how to use these features is described in this
user guide.


After you find the session you are interested in, click the Video icon next to the user session to
launch the ObserveIT Session Player, from which you can replay the entire recorded session. The
VCR-like buttons in the Session Player enable you to pause, resume, rewind, or fast forward the
playing of the slides. From the Windows Session Player, you can also save sessions for offline viewing.
For more information, see Replaying User Sessions.


Server Diary
The Server Diary opens by default when you log on to the Web Management Console. The Server
Diary provides information about all activities that occurred on every monitored server and
computer.
The Server Diary provides the following views:
Activities
Applications
Inventory
Software
Search
Messages


Activities View
The default Server Diary view is the Activities View which shows who did what on the selected
server up to the specified date and time. The Activity View automatically displays the last server
accessed with the default date filter, enabling you to see who last accessed a specific server and view
their actions. The Activities View also lists all user sessions in reverse chronological order, so that new
sessions appear at the top of the session lists, making them easy to identify.

To view user sessions that were recorded on a server


1) Enter the required server name in the "Server" text prompt (auto-complete provides a list of
matching server names). You can also click the button next to the field and select the server name
from the Server List pop-up window, which displays a list of available servers, including their
version information, number of recorded sessions, and the date and time of the last user activity on
the server.
Or, you can select the required server from the "Latest Sessions" list on the left of the console, which
includes the most recently active sessions.
2) Specify the required time period (Days, Weeks, Months, Years) or specify a date range for your
sessions search, and then click the "Go" button. You can also filter the session list to display
sessions for "All" logins, "User" logins, or "Administrator" logins.
The page refreshes to display a list of login sessions for the selected server.


Note: If any SQL Server queries were performed on a session, they will be displayed at the end of the
session. For more information, see DBA Activity.
The Login Sessions list is displayed in reverse chronological order for the selected server. The
Windows and Unix icons next to each entry show whether the server you are viewing runs a
Windows-based or Unix-based operating system. Each entry represents a user session. A user session
begins at the time the user logs on, and ends when the user logs out or after a predefined period of
inactivity (the default is 15 minutes, but you can change this in Configuration > Server Policies >
Server Policy Template). The last activity performed by the user in the session is reflected in the
"Session Duration". Each session entry provides the date, duration, the login name (which is the user
account used in the Windows logon process), the actual user name (provided by ObserveIT's
Identification Services), the name of the computer from which the connection was made, the number
of slides in the session, and a "Video" icon.
Clicking the Video icon next to a user session launches the ObserveIT Session Player, which replays the
entire recorded session from beginning to end (for details, see Replaying User Sessions). However,
replaying entire sessions is time consuming and may prove irrelevant to the problem you're trying to
troubleshoot. To make this task easier, ObserveIT lets you expand sessions by clicking on the [+] sign,
and view a textual breakdown or transcript (similar to DVD chapters) of all the applications, files, and
window titles that the user accessed during the session. You can replay a session from any point in
time (or action) by clicking the Video icon at the right of the required expanded session item. Thus,
within seconds, you can determine the applications that were used, the actions that were performed
by the user, and the relevance of the session to your troubleshooting process.
Notes
A live-session icon appearing in the sessions list indicates that a user session is still live, and that a
user is currently logged on to the server. Clicking this icon will launch the Session Player in real-time
replay mode.
A warning icon next to a "Slides" number indicates that the session was tampered with, and could be
corrupted. For example, this icon would appear if a screenshot was deleted from a recorded session.
The warning icon is displayed only if the "Enable Session Integrity" check box was selected in the
Security tab of the "Configuration" > "Security" page; with the check box cleared, tampering such as a
deleted screenshot goes unflagged, so enable it before relying on recordings as evidence.
An alert indication next to a session shows that one or more activity alerts were generated during the
session. Clicking the alert indication opens a popup dialog showing the alert(s). By clicking "View All"
in that dialog, you can jump directly to the Activity Alerts page showing the list of session alerts.
The number that appears to the right of a program or file name in the expanded textual transcript is
the number of instances in which the same program or file name appeared in that particular session.
Data of all the sessions that are displayed on a particular Server Diary page, and the detailed textual
transcript, can be exported to an external window for easier printing and for use in Microsoft Excel.

To view statistics about a server in the Server Diary


Click the "Server Statistics" link in the Activities View.
A window opens displaying statistics about the selected server during the specified time period.

The following information is provided:
Login IDs Used - A breakdown of the login IDs that were used to access the server during the
selected time period.
User Activity Recorded - The daily number of screen frames that were recorded by ObserveIT
during user sessions on the server.


Adding Comments to Sessions


In the Activities and Search Views of the Server Diary, you can add comments to specific sessions, if
required.

To add a comment to a session


1) In the Activity View list, click the [+] sign next to the session to which you want to add a comment.
2) Click the "Add Comment" link.

3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save".
Your comment will appear in the session's expanded list of applications, files, and window titles.

Note: You can repeat this procedure for as many comments as you want to add. Each comment
will appear as a separate entry.

Applications View
The Applications View enables you to view a list of all the applications, resources, registry paths,
Internet Explorer URLs, and so on, that were accessed on the specified server. This view is useful if
you have many recorded sessions and you do not want to review each session, but prefer to see what
resources, such as applications, files and directories, that were accessed on the server. These resources
are displayed in reverse chronological order for the selected server, making the latest sessions easy to
identify.

To view the applications which were accessed on a server


1) Select "Applications" in the left menu of the Server Diary.
2) Specify the server you want to view in the "Server" field, and then click the "Go" button. You can
also click the button next to the field and select the server name from the Server List pop-up window.

3) Select the date up to which you want to display the applications.


The page refreshes to display all the applications that were accessed on the specified server.


Note that you can click on the [+] sign next to an application for more details, and click the Video icon
to open the Session Player in order to replay the selected item.

Inventory View
The Inventory View displays a list of the resources (hardware and software) on the specific server.
This information is gathered from the server and displayed for your convenience. The information is
read-only and cannot be changed.

To display the resources on a server


1) Select "Inventory" in the left menu of the Server Diary.
2) Specify the server you want to view in the "Server" field and click the "Go" button. You can also
click the button next to the field and select the server name from the Server List pop-up window.

Software View
The Software View displays a list of the software that is currently installed on the specific server. This
information is gathered from the server and displayed for your convenience. The information is
read-only and cannot be changed.

To display the software installed on a server


1) Select "Software" in the left menu of the Server Diary.
2) Specify the server you want to view in the "Server" field and click the "Go" button. You can also
click the button next to the field and select the server name from the Server List pop-up window.

If a software or program was installed on the server after the ObserveIT Agent was installed, a Video
icon appears next to the software name, allowing you to replay and view that software's installation
process. This link only appears for programs that were installed after the ObserveIT Agent was
installed. Clicking the "Search" link next to a program or software opens a Google search page with
results related to that program or software; note that this sends the program name from your browser
to Google.

Search View
The Search View is useful for performing search operations against a particular server name. You can
perform Google-like searches based upon words that are important, such as "registry", "notepad",
"delete", and so on. Results are displayed in such a way that lets you see the context of the action and
why they are returned as a result.

To run a search on a server


1) Select "Search" in the left menu of the Server Diary.
2) Specify the server you want to view.
3) Specify a time period for your search.


4) Enter the string you are looking for, and then click the "Search" button to run the search.

Notes
After running your search, you can also do the following:
Expand the results by clicking the [+] sign in order to view a textual breakdown of the search
results, clearly showing you the context in which the application or user action was performed.
Add comments to specific sessions in the search results, by clicking the [+] sign next to the
relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments to
Sessions" above).
Click the Video icon to open the Session Player in order to replay a selected application or
user action.

Messages View
ObserveIT enables you to create and configure messages that will be displayed when a user logs on to
one or more servers. These messages can include information for users, instructions, requests to
perform specific tasks, contact information in case of software or hardware issues, and more. You can
configure messages to be displayed on all servers, on specific servers, for all users logging on to these
servers, or just for some users. You can create and configure messages in the Configuration > Messages
page.
In the Messages View of the Server Diary, you can see all the messages that were displayed on a
server.

To view the messages on a server


1) Select "Messages" in the left menu of the Server Diary.
2) Specify the server whose messages you want to view.
3) Select the type of message you want to display from the "Message to Display" drop-down list.
Options include: "All Messages", "Live Messages", or "Lock Messages".
Note: The features "Live Messages" and "Lock Messages" are not supported on Unix or Linux
Agents. These features are also not supported on Agents that are running ObserveIT versions
prior to 5.6.0.


4) Click the "Go" button.


The Messages Diary refreshes to display the messages for the server and criteria you specified.

Exporting Metadata to Excel


You can export the data of all sessions that are displayed in a Server Diary Activities page, Search
page, and detailed textual transcript, to an external window for easier printing and for usage in
Microsoft Excel.

To export a user session's data


Click the "Print this information" link next to the user session.

To export the textual transcript on a specific user session


1) Expand the required session by clicking the [+] sign on the left.
2) To export the data, click the "Print this information" link next to the user session.
3) To export detailed data of the textual transcript of the selected user session, click the "Print
detailed information" link next to the user session.
Note: "Print this information" exports only what is visually shown in the textual transcript,
whereas "Print detailed information" includes all the user actions performed during the session.
In the "Report To Export" browser window, you can print the report as you would any browser
window, or click the "Excel" link to open the information as an Excel file.


User Diary
The User Diary is the second tab in the Web Management Console. The User Diary provides three
views:
Activities View
Applications View
Search View

Activities View
The default User Diary view is the Activities View which provides information about all user activities
on every monitored server and computer. Each time a user logs into a monitored server, all actions
performed by that user are captured as screenshots, and metadata is collected about the applications,
registry settings, and files that the user accessed. The User Diary is used to see all of this activity by a
particular user across all servers.
The User Diary automatically displays all the latest user sessions from all the monitored computers,
with the default date filter, listing all user sessions in reverse chronological order. This means that
new sessions appear at the top of the session lists, making them easy to identify.


To view sessions which were recorded for a user


1) Enter the required user name in the "Login" text prompt (auto-complete provides a list of
matching user names). You can also click the button next to the field and select the required user
name from the Login List pop-up window. The list of available users is displayed along with the
number of recorded sessions, and the date and time of their last activity.
2) Specify the required activity time period (Days, Weeks, Months, Years) or specify a date range for
your user sessions search. By default, the date filter includes the current month and year as the
selection criteria.
3) If required, you can filter the display of user sessions by server ("All" or a single server).
4) When you have finished specifying the search criteria, click the "Go" button.
The page refreshes to display a list of sessions in reverse chronological order for the selected user.
Note: If any SQL Server queries were performed on a session, they will be displayed at the end of the
session. For more information, see DBA Activity.
Each entry represents a user session. A user session begins at the time the user logs on, and ends when
the user logs out or after a predefined period of inactivity (the default is 15 minutes, but you can
change this in Configuration > Server Policies > Server Policy Template). The last activity performed by the
user in that session is reflected in the "Session Duration". Each session entry provides the date,
duration, the login name (which is the user account used in the Windows logon process), the actual
user name (provided by ObserveIT's Identification Services), the name of the computer from which
the connection was made, the number of slides in the session, and a "Video" icon.
Clicking the Video icon next to a user session launches the ObserveIT Session Player, which replays the
entire recorded session from beginning to end (for details, see Replaying User Sessions). From the
Session Player, you can also save sessions for offline viewing. You can expand sessions by clicking on
the [+] sign, and view a textual breakdown or transcript (similar to DVD chapters) of all the
applications, files, and window titles that the user accessed during the session. You can replay a
session from any point in time (or action) by clicking the Video icon at the right of the required
expanded session item. Thus, within seconds, you can determine the applications that were used, the
actions that were performed by the user, and the relevance of the session to your troubleshooting
process.
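The session boundary rule stated here and in the Server Diary is the same: a session begins at logon, ends at logout or when the inactivity gap exceeds the policy timeout (15 minutes by default), and its duration runs to the last recorded activity. The following added example, not ObserveIT code, reproduces that rule over a constructed list of activity records so that exported metadata can be split into sessions the way the diaries present them when correlating with other logs. The record fields, server names and logins are this example's assumptions, not an ObserveIT export format.

```python
"""Added example (not ObserveIT code): split activity records into sessions
using the rule the Server Diary and User Diary describe. A session starts at
logon and ends at logout or when no activity is recorded for longer than the
inactivity timeout (15 minutes by default); its duration runs to the last
activity. The record fields below are assumptions, not an ObserveIT export
format."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

INACTIVITY_TIMEOUT = timedelta(minutes=15)  # Server Policy Template default


@dataclass
class Activity:
    ts: datetime
    server: str
    login: str
    kind: str           # "logon", "logoff" or "action"
    detail: str = ""    # window title, file name or command (assumed field)


@dataclass
class Session:
    server: str
    login: str
    start: datetime
    last_activity: datetime
    ended_by: str                          # "logoff", "timeout", "relogon" or "open"
    actions: List[str] = field(default_factory=list)

    @property
    def duration(self) -> timedelta:
        # The diary's "Session Duration" ends at the last activity, not when
        # the inactivity timeout expired.
        return self.last_activity - self.start


def sessionize(records: List[Activity], now: Optional[datetime] = None) -> List[Session]:
    """Group records per (server, login) into sessions, newest first."""
    closed: List[Session] = []
    open_sessions: Dict[Tuple[str, str], Session] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        key = (rec.server, rec.login)
        cur = open_sessions.get(key)
        # Inactivity longer than the timeout closed the previous session
        # before this record arrived.
        if cur is not None and rec.ts - cur.last_activity > INACTIVITY_TIMEOUT:
            cur.ended_by = "timeout"
            closed.append(open_sessions.pop(key))
            cur = None
        if rec.kind == "logon":
            if cur is not None:      # logon with no logoff in between
                cur.ended_by = "relogon"
                closed.append(open_sessions.pop(key))
            open_sessions[key] = Session(rec.server, rec.login, rec.ts, rec.ts, "open")
            continue
        if cur is None:
            # Activity with no preceding logon (the export may start mid-session):
            # open a session here rather than silently dropping the record.
            cur = Session(rec.server, rec.login, rec.ts, rec.ts, "open")
            open_sessions[key] = cur
        cur.last_activity = rec.ts
        if rec.kind == "logoff":
            cur.ended_by = "logoff"
            closed.append(open_sessions.pop(key))
        elif rec.detail:
            cur.actions.append(rec.detail)
    # Whatever is still open is live (the diary's live icon) unless the
    # timeout has already passed relative to `now`.
    if now is None:
        now = max((r.ts for r in records), default=datetime.min)
    for cur in open_sessions.values():
        if now - cur.last_activity > INACTIVITY_TIMEOUT:
            cur.ended_by = "timeout"
        closed.append(cur)
    closed.sort(key=lambda s: s.start, reverse=True)  # reverse chronological
    return closed


# Constructed sample input; servers, logins and titles are invented.
T0 = datetime(2014, 3, 10, 9, 0)
SAMPLE = [
    Activity(T0, "SRV-FIN01", "CORP\\jdoe", "logon"),
    Activity(T0 + timedelta(minutes=2), "SRV-FIN01", "CORP\\jdoe", "action", "notepad.exe - payroll.csv"),
    Activity(T0 + timedelta(minutes=9), "SRV-FIN01", "CORP\\jdoe", "action", "cmd.exe"),
    # 40 minutes of silence: the session above ends at 09:09 by inactivity.
    Activity(T0 + timedelta(minutes=49), "SRV-FIN01", "CORP\\jdoe", "action", "regedit.exe"),
    Activity(T0 + timedelta(minutes=55), "SRV-FIN01", "CORP\\jdoe", "logoff"),
    # A second user on another server, still active when the export ends.
    Activity(T0 + timedelta(minutes=50), "SRV-DB01", "CORP\\admin", "logon"),
    Activity(T0 + timedelta(minutes=58), "SRV-DB01", "CORP\\admin", "action", "Ssms.exe"),
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE):
        print(f"{s.start:%Y-%m-%d %H:%M} {s.server:<10} {s.login:<12} "
              f"{int(s.duration.total_seconds() // 60):>3} min  {s.ended_by:<8} {s.actions}")
```

The sample deliberately contains an activity record with no logon in front of it (the regedit.exe record after the 40-minute gap): the diary rule produces a second session there, with a duration of six minutes, rather than stretching the first one across the gap.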
Notes
The Windows and Unix icons next to each entry show whether the server you are viewing runs a
Windows-based or Unix-based operating system.
A live-session icon appearing in the sessions list indicates that a user session is still live, and that a
user is currently logged on to the server. Clicking this icon will launch the Session Player in real-time
replay mode.
An alert indication next to a session shows that one or more activity alerts were generated during the
session. Clicking the alert indication opens a popup dialog showing the alert(s). By clicking "View All"
in that dialog, you can jump directly to the Activity Alerts page showing the list of session alerts.
A warning icon next to a "Slides" number indicates that the session was tampered with, and could be
corrupted. For example, this icon would appear if a screenshot was deleted from a recorded session.
The warning icon is displayed only if the "Enable Session Integrity" check box was selected in the
Security tab of the "Configuration" > "Security" page; with the check box cleared, tampering such as a
deleted screenshot goes unflagged, so enable it before relying on recordings as evidence.
The number that appears to the right of a program or file name in the expanded textual transcript is
the number of instances in which the same program or file name appeared in that particular session.
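Both the Server Diary and User Diary notes describe the session integrity warning only by its effect (a deleted screenshot is flagged) and do not describe how ObserveIT computes the check. The following added example, not ObserveIT code, uses a generic hash chain over a constructed slide sequence to show what such a check has to detect: a slide deleted from the middle, an altered screenshot, and a trailing slide removed all fail verification, while the untouched sequence passes. The slide fields, the chain construction and the sample data are this example's assumptions, not the product's mechanism.

```python
"""Added example (not ObserveIT code): detect a tampered slide sequence with a
hash chain. The guide says the warning icon flags a session whose screenshot
was deleted but does not describe the product's check; this is a generic
construction used to show what such a check must catch. Slide fields and the
sample data are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Slide:
    index: int            # 0-based position in the session
    captured_at: str      # ISO 8601 timestamp
    window_title: str     # metadata shown in the textual transcript
    screenshot: bytes     # image bytes (stand-in values below)
    chain_hash: str = ""  # SHA-256 over this slide and the previous chain_hash


def _slide_digest(prev_hash: str, index: int, captured_at: str,
                  window_title: str, screenshot: bytes) -> str:
    h = hashlib.sha256()
    # Fixed field order plus length prefixes, so bytes moved between fields
    # (e.g. a shortened title padded into the image) still change the digest.
    for part in (prev_hash.encode(), str(index).encode(), captured_at.encode(),
                 window_title.encode("utf-8"), screenshot):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.hexdigest()


def seal_session(raw_slides) -> List[Slide]:
    """Recording side: each slide commits to the one before it."""
    sealed, prev = [], "session-start"
    for i, (captured_at, title, shot) in enumerate(raw_slides):
        digest = _slide_digest(prev, i, captured_at, title, shot)
        sealed.append(Slide(i, captured_at, title, shot, digest))
        prev = digest
    return sealed


def verify_session(slides: List[Slide], expected_final: str) -> Tuple[bool, Optional[int]]:
    """Return (ok, first_bad_position). expected_final is the last chain hash
    recorded when the session was sealed, kept where the slide store cannot
    be rewritten; without it a tamperer could simply rebuild the chain."""
    prev = "session-start"
    for pos, s in enumerate(slides):
        if s.index != pos:                       # gap or reorder
            return False, pos
        if s.chain_hash != _slide_digest(prev, s.index, s.captured_at,
                                         s.window_title, s.screenshot):
            return False, pos                    # slide content or link altered
        prev = s.chain_hash
    if not hmac.compare_digest(prev, expected_final):
        return False, len(slides)                # trailing slides removed
    return True, None


# Constructed sample: four slides of one session with stand-in image bytes.
RAW_SLIDES = [
    ("2014-03-10T09:00:05", "Windows Explorer", b"png-bytes-0"),
    ("2014-03-10T09:00:40", "notepad.exe - payroll.csv", b"png-bytes-1"),
    ("2014-03-10T09:01:12", "cmd.exe", b"png-bytes-2"),
    ("2014-03-10T09:01:45", "regedit.exe", b"png-bytes-3"),
]


def demo() -> dict:
    sealed = seal_session(RAW_SLIDES)
    final = sealed[-1].chain_hash             # stored with the session record
    results = {"intact": verify_session(sealed, final)}
    # The guide's own example of tampering: a screenshot deleted mid-session.
    results["deleted_middle"] = verify_session(sealed[:2] + sealed[3:], final)
    # Dropping the last slide leaves the remaining chain self-consistent;
    # only the separately stored final hash reveals it.
    results["deleted_last"] = verify_session(sealed[:-1], final)
    # Replacing an image while keeping the metadata and stored hash.
    altered = list(sealed)
    altered[1] = replace(sealed[1], screenshot=b"png-bytes-X")
    results["altered_shot"] = verify_session(altered, final)
    return results


if __name__ == "__main__":
    for name, (ok, pos) in demo().items():
        print(f"{name:<15} {'OK' if ok else 'TAMPERED at slide ' + str(pos)}")
```

The deleted_last case is the one to note when reading the warning icon as evidence: removing slides from the end of a recording leaves every remaining link valid, so an integrity check is only as good as the separately protected value it compares the chain against.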

To view statistics about a user in the User Diary


Click the "User Statistics" link in the Activities View.
A window opens displaying statistics about the selected user during the specified time period.

The following information is provided:
Computers Accessed - A breakdown of the computers that were accessed by the user during the
selected period, by the number of recorded sessions.
Session Activity Recorded - The daily number of sessions that were recorded by ObserveIT for
the user.


Adding Comments to User Sessions


In the Activities and Search Views of the User Diary, you can add comments to specific user sessions,
if required.

To add a comment to a user session


1) In the Activity View list, click the [+] sign next to the user session to which you want to add a
comment.
2) Click the "Add Comment" link.

3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save".
Your comment will appear in the session's expanded list of applications, files, and window titles
that the user accessed during the session.

Note: You can repeat this procedure for as many comments as you want to add. Each comment
will appear as a separate entry.


Applications View
The Applications View enables you to view a list of all the applications, resources, registry paths,
Internet Explorer URLs, and so on, that were accessed by the specified user login. This view is useful if
you have many recorded sessions and you do not want to review each session, but prefer to see what
resources, such as applications, files and directories, that were accessed by the user. These resources
are displayed in reverse chronological order for the selected user, making the latest sessions easy to
identify.

Search View
The Search View is useful for performing search operations against a particular user login. You can
perform Google-like searches based upon words that are important, such as "registry", "notepad",
"delete", and so on. Results are displayed in such a way that lets you see the context of the action and
why they are returned as a result.
Note: You can also add comments to specific sessions in the search results, by clicking the [+] sign next
to the relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments
to User Sessions" above).

Exporting Metadata to Excel


You can export data of all sessions that are displayed in a User Diary Activities page, Search page, and
detailed textual transcript, to an external window for easier printing and for usage in Microsoft Excel.

To export a user session's data


Click the "Print this information" link next to the user session.

To export the textual transcript on a specific user session


1) Expand the required session by clicking the [+] sign on the left.
2) To export the data, click the "Print this information" link next to the user session.
3) To export detailed data of the textual transcript of the selected user session, click the "Print
detailed information" link next to the user session.
"Print this information" exports only what is visually shown in the textual transcript, whereas
"Print detailed information" includes all user actions performed during the session.
In the "Report To Export" browser window, you can print the report as you would any browser
window, or click the "Excel" link to open the information as an Excel file.


Free Text Search


The Free Text Search feature expands ObserveIT's searching capabilities by enabling you to perform
Google-like searches for sessions and user activities, based on key words, such as, "registry",
"notepad", "delete". When an IT ticketing system is integrated in the ObserveIT system, you can search
for all sessions that relate to a specific ticket. You can also filter the search criteria to search for key
words in all the applications that were used on any monitored computer. The displayed results
provide the context of the activity.
For example, you can specify the IP address of a server, and find all the instances in which a Remote
Desktop session is open to that server.

To run a free text search


1) Open the Search tab of the Web Management Console.
2) In the "Search for" field, select the type of data you are looking for. Options are:
"Metadata" - enables you to search for key words in the metadata information that is stored in the
ObserveIT database.
"Ticket number" - if an IT ticketing system is integrated in ObserveIT, you can specify the ticket's
unique reference number in order to quickly locate all sessions related to the ticket.
"Application" - enables you to search for keywords in all applications that were used.
"Alert ID" - enables you to search for sessions that have activity alerts according to their ID.

3) Enter the required string/key word/ticket number/alert ID.


4) If you are searching for "Metadata", select the type of sessions in which you are searching: "All",
"Windows", "Unix", or "Unix system calls".
Note: Searches run over the recorded metadata (application names, window titles, files, registry
paths, commands and captured SQL text), not over the screenshot images, so an action that leaves no
such metadata cannot be found by text search. On Unix sessions, you can perform a metadata search
on both user input and commands' output.
5) Click the "Search" button.

The displayed results include information regarding the user's login, the server, and the date.


Notes
You can expand the user session in which you are interested by clicking the [+] sign to the left of the
user session. You can read through the textual transcript and find the user action that is of interest.
Sessions that contain an alert are displayed with an alert indication. You can expand the session to
see exactly which slide has the alert.
If any SQL Server queries were performed on a session, they will be displayed at the end of the
session. For more information, see DBA Activity.
You can add comments to specific sessions in the search results, by clicking the [+] sign next to the
relevant session, and then clicking the "Add Comment" link. In the "Session Comment" dialog box
that pops up, enter your comment, and click "Save". Your comment will appear in the session's
expanded list of user actions. You can add as many comments as you want. Each comment will
appear as a separate entry.
Clicking the Video icon next to the user session will launch the ObserveIT Session Player, and begin
replaying the entire recorded session from beginning to end. The replay can be paused, resumed,
fast forwarded or rewound, and zoomed in or out. From the Session Player, you can also save
sessions for offline viewing.
You can filter the results to display specific user sessions by selecting the user's name from the
"Login/User" drop-down list. This list includes every user name (or login) that used the specific
application or resource.
You can also filter the view to display results for one specific server by selecting the server's name
from the Server drop-down list. This list includes every server name that was used for the
specific application or resource.


DBA Activity
In the DBA Activity tab of the ObserveIT Web Management Console, you can monitor all SQL queries
that were executed by DBAs against production databases. This feature requires all DBAs that you
would like to record to connect through a Windows gateway, on which the ObserveIT Agent is
installed and a DB management tool application is being used.
ObserveIT supports the following database management tool applications:
Microsoft SQL Server Management Studio 2005, 2008
Note: All versions of Microsoft SQL Server Management Studio Express (SSMSE) are currently not
supported.
Toad for Oracle 11.6
SQL*Plus 11.2.0.1.0
The following example illustrates how SQL queries are captured by ObserveIT:

1) A user opens a remote RDP connection to the gateway in order to perform an SQL query.
2) The ObserveIT Agent captures the SQL query using the database management tool application on
the gateway.


Querying SQL Server Sessions


SQL queries are included in the session activity details displayed in the Server Diary and User Diary
pages. When using the Search page in Metadata mode, text matches within SQL queries will also
return the relevant sessions in the search results.
You can query the database for sessions according to any of the following criteria:
Database name
The server to which the user logged in
Database user
Login ID of the user
Free text: Specific information that you are looking for (e.g., specific user, alert, name of table, etc.)
Specific time period, or start and end dates.

To view and search for SQL Server sessions


1) Open the DBA Activity tab in the ObserveIT Web Management console.
The Activities View displays the results of SQL Server queries on the currently selected default ObserveIT database, in reverse chronological order, and according to the default date filter.

For each item in the table, the following information is displayed:


Time: The time that the SQL query occurred.
SQL Query: The content of the SQL query.
Database: The name and path of the ObserveIT database.
DB User: The name of the database user.
Details icon: Enables you to view details about the SQL query session.
Video icon: Enables you to replay a video of the SQL query session.

2) To change the criteria for the SQL queries display, click the [+] sign next to "Filters" to expand the
search fields.


Specify the search criteria according to which you want to perform an SQL Server query, as follows:
In the "Database" field, specify the required database (or click the button to select it from a list of databases).
In the "Server" field, specify the server to which the user is logged in (or click the button to select it from a list of servers).
In the "DB User" field, specify the name of the database user (or click the button to select it from a list of database users).
In the "Login" field, specify the login name of the user (or click the button to select it from a list of Login names).
In the "Query Text" field, you can enter any specific text for your search.
Under "Period" or "Start Date"/"End Date", you can filter your search criteria further by specifying a time period, or start and end dates.


3) When you have finished defining the criteria for the SQL Server session queries, click the "Search"
button.
The page refreshes to display a list of sessions according to the specified criteria.
Note: SQL Server queries that were performed on a session will also be displayed at the end of the session in the Search tab, Server Diary, User Diary, or Archive Search.

To view details of an SQL query session


1) In the Activities table, click the Details icon next to the SQL query whose details you want to view.
A window opens displaying the details of the selected SQL query.
Note: By using the Up/Down arrows, you can browse between all the SQL query activities in the recorded session.


Note: From this window, you can also view a video of the selected SQL query session by clicking the "Session video" icon.

To view a video of an SQL Query session


In the Activities table, click the Video icon to the right of the SQL query you are interested in.
The ObserveIT Session Player opens, enabling you to replay the entire recorded session. For more information, see Replaying User Sessions.


Replaying User Sessions


ObserveIT allows you to replay recorded user sessions by using a VCR-like Session Player. ObserveIT provides two versions: a Windows Session Player for replaying recorded Windows sessions, and a Unix Session Player for replaying recorded Unix sessions. The Session Player opens in a separate browser window.
Similar to a real-life VCR player, ObserveIT's Session Player can be used to play the recorded session starting from the first slide, and throughout the entire recording until it reaches the last slide. You can stop/resume the play at any point by clicking the Pause/Resume button.
Using the Session Player, you can also play the recorded session starting from a specific point in time. This saves the auditor or administrator from having to review the whole session, because the recording can be played from the exact time of the user action that is of interest.

Replaying a Recorded Session


To replay the entire recorded session from start to finish
In the Activities View of the Server Diary or User Diary, click one of the video icons to the right of the required session. For more information, see "Activities View" under Server Diary or User Diary.
The Session Player is launched in a new browser window, and you can begin viewing the recorded session.
Note: If the selected session is a Windows session, the Windows Player will open; if the selected session is a Unix session, the Unix Player will open.

To begin playing the recorded session starting from a specific point in time
1) In the Activities View of the Server Diary or User Diary, expand the user session you are
interested in by clicking the [+] sign to the left of the session. For more information, see "Activities
View" under Server Diary or User Diary.
2) Review the textual transcript of the applications, files, or window titles that the user accessed, or the user input that the user entered during the session, and find the specific action that is of particular interest.
3) Click the icon to the right of the user action.
The Windows or Unix Session Player is launched in a new browser window, and you can begin
viewing the recorded session from the point in time when the user action was performed.
Note: You can also begin playing a recorded session from a specific point in time from the Session
Player itself.


Windows Session Player


The Windows Session Player allows you to replay recorded Windows user sessions. The Session Player is launched in a separate browser window when a user clicks one of the video icons next to a Windows session recording in the Activity View of the Server Diary or User Diary.


Note: You can resize the Session Player window and maximize the screen.
By clicking the icon, you can open the User Activities List, which displays the window titles of all the applications, files, and windows that the user accessed during the session. Each window title may comprise a number of slides. To hide the User Activities List, click the icon again.
The Session Player plays the recorded session starting from the first slide, and throughout the entire recording until it reaches the last slide. You can also click on a window title in the User Activities list in order to play the recorded session directly from that point onwards. You can stop/resume the play at any point by clicking the Pause/Resume button.
When the Session Player opens, an integrity check is run on the images in the session. If a session was tampered with, a warning icon will be displayed in the lower part of the Player. For example, such a warning appears if a screenshot was deleted from the session.
Note that an integrity check is only run if the "Enable Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security" page.

Viewing Activity Alerts in a Session Replay


While replaying a recorded session, you can watch the session video for activity alert(s). If any alerts occurred on the session, an alert indication is displayed on the timeline bar and also on the user activity (in the User Activities list) that triggered the alert. By clicking the alert indication icon, you can see full details about the alert.

Metadata Sessions
User activities that are preconfigured to record only textual metadata about specific applications are identified by an icon in the Activity View of the Server Diary or User Diary. If the session you are replaying is a "metadata-only" session or includes "metadata-only" applications, the Session Player will display a screenshot with a white background and text indicating that it is an ObserveIT Metadata-Only Policy (as shown below).

Note: Only recorded slides (images) will appear in the User Activities List even if the session is a mix
of "metadata-only" policies and application/URL recordings.


Session Player Buttons


The VCR-like buttons, in the lower left part of the Session Player, enable you to quickly pause, resume, rewind, or fast forward the playing of the slides. The functions of these buttons are as follows (from left to right):
Rewind to the previous slide in the current window title
Rewind to the previous window title
Rewind to the previous slide
Pause/Resume play
Forward to the next slide
Forward to the next window title
Forward to the next slide in the current window title

Session Player Icons


The following icons appear in the lower right part of the Session Player enabling you to:
If alerts were generated for a session, display or hide the alert details for
each alert.
Lock a session (only available if you are viewing a Windows Live Session
recording). See "Real-Time Playback Mode" below.
Send a message to the user during a live session (only available if you are
viewing a Windows Live Session recording). See "Real-Time Playback
Mode" below.
View a slide in its original image proportion that was captured by the
Agent. Clicking the icon again returns the image to the Session Player
resolution.
Export the entire current recording or selected slides to an HTML file. See
"Exporting the Session to an HTML File" below.
Create an offline copy of the recording. You can save the entire recording
or select specific slides to save.

Exporting the Session to an HTML File


To save the session recording or specific slides to an HTML file
1) Click the HTML icon in the Session Player.
2) Specify the slides you want to export, or select "All slides" to export the entire recording.
Note: You can still export a session even if an integrity check provided a warning that some slides
are missing.
3) Select the required image size. Options include:
Original (Recorded): The size of the image when it was captured by the Agent.
1000 px wide (A4 Landscape): Image width of 1000 pixels and height proportional to the width.
720x520 px (A4 Portrait): A fixed image size of 720 pixels width and 520 pixels height.

4) Enter a name for the session.


5) Click "Export to HTML".
The exported slides will be displayed in a scrollable HTML Viewer according to the selected image
size, as shown in the following example (720x520 px).


Windows Session Player Additional Features


The "Speed" slider enables you to speed up or slow down the session playback.
The timeline bar above the VCR-like buttons shows the replay progress, also indicating the current slide's window title and the time it was recorded. By clicking the bar, you can jump directly to a specific slide.
The text area above the timeline displays the following information:
The title of the window that is currently viewed in the recorded session, and the number of the slide that is currently displayed on the Player out of the number of slides that have the same window title.
The date and time that the action was performed, and the number of the currently displayed slide out of the total number of slides in the session.


The appearance of a "Signature not verified" watermark indicates that not all the images stored in
the database are currently digitally signed and protected. In order to secure images in the
database, you must obtain a digital certificate for the Application Server, and then enable image
security on the certificate.
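The integrity check described under Windows Session Player and the "Signature not verified" watermark above both rest on each stored image carrying a signature. As an added illustration (not ObserveIT's own code or signing format), the following Python signs every slide bound to its session id and position and also signs the slide count, so that verification flags a deleted, edited, or unsigned slide; the HMAC key standing in for the Application Server's certificate, the record layout and the sample slides are assumptions constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed key standing in for the Application Server certificate the page mentions.
SIGNING_KEY = b"constructed-application-server-key"

# Constructed slide images (real slides would be screenshot bytes).
SLIDES = [b"constructed slide 0", b"constructed slide 1", b"constructed slide 2"]


def _sign(payload: bytes, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_session(session_id: str, slides: List[bytes],
                 key: bytes = SIGNING_KEY) -> Dict:
    """Sign each slide bound to the session id and its position, plus the slide count,
    so a slide cannot be edited, reordered or removed without breaking a signature."""
    records = []
    for position, image in enumerate(slides):
        digest = hashlib.sha256(image).hexdigest()
        records.append({"position": position, "sha256": digest,
                        "sig": _sign(f"{session_id}|{position}|{digest}".encode(), key)})
    return {"session": session_id, "slides": records,
            "count_sig": _sign(f"{session_id}|count={len(slides)}".encode(), key)}


def verify_session(signed: Dict, slides: List[bytes],
                   key: bytes = SIGNING_KEY) -> List[str]:
    """Integrity check run when a session is opened; an empty list means it passed."""
    warnings: List[str] = []
    sid = signed["session"]
    # A removed (or added) slide changes the count, which only the key holder can re-sign.
    if not hmac.compare_digest(_sign(f"{sid}|count={len(slides)}".encode(), key),
                               signed["count_sig"]):
        warnings.append(f"slide count changed: {len(slides)} slides present")
    for position, (rec, image) in enumerate(zip(signed["slides"], slides)):
        if rec.get("sig") is None:           # the "Signature not verified" case
            warnings.append(f"slide {position} is not signed")
            continue
        digest = hashlib.sha256(image).hexdigest()
        # The position is part of the signed data, so a shifted slide also fails.
        expected = _sign(f"{sid}|{position}|{digest}".encode(), key)
        if not hmac.compare_digest(expected, rec["sig"]):
            warnings.append(f"slide {position} failed signature check")
    return warnings


if __name__ == "__main__":
    signed = sign_session("sess-42", SLIDES)
    print("intact:", verify_session(signed, SLIDES))
    print("slide 1 deleted:", verify_session(signed, [SLIDES[0], SLIDES[2]]))
```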

Real-Time Playback Mode


In the Server Diary and User Diary views, the appearance of the live session icon in the sessions list indicates that a user session is still live on that server, and that a user is currently logged on to the server.
Clicking the icon will launch the Session Player in real-time replay mode. In this mode, the Session
Player will immediately begin replaying the latest user activity in the required session. Real-time
replay causes the Session Player to automatically refresh as the user performs actions, clicks, or types
in their session. This means that the Session Player is constantly receiving updates from the ObserveIT
Application server, and even though the viewer appears to have reached the end of the recorded
session, it will still display captured screenshots as they are being recorded on the server.
In real-time replay mode, you can also do the following:
Interrupt the playback by sending a message to the user. During an ObserveIT live recording, if an unusual session is noticed on one of the servers, the ObserveIT administrator can send a message to the user's desktop, and request the user to acknowledge that he has read the message. Note that if a reply is configured as mandatory, the user must enter a text reply in addition to acknowledging the message. Note also that if the message is configured to block the screen (it cannot be ignored or dragged to the corner of the screen), the user will be forced to respond to the message in order to carry on working.
Note: These features are supported only on Windows Agents that are running ObserveIT version
5.6.0 and above. They are not supported on Unix or Linux Agents, or on Agents that are running
ObserveIT versions prior to 5.6.0.
Lock a session. During the replay of a live session, if the Administrator wants to prevent the user from continuing to record the current session, he can send a message to the user and lock the user's desktop after a specified timeout period (seconds).
Note: The "lock session" feature is supported only on Windows Agents that are running ObserveIT
version 5.6.0 and above. It is not supported on Unix or Linux Agents, or on Agents that are
running ObserveIT versions prior to 5.6.0.


To send a message to a user during real-time playback


1) During a live session recording in the Server Diary or User Diary view, click the live session icon next to the relevant user session.
The Session Player opens in real-time replay mode, and begins playing the latest user activity in the session.
2) When the Player reaches an action that you want to interrupt by sending a message to the user, click the Message icon in the lower part of the Viewer.

A message dialog box opens, enabling you to send a message.

3) Enter your message text (or edit the default text), and then click the "Send" button.
4) When the message is received, the user must select "I Acknowledge", as shown in the following
example:

5) If a reply is configured as mandatory, the user must enter a text reply in addition to
acknowledging the message.
6) The user clicks "Finish" to acknowledge the message.


Note that you can view "live" messages in the Server Diary or User Diary session details (by clicking
the [+] sign), as shown in the following example:

To lock a user session during real-time playback


1) During a live session recording in the Server Diary or User Diary view, click the live session icon next to the relevant user session.
The Session Player opens in real-time replay mode, and begins playing the latest user activity in the session.
2) When the playback reaches a point at which you want to lock the session, click the Lock Session
icon in the lower part of the Player.
3) In the message dialog box that opens, specify the timeout period of time (seconds) after which the
session will be locked, enter your required message text, and click "Send".


The user will receive a message, as shown in the following example:

The desktop will be locked after the specified timeout period. Note that only the desktop is locked;
no data will be lost and no application closed. After the timeout period, the user can acknowledge
the message and continue working.
Note: You can view "lock session" messages in the Server Diary or User Diary session details.


Unix Session Player


The Unix Session Player allows you to replay recorded Unix user sessions. The Session Player is launched in a separate browser window when a user clicks one of the video icons next to a Unix session recording in the Activity View of the Server Diary or User Diary.
The Unix Session Player supports multiple languages and font colors. The administrator who replays
the session will see the session exactly as it appeared to the user who logged in to the server.
Note: Unicode UTF8 and standard ASCII character encoding are supported for the recording and
replaying of Unix sessions.


By clicking the icon, you can open the User Activities list, which displays text files of all the user input commands and system calls that were generated during the recorded session. To hide the User Activities list, click the icon again.
The Unix Session Player plays the recorded session starting from the first frame (text file), and throughout the entire recording until it reaches the last frame. You can also click on an "activity" in the list in order to play the recorded session directly from that point onwards. You can stop/resume the play at any point by clicking the Pause/Resume button.
Note: A "live" Unix session is automatically replayed starting from the last frame (i.e., the point where you clicked the video icon). You can change the order of playback to start from the beginning by clicking the "play from the beginning" button.

The VCR-like buttons, in the lower part of the Session Player, enable you to quickly pause, resume, rewind, or fast forward the playing of the frames. The functions of these buttons are as follows (from left to right):
Play the session from the beginning (first frame)
Rewind to the previous user activity
Rewind to the previous frame
Pause/Resume play
Forward to the next frame
Forward to the next user activity

Viewing Activity Alerts in a Session Replay


While replaying a recorded session, you can watch the session video for activity alert(s). If any alerts occurred on the session, an alert indication is displayed on the timeline bar and also on the user activity (in the User Activities list) that triggered the alert. By clicking the Bell icon in the lower right part of the Session Player, you can show or hide the display of the details for each alert.

Unix Session Player Additional Features


The timeline bar above the VCR-like buttons shows the replay progress, also indicating the current frame's activity and the time it was recorded. By clicking the bar, you can jump directly to a specific frame.
The "Speed" slider enables you to speed up or slow down the session playback.
The zoom icons in the lower right part of the Session Player enable you to zoom in and out of the current frame in order to enlarge or reduce the displayed text.
By clicking the export icon in the lower right part of the Session Player, you can export the Unix session output to a text file for offline usage.


ObserveIT Key Logging


ObserveIT Key Logging is supported on Windows and Unix-based operating systems.
Corporate key loggers track and record an employee's computer activity for the purposes of
monitoring, root cause analysis, forensic investigation and regulatory auditing. Traditional Key
Logging software programs monitor each keystroke that users type on the keyboard. The keystrokes
are recorded and indexed, so that they can be searched for and displayed to the end user in simple
reports. However, traditional key loggers can capture only what the user has typed; they do not
provide context information or the ability to see video session recordings of user activity.
In contrast, ObserveIT's key logger generates and replays video recordings of all on-screen user
activity, including every key press and mouse click. Any portion of any recording is directly accessible
via key word search in the ObserveIT Web Management Console (from the Search tab, Server Diary,
User Diary, or Archive Search). You can jump directly to relevant portions of recordings by searching
for particular activities based on text entries, launched programs, opened windows, system
commands executed, etc. ObserveIT's key logger records and enables you to search for specific text
entries made anywhere in the system, whether by typing, editing, keyboard shortcuts, auto-complete
or even copy and paste via the Windows clipboard.
The visual replay of user sessions is provided by the ObserveIT Session Player. For information about
using the ObserveIT Session Player, see Replaying User Sessions.
Note: In order to use ObserveIT's key logger for Windows, the "key logging" feature must be enabled
in the Server Policies settings of the ObserveIT Web Management Console. Key logging capabilities
are always available on Unix machines.

Key Logger Data Encryption


By default, all data that is captured by the ObserveIT key logger on Windows systems is encrypted by
using the SHA256 with asymmetric "salt" hashing algorithm. ObserveIT supports case-sensitive search
matching complete words even on data that is stored encrypted.
However, if you want to retrieve data from the database in its original content form, you can disable
the data encryption. For instructions, please contact ObserveIT support.
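As an added illustration of the Key Logger Data Encryption paragraph above (not ObserveIT's implementation, whose exact scheme the page does not specify), the following Python stores only a salted SHA-256 hash of each captured word and searches by hashing the query the same way, which shows why matching is limited to complete words and is case-sensitive. The salt, the word-splitting rule and the sample captures are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import re
from typing import Dict, List, Set

# Constructed salt for the example; a deployment would keep it outside the database
# that stores the hashed keystroke data, so the rows alone do not reveal the words.
SALT = b"constructed-sample-salt"

# A "word" is a run of letters, digits, dots and underscores, which keeps values
# such as ".NET" or "v4.0.30319" whole (an assumed tokenizing rule).
_WORD_RE = re.compile(r"[A-Za-z0-9_.]+")


def hash_word(word: str, salt: bytes = SALT) -> str:
    """Salted SHA-256 (as an HMAC) of one complete word; case is preserved."""
    return hmac.new(salt, word.encode("utf-8"), hashlib.sha256).hexdigest()


def index_captured_text(session_id: str, captured: str,
                        salt: bytes = SALT) -> List[Dict[str, str]]:
    """One row per captured word holding only its salted hash, never the plaintext."""
    return [{"session": session_id, "position": str(i), "hash": hash_word(w, salt)}
            for i, w in enumerate(_WORD_RE.findall(captured))]


def search(index: List[Dict[str, str]], query: str, salt: bytes = SALT) -> Set[str]:
    """Sessions containing the query as a complete, case-sensitive word: only an
    identical word hashes to the same value, so 'framework' or 'Frame' cannot match."""
    needle = hash_word(query, salt)
    return {row["session"] for row in index if hmac.compare_digest(row["hash"], needle)}


def plaintext_leaked(index: List[Dict[str, str]], word: str) -> bool:
    """Sanity check: the stored rows never contain the captured word itself."""
    return word in json.dumps(index)


# Constructed captures modelled on the page's "Edit Application Pool" scenario.
CAPTURES = {
    "sess-1": ".NET Framework version: .NET Framework v4.0.30319",
    "sess-2": "notepad C:\\temp\\release_notes.txt",
}
INDEX = [row for sid, text in CAPTURES.items() for row in index_captured_text(sid, text)]

if __name__ == "__main__":
    for q in ("Framework", "framework", "Frame", "v4.0.30319"):
        print(f"{q!r}: {sorted(search(INDEX, q))}")
```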
The following topics describe ObserveIT's Key Logger for Windows and Unix-based operating systems:
Windows Key Logger
Unix Key Logger

Windows Key Logger


In addition to capturing every keystroke, the ObserveIT key logger for Windows-based operating
systems can capture values that aren't even typed using the keyboard, such as:
1) The context of the text that was captured, such as a description label of the input control of the
text.
2) Changed field values that are selected from drop-down lists (see below for an example of this
scenario).
3) Changed check box selections using the mouse.
4) Changed numeric values using clicks.


5) Final text values after correction by using the <Backspace> or <Delete> key.
6) CMD commands made using shortcuts, such as, tabs and Up/Down arrows.
7) Editing: If the user edits the text within a control, both the old value and the new value of the text
are captured.
8) Partial typing: Even if only one character within a block of text is changed, the entire text
including the new character is captured.
9) If the Auto-Complete option is selected when the user is typing or if a spell checker is used, the
key logger can capture the entire text.
10) PowerShell and PuTTY: Capture the user's commands as well as the output of Windows PowerShell or the PuTTY client.
The visual replay of user sessions is provided by the ObserveIT Session Player. For information about
using the ObserveIT Session Player for Windows sessions, see Windows Session Player.

Windows Key Logging Scenario Example


The following example illustrates how the ObserveIT text logger captures a changed field value that
was selected from a drop-down list. In this example, the user changes the .NET Framework version of
an application pool on the server.
1) In the Edit Application Pool dialog box, the currently selected .NET Framework version is ".NET
Framework v2.0.50727".


2) The user selects ".NET Framework v4.0.30319" from the ".NET Framework version" drop-down
list, and clicks "OK".

The key logger will capture the new text selection including the context (i.e., the description label
of the drop-down list).
3) When the user performs a search for this activity by entering a keyword, such as "framework", in
the metadata search of the Web Management Console, the list of relevant sessions will include the
"Edit Application Pool" session.


4) By clicking the video icon of this session, or of the expanded session, the Session Player opens and replays the session. The user will be able to see the exact change that was made, within its context.

Unix Key Logger


When using ObserveIT's Key Logger on Unix systems, the Unix Monitor records user activity in any interactive shell running on the machine, and transfers the data to the ObserveIT Management Server.
Recording begins whenever a user starts any interactive session on the system, whether remotely (via
Telnet, SSH, rlogin, etc.) or locally via a console login.
Note: The visual replay of user sessions is provided by the ObserveIT Session Player. For information
about viewing and replaying recorded user activities in Unix sessions, see Unix Session Player.
The ObserveIT Unix Agent captures important OS level information (such as open, fork, unlink) about each user command, by capturing the resources that are affected and any system functions that are made by each command. All the internal actions and names of files and resources that are affected by command line operations are captured.
In addition to capturing all internal actions and names of files and resources affected by command line
operations, the ObserveIT Key Logger for Unix-based operating systems can record:
All interactive shell logins to the system, whether via SSH, Telnet, local console or any other
connection method.
The data stream to and from the terminal on which the login took place.
Each command line activity on the system.
Every activity displayed on the screen is visually recorded, including user input and screen
output.
System calls that were triggered by the command line or script that was executed by the user.
Every file create, delete, open, permission change, process creation, and link creation action, is
fully exposed. For example: If the user runs an alias script named innocentScript that includes
system calls to delete files and change user permissions, this information will also be captured.
Each file or resource affected by a user command is captured. For example: If the user types rm
*.txt, ObserveIT will show the exact name of each file that was deleted.


Threat Detection Console


ObserveIT continuously monitors activities in the system, enabling IT administrators to deal
proactively with any unauthorized activity that could indicate the presence of a threat. ObserveIT's
Threat Detection Console provides at-a-glance graphical charts and reports of the status and trends of
ObserveIT activity, enhancing the ability to discover potential security problems or threats.
You can view the Threat Detection Console and configure its settings in the "Threat Detection" tab of
the Web Management Console.


The following topics describe in detail the type of information that you can view in the Threat
Detection Console, and how to configure Threat Detection chart settings:
Viewing Threat Detection Information
Configuring Threat Detection Chart Settings

Viewing Threat Detection Information


The Threat Detection Console provides the following charts that show the status and trends of
ObserveIT activity:
Night and Weekend Activity
Most Active Computers Now
Infrequently Used Applications
Infrequently Used Computers
Infrequently Used Login IDs
Leap Frog Logins
Remote Access Sessions

Night and Weekend Activity


The "Night and Weekend Activity" chart helps you to identify any potentially unauthorized or
malicious logins to the monitored computers. It shows the number of unique user-to-computer logins
which occurred outside regular working hours, by date. Regular working hours/days are defined in
the Chart Settings tab (see Configuring Threat Detection Chart Settings).
Note the following:
"User-to-computer" logins do not refer to the total number of user logins. For example, if a user logged in 3 times to computer X and 5 times to computer Y, the chart will show 2 logins, not 8.
By clicking the icon, you can change the display of the chart according to day/week/month.
By clicking on a bar in the chart, you can see the number of logins that occurred on that date.


Most Active Computers Now


This chart enables you to see which computers are most active (i.e., running the most sessions) at the current time. Click the Refresh icon to update the display.

Infrequently Used Applications


This chart can help to identify any potentially malicious applications that are running on the
monitored computers.
It lists the applications that were used by the least number of users (by login ID) during the specified
date range.
Note: Even if a user ran an application more than once, it will only be counted as one instance.


Infrequently Used Computers


This chart can help to identify suspicious use of a computer.
It lists the monitored computers that were used for the least number of sessions during the specified
date range.

Infrequently Used Login IDs


This chart can help to identify the suspicious use of a login ID.
It lists the login IDs that were used for the least number of sessions during the specified date range.


Leap Frog Logins


This chart can help to identify potential unauthorized access to a second computer via permitted
access to a first computer.
The "Leap Frog Logins" chart lists the instances in which a user logged in from one monitored
computer to another, during a specified date range. The Login ID is used to access the source
computer (Computer 1), which connects to a second computer (Computer 2), which can connect to a
subsequent computer, and so on.
Note: All computers that participate in "Leap Frog Logins" must belong to the same domain.

Remote Access Sessions


This chart can help to identify users who are not authorized to access other computers remotely.
It lists the remote access sessions that were initiated by a user from a monitored computer during the
specified date range.


Configuring Threat Detection Chart Settings


In the Chart Settings tab, you can configure settings for information that is displayed in the Threat
Detection Console charts. See Viewing Threat Detection Information.

You can configure settings for the following charts:

Chart                           Settings

Night and Weekend Activity      Specify the working days and hours outside which any user login is
                                displayed in the "Night and Weekend Activity" chart. Select the regular
                                working hours time range from the drop-down lists, and add any days of
                                the week beyond the default "Monday to Thursday" regular working days.

Infrequently Used Applications  Specify the number of times below which an application counts as
                                infrequently used and is listed in the "Infrequently Used Applications"
                                chart.

Infrequently Used Computers     Specify the number of times below which a computer counts as
                                infrequently used and is listed in the "Infrequently Used Computers"
                                chart.

Infrequently Used Login IDs     Specify the number of times below which a login ID counts as
                                infrequently used and is listed in the "Infrequently Used Login IDs"
                                chart.
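
The following is an added example, not ObserveIT's own code, that re-creates the logic behind the "Night and Weekend Activity", "Infrequently Used" and "Leap Frog Logins" charts described above over a handful of constructed session records, so that the Chart Settings thresholds can be seen applied. The Session fields, the sample sessions, the working-hours window and the threshold value are all assumptions for illustration; they are not ObserveIT's schema or defaults.

```python
# Added example (not ObserveIT's code): a small re-creation of the Threat
# Detection chart logic over constructed session records, so the thresholds
# from the Chart Settings tab can be seen applied. The Session fields, the
# sample data and the setting values below are assumptions, not ObserveIT's
# own schema or defaults.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class Session:
    login_id: str
    computer: str                           # monitored computer the session ran on
    start: datetime                         # login time
    source_computer: Optional[str] = None   # monitored computer the login came from, if any
    applications: tuple = ()                # applications used during the session


# Constructed sample sessions (assumed data, not real ObserveIT output).
# 3 March 2014 is a Monday; 8 March 2014 is a Saturday.
SESSIONS = [
    Session("alice", "WEB01",  datetime(2014, 3, 3, 9, 15),  None,     ("notepad", "cmd")),
    Session("alice", "WEB01",  datetime(2014, 3, 4, 10, 0),  None,     ("notepad",)),
    Session("bob",   "DB01",   datetime(2014, 3, 4, 14, 30), None,     ("ssms",)),
    Session("bob",   "DB01",   datetime(2014, 3, 5, 23, 45), None,     ("ssms", "regedit")),  # night
    Session("dave",  "WEB01",  datetime(2014, 3, 6, 16, 0),  None,     ("cmd",)),
    Session("carol", "JUMP01", datetime(2014, 3, 8, 11, 0),  None,     ("mstsc",)),           # weekend
    Session("carol", "DB01",   datetime(2014, 3, 8, 11, 5),  "JUMP01", ("ssms",)),            # hop 1
    Session("carol", "FILE01", datetime(2014, 3, 8, 11, 20), "DB01",   ("explorer",)),        # hop 2
]

# Chart settings, mirroring the Chart Settings tab (values are assumptions).
WORKING_DAYS = {0, 1, 2, 3}                 # Monday to Thursday, the guide's default
WORK_START, WORK_END = time(8, 0), time(18, 0)
INFREQUENT_THRESHOLD = 2                    # "number of times below which" an item is infrequent


def night_and_weekend(sessions, days=WORKING_DAYS, start=WORK_START, end=WORK_END):
    """Sessions whose login falls outside the configured working days and hours."""
    return [s for s in sessions
            if s.start.weekday() not in days or not (start <= s.start.time() < end)]


def _below(counts, threshold):
    """Keys whose count is strictly below the threshold, sorted for stable output."""
    return sorted(k for k, n in counts.items() if n < threshold)


def infrequently_used_computers(sessions, threshold=INFREQUENT_THRESHOLD):
    return _below(Counter(s.computer for s in sessions), threshold)


def infrequently_used_login_ids(sessions, threshold=INFREQUENT_THRESHOLD):
    return _below(Counter(s.login_id for s in sessions), threshold)


def infrequently_used_applications(sessions, threshold=INFREQUENT_THRESHOLD):
    """Applications used by the fewest distinct login IDs. As the guide notes, a
    user who runs an application several times is counted once."""
    users_per_app = defaultdict(set)
    for s in sessions:
        for app in s.applications:
            users_per_app[app].add(s.login_id)
    return _below({app: len(u) for app, u in users_per_app.items()}, threshold)


def leap_frog_logins(sessions):
    """Chains of logins that hop from one monitored computer to the next
    (Computer 1 -> Computer 2 -> ...). Returns (login_id, [computers]) per chain."""
    by_login = defaultdict(list)
    for s in sessions:
        by_login[s.login_id].append(s)
    chains = []
    for login_id, own in by_login.items():
        open_chains = {}                    # computer -> chain currently ending there
        for s in sorted(own, key=lambda s: s.start):
            if s.source_computer:
                # extend the chain that ends at the source, or start one from it
                chain = open_chains.pop(s.source_computer, [s.source_computer]) + [s.computer]
            else:
                chain = [s.computer]
            open_chains[s.computer] = chain
        chains.extend((login_id, c) for c in open_chains.values() if len(c) > 1)
    return chains


if __name__ == "__main__":
    for s in night_and_weekend(SESSIONS):
        print("off-hours:", s.login_id, s.computer, s.start)
    print("infrequent computers:", infrequently_used_computers(SESSIONS))
    print("infrequent login IDs:", infrequently_used_login_ids(SESSIONS))
    print("infrequent applications:", infrequently_used_applications(SESSIONS))
    print("leap frog chains:", leap_frog_logins(SESSIONS))
```

With the sample data, the off-hours list contains bob's late-night session and carol's three Saturday sessions, FILE01, JUMP01 and dave fall under the threshold of 2, and carol's JUMP01 -> DB01 -> FILE01 hops form the one leap-frog chain. The chain builder keys each open chain by the computer it currently ends on, which is what lets a third hop extend a chain rather than start a new one.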

Reports
The Reports view in ObserveIT's Web Management Console provides aggregated or summary
information about server and user activity. The feature-rich reports generator can be used by novice
administrators to generate reports based on preconfigured built-in reports, or by experienced
administrators and security auditors who require flexible application usage reports and trend analysis
reviews. Experienced administrators and security auditors can also create comprehensive customized
reports based on their own requirements.
ObserveIT provides two types of predefined reports:
- Custom reports. These are sample reports which you can run, schedule, copy, edit, and delete. You can also manually create new custom reports from these reports.
- System reports. These are built-in reports which you can run, schedule, and copy, but you cannot edit or delete them.
You can run a report by clicking the "Run" link next to the report. Within a short time (depending on the type and range of the report), the report is generated. The results can be viewed in a separate window, printed, and the information exported to an Excel spreadsheet. You can also schedule reports to run at specific intervals, and the results can be emailed to the SMTP aliases that need to review them. The following is an example of a typical reports list.

Report Types
You can generate custom reports based on the following types of information:
- Servers (for example, user activity on a specific server within a specified time period).
- Users (for example, user sessions grouped by login name).
- Applications (for example, applications that were used on monitored servers, grouped by application name).
- Commands (for example, commands entered on a specific date, grouped by session title).
- Comments (for example, all new comments on sessions during the last 24 hours).
- Messages (for example, messages displayed to all users who logged on to a specific server).
- Tickets (for example, all sessions that are related to a specific ticket number).
- Audit Logins (logins to the Web console), Audit Sessions (recorded sessions played back), and Audit Saved Sessions (recorded sessions that were exported).
Note: Sample (custom) reports can be edited and customized according to customer requirements.
Examples of system reports include:
- Activities Report - All user sessions on all monitored servers in the past 48 hours.
- Daily Applications Report - All applications that were accessed in the past 48 hours on all monitored servers, including the user names that accessed them.
- Terminated Session List - A notification to administrators listing terminated sessions. Note that this built-in report differs from the other reports (system, custom, or manually created) because it cannot be scheduled to run at specific intervals. The report is sent automatically when an Agent session is abruptly terminated.
Note: Built-in (system) reports cannot be edited or deleted.

About the Current ObserveIT Installation


To display information about the current ObserveIT installation, click the "About" link in the upper
right corner of the ObserveIT Web Console. The following information is shown:
- Installation folder, usually C:\Program Files\ObserveIT\Web\ObserveIT\bin.
- ObserveIT Web Console version.
- TCP port used by the Agents to connect to the Application Server, usually 4884.
- Name of the SQL Server used for the ObserveIT database.
- ObserveIT support: http://www.observeit.com/Support.
- ObserveIT Website URL: http://www.observeit.com.
