Version 5.7
Contents
About This Document (page 3)
Web Management Console (page 4)
Recording User Sessions (page 8)
Server Diary (page 11)
User Diary (page 20)
Free Text Search (page 25)
DBA Activity (page 27)
Replaying User Sessions (page 31)
  Windows Session Player (page 32)
  Unix Session Player (page 40)
ObserveIT Key Logging (page 42)
  Windows Key Logger (page 42)
  Unix Key Logger (page 45)
Threat Detection Console (page 46)
  Viewing Threat Detection Information (page 47)
  Configuring Threat Detection Chart Settings (page 51)
Reports (page 52)
About the Current ObserveIT Installation (page 54)
An Internet Explorer window will open, prompting you to log in to the Web Management console.
Internet Explorer 7 users might get a message asking about whether they want to turn the
automatic Phishing Filter on or off.
2) Select the setting you want to keep, and click "OK".
3) If this is your first time using the ObserveIT Web Management Console, you will be prompted to
change the default "Admin" password.
Important: Passwords are CASE sensitive. Choose a password that is strong enough to resist
casual guessing and brute-force attacks: at least 6 characters long, with a combination of
lower case, upper case, numbers and other characters. Make sure you remember this password or
write it down in a safe place; without it you will not be able to log on to the ObserveIT Web
Management Console. This password CANNOT be recovered in any way.
4) Enter your password and confirm it, then click "Enter". Your new password will be set. Use this
user name and password to gain access to the ObserveIT Web Management Console from any
computer.
If this is not the first time you are using the ObserveIT Web Management Console, the login screen
will appear.
2) Click the default "Admin" Console User in the Console Users list to display the User Details page.
As soon as a user logs on to one of the monitored computer(s), all their actions will be recorded. You
can customize the way these actions are recorded.
After sessions are recorded, you can review the recorded data, replay sessions, generate reports, and
more. You can find these recorded sessions by using either the Server or User diaries, the Search
option, or by running Reports. More information about how to use these features is described in this
user guide.
After you find the session you are interested in, you can click the Video icon next to the user
session to launch the ObserveIT Session Player, from which you can replay the entire recorded
session. The VCR-like buttons in the Session Player enable you to pause, resume, rewind, or fast
forward the playing of the slides. From the Windows Session Player, you can also save sessions for
offline viewing. For more information, see Replaying User Sessions.
Server Diary
The Server Diary opens by default when you log on to the Web Management Console. The Server
Diary provides information about all activities that occurred on every monitored server and
computer.
The Server Diary provides the following views:
Activities
Applications
Inventory
Software
Search
Messages
Activities View
The default Server Diary view is the Activities View which shows who did what on the selected
server up to the specified date and time. The Activity View automatically displays the last server
accessed with the default date filter, enabling you to see who last accessed a specific server and view
their actions. The Activities View also lists all user sessions in reverse chronological order, so that new
sessions appear at the top of the session lists, making them easy to identify.
Note: If any SQL Server queries were performed on a session, they will be displayed at the end of the
session. For more information, see DBA Activity.
The Login Sessions list is displayed in reverse chronological order for the selected server. The
Windows and Unix icons allow you to easily determine if the server you are viewing runs a
Windows-based or Unix-based operating system. Each entry represents a user session. A user session
begins at the time the user logs on, and ends when the user logs out or after a predefined period of
inactivity (the default is 15 minutes, but you can change this in Configuration > Server Policies >
Server Policy Template). The last activity performed by the user in the session is reflected in the
"Session Duration". Each session entry provides the date, duration, the login name (which is the
user account used in the Windows logon process), the actual user name (provided by ObserveIT's
Identification Services), the name of the computer from which the connection was made, the number
of slides in the session, and a "Video" icon.
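The session boundaries described above (start at logon, end at logoff or after the 15-minute idle timeout, duration reflecting the last activity) can be reproduced from raw activity timestamps. The following is an added example, not ObserveIT code; the event list is constructed and the action names are illustrative.

```python
from datetime import datetime, timedelta

# Added example (not ObserveIT code): deriving Server Diary style sessions from
# raw activity timestamps. A session starts at logon and ends at logoff or after
# a period of inactivity, 15 minutes by default as the guide states.
IDLE_TIMEOUT = timedelta(minutes=15)

# Constructed sample: one login's activity on a monitored server, (timestamp, action).
SAMPLE_EVENTS = [
    ("2024-01-15 09:00:00", "logon"),
    ("2024-01-15 09:02:10", "notepad.exe"),
    ("2024-01-15 09:10:00", "regedit.exe"),
    # 40-minute gap with no logoff: the idle timeout closes the first session
    ("2024-01-15 09:50:00", "cmd.exe"),
    ("2024-01-15 09:55:00", "logoff"),
    ("2024-01-15 10:30:00", "logon"),
    ("2024-01-15 10:31:00", "explorer.exe"),
]


def _close(session, reason):
    session["end_reason"] = reason
    # Session Duration reflects the last activity, not the moment the timeout expired
    session["duration_minutes"] = (session["end"] - session["start"]).total_seconds() / 60
    return session


def build_sessions(events, idle_timeout=IDLE_TIMEOUT):
    """Group (timestamp, action) events into sessions.

    A new session starts at a logon or at the first event after an idle gap
    longer than idle_timeout; it ends at logoff, at the idle gap, or stays "live"
    when no logoff has been seen. Sessions are returned newest first, the order
    used in the diary views. Each session records its number of slides (events).
    """
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), a) for ts, a in events)
    sessions, current = [], None
    for ts, action in parsed:
        if current is not None:
            if ts - current["end"] > idle_timeout:
                sessions.append(_close(current, "idle_timeout"))
                current = None
            elif action == "logon":
                sessions.append(_close(current, "new_logon"))
                current = None
        if current is None:
            current = {"start": ts, "end": ts, "slides": 0}
        current["end"] = ts
        current["slides"] += 1
        if action == "logoff":
            sessions.append(_close(current, "logoff"))
            current = None
    if current is not None:
        # still logged on: the case shown by the live-session icon in the list
        sessions.append(_close(current, "live"))
    return sessions[::-1]


if __name__ == "__main__":
    for s in build_sessions(SAMPLE_EVENTS):
        print(s["start"], s["end_reason"], s["slides"], s["duration_minutes"])
```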
Clicking the Video icon next to a user session launches the ObserveIT Session Player, which
replays the entire recorded session from beginning to end (for details, see Replaying User Sessions).
However, replaying entire sessions is a time-consuming process and might prove to be irrelevant to
the problem you're trying to troubleshoot. To make this task easier, ObserveIT lets you expand
sessions by clicking on the [+] sign, and view a textual breakdown or transcript (similar to DVD
chapters) of all the applications, files, and window titles that the user accessed during the session. You
can replay a session from any point in time (or action) by clicking the Video icon at the right of the
required expanded session item. Thus, within seconds, you can determine the applications that were
used, the actions that were performed by the user, and the relevance of the session to your
troubleshooting process.
Notes
A live-session icon appearing in the sessions list indicates that a user session is still live, and that a
user is currently logged on to the server. Clicking this icon will launch the Session Player in real-time
replay mode.
The appearance of a warning icon next to a "Slides" number indicates that the session was
tampered with, and could be corrupted. For example, this icon would appear if a screenshot was
deleted from a recorded session. Note that the warning icon will only be displayed if the "Enable
Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security"
page.
The appearance of an alert indication next to a session shows that one or more activity alerts
were generated during the session. Clicking the alert indication opens a popup dialog showing
the alert(s).
By clicking "View All", you can jump directly to the Activity Alerts page showing the list of
session alerts.
3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save".
Your comment will appear in the session's expanded list of applications, files, and window titles.
Note: You can repeat this procedure for as many comments as you want to add. Each comment
will appear as a separate entry.
Applications View
The Applications View enables you to view a list of all the applications, resources, registry paths,
Internet Explorer URLs, and so on, that were accessed on the specified server. This view is useful if
you have many recorded sessions and you do not want to review each session, but prefer to see what
resources, such as applications, files and directories, that were accessed on the server. These resources
are displayed in reverse chronological order for the selected server, making the latest sessions easy to
identify.
button and select the server name from the Server List pop-up window.
Note that you can click on the [+] sign next to an application for more details, and click the Video
icon to open the Session Player in order to replay the selected item.
Inventory View
The Inventory View displays a list of the resources (hardware and software) on the specific server.
This information is gathered from the server and displayed for your convenience. The information is
read-only and cannot be changed.
button and select the server name from the Server List pop-up window.
Software View
The Software View displays a list of the software that is currently installed on the specific server. This
information is gathered from the server and displayed for your convenience. The information is
read-only and cannot be changed.
button and select the server name from the Server List pop-up window.
If a software program is installed on the server after the ObserveIT Agent was installed, a replay
icon will appear next to the software name, allowing you to replay and view that software's
installation process. This link only appears for programs that were installed after the ObserveIT
Agent was installed. Clicking the "Search" link next to a program or software will open up a Google
search page with results related to that program or software.
Search View
The Search View is useful for performing search operations against a particular server name. You can
perform Google-like searches based upon words that are important, such as "registry", "notepad",
"delete", and so on. Results are displayed in such a way that lets you see the context of the action and
why they are returned as a result.
4) Enter the string you are looking for, and then click the "Search" button to run the search.
Notes
After running your search, you can also do the following:
Expand the results by clicking the [+] sign in order to view a textual breakdown of the search
results, clearly showing you the context in which the application or user action was performed.
Add comments to specific sessions in the search results, by clicking the [+] sign next to the
relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments to
Sessions" above).
Click the Video icon next to the relevant user action to replay the session from that point.
Messages View
ObserveIT enables you to create and configure messages that will be displayed when a user logs on to
one or more servers. These messages can include information for users, instructions, requests to
perform specific tasks, contact information in case of software or hardware issues, and more. You can
configure messages to be displayed on all servers, on specific servers, for all users logging on to these
servers, or just for some users. You can create and configure messages in the Configuration > Messages
page.
In the Messages View of the Server Diary, you can see all the messages that were displayed on a
server.
User Diary
The User Diary is the second tab in the Web Management Console. The User Diary provides three
views:
Activities View
Applications View
Search View
Activities View
The default User Diary view is the Activities View which provides information about all user activities
on every monitored server and computer. Each time a user logs into a monitored server, all actions
performed by that user are captured as screenshots, and metadata is collected about the applications,
registry settings, and files that the user accessed. The User Diary is used to see all of this activity by a
particular user across all servers.
The User Diary automatically displays all the latest user sessions from all the monitored computers,
with the default date filter, listing all user sessions in reverse chronological order. This means that
new sessions appear at the top of the session lists, making them easy to identify.
By clicking "View All", you can jump directly to the Activity Alerts page showing the list of
session alerts.
The appearance of a warning icon next to a "Slides" number indicates that the session was
tampered with, and could be corrupted. For example, this icon would appear if a screenshot was
deleted from a recorded session. Note that this warning icon will only be displayed if the "Enable
Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security"
page.
The number that appears to the right of a program or file name in the expanded textual transcript
is the number of instances in which the same program or file name appeared in that particular
session.
the user.
3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save".
Your comment will appear in the session's expanded list of applications, files, and window titles
that the user accessed during the session.
Note: You can repeat this procedure for as many comments as you want to add. Each comment
will appear as a separate entry.
Applications View
The Applications View enables you to view a list of all the applications, resources, registry paths,
Internet Explorer URLs, and so on, that were accessed by the specified user login. This view is useful if
you have many recorded sessions and you do not want to review each session, but prefer to see what
resources, such as applications, files and directories, that were accessed by the user. These resources
are displayed in reverse chronological order for the selected user, making the latest sessions easy to
identify.
Search View
The Search View is useful for performing search operations against a particular user login. You can
perform Google-like searches based upon words that are important, such as "registry", "notepad",
"delete", and so on. Results are displayed in such a way that lets you see the context of the action and
why they are returned as a result.
Note: You can also add comments to specific sessions in the search results, by clicking the [+] sign next
to the relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments
to User Sessions" above).
ticket's unique reference number in order to quickly locate all sessions related to the ticket.
"Application" - enables you to search for keywords in all applications that were used.
"Alert ID" - enables you to search for sessions that have activity alerts according to their ID.
The displayed results include information regarding the user's login, the server, and the date.
Notes
You can expand the user session in which you are interested by clicking the [+] sign to the left of
the user session. You can read through the textual transcript and find the user action that is of
interest.
Sessions that contain an alert are displayed with an alert indication icon. Expand the session to
see exactly which slide has the alert.
If any SQL Server queries were performed on a session, they will be displayed at the end of the
session. For more information, see DBA Activity.
You can add comments to specific sessions in the search results, by clicking the [+] sign next to the
relevant session, and then clicking the "Add Comment" link. In the "Session Comment" dialog box
that pops up, enter your comment, and click "Save". Your comment will appear in the session's
expanded list of user actions. You can add as many comments as you want. Each comment will
appear as a separate entry.
Clicking the Video icon next to the user session will launch the ObserveIT Session Player, and begin
replaying the entire recorded session from beginning to end. The replay can be paused, resumed,
fast forwarded or rewound, and zoomed in or out. From the Session Player, you can also save
sessions for offline viewing.
You can filter the results to display specific user sessions by selecting the user's name from the
"Login/User" drop-down list. This list includes every user name (or login) that used the specific
application or resource.
You can also filter the view to display results for one specific server by selecting the server's name
from the Server drop-down list. This list includes every server name that was used for the
specific application or resource.
DBA Activity
In the DBA Activity tab of the ObserveIT Web Management Console, you can monitor all SQL queries
that were executed by DBAs against production databases. This feature requires all DBAs that you
would like to record to connect through a Windows gateway, on which the ObserveIT Agent is
installed and a DB management tool application is being used.
ObserveIT supports the following database management tool applications:
Microsoft SQL Server Management Studio 2005, 2008
Note: All versions of Microsoft SQL Server Management Studio Express (SSMSE) are currently not
supported.
Toad for Oracle 11.6
SQL*Plus 11.2.0.1.0
The following example illustrates how SQL queries are captured by ObserveIT:
1) A user opens a remote RDP connection to the gateway in order to perform an SQL query.
2) The ObserveIT Agent captures the SQL query using the database management tool application on
the gateway.
2) To change the criteria for the SQL queries display, click the [+] sign next to "Filters" to expand the
search fields.
Specify the search criteria according to which you want to perform an SQL Server query, as
follows:
In the "Database" field, specify the required database (or click the button to select it from
a list of databases).
In the "Server" field, specify the server to which the user is logged in (or click the button to
select it).
icon next to the SQL query whose details you want to view.
Note: From this window, you can also view a video of the selected SQL query session by clicking
the "Session video" icon.
icon to the right of the SQL query you are interested in.
The ObserveIT Session Player opens, enabling you to replay the entire recorded session. For more
information, see Replaying User Sessions.
To begin playing the recorded session starting from a specific point in time
1) In the Activities View of the Server Diary or User Diary, expand the user session you are
interested in by clicking the [+] sign to the left of the session. For more information, see "Activities
View" under Server Diary or User Diary.
2) Review the textual transcript of the applications, files, or window titles that the user accessed, or
the user input that the user entered during the session, and find the specific action that has
particular interest.
3) Click the Video icon to the right of the user action.
The Windows or Unix Session Player is launched in a new browser window, and you can begin
viewing the recorded session from the point in time when the user action was performed.
Note: You can also begin playing a recorded session from a specific point in time from the Session
Player itself.
Note: You can resize the Session Player window and maximize the screen.
By clicking the User Activities icon, you can open the User Activities List which displays the window
titles of all the applications, files, and windows that the user accessed during the session. Each
window title may comprise a number of slides. To hide the User Activities List, click the icon again.
The Session Player plays the recorded session starting from the first slide, and throughout the entire
recording until it reaches the last slide. You can also click on a window title in the User Activities list
in order to play the recorded session directly from that point onwards. You can stop/resume the play
at any point by clicking the Pause/Resume button.
When the Session Player opens, an integrity check is run on the images in the session. If a session was
tampered with, a warning icon will be displayed in the lower part of the Player. For example, the
following warning would appear if a screenshot was deleted from the session:
Note that an integrity check is only run if the "Enable Session Integrity" check box was selected in the
Security tab of the "Configuration" > "Security" page.
Metadata Sessions
User activities that are preconfigured to record only textual metadata about specific applications are
identified by a metadata icon in the Activity View of the Server Diary or User Diary. If the session
you are replaying is a "metadata-only" session or includes "metadata-only" applications, the Session
Player will display a screenshot with a white background and text indicating that it is an ObserveIT
Metadata-Only Policy.
Note: Only recorded slides (images) will appear in the User Activities List even if the session is a mix
of "metadata-only" policies and application/URL recordings.
2) Specify the slides you want to export, or select "All slides" to export the entire recording.
Note: You can still export a session even if an integrity check provided a warning that some slides
are missing.
3) Select the required image size. Options include:
Original (Recorded): The size of the image when it was captured by the Agent.
1000 px wide (A4 Landscape): Image width of 1000 pixels and height proportional to the
width.
720x520 px (A4 Portrait): A fixed image size of 720 pixels width and 520 pixels height.
The date and time that the action was performed, and the number of the slide currently
displayed in the Player out of the number of slides that have the same window title.
icon next to
The Session Player opens in real-time replay mode, and begins playing the latest user activity in
the session.
2) When the Player reaches an action that you want to interrupt by sending a message to the user,
click the Message icon.
3) Enter your message text (or edit the default text), and then click the "Send" button.
4) When the message is received, the user must select "I Acknowledge", as shown in the following
example:
5) If a reply is configured as mandatory, the user must enter a text reply in addition to
acknowledging the message.
6) The user clicks "Finish" to acknowledge the message.
Note that you can view "live" messages in the Server Diary or User Diary session details (by clicking
the [+] sign), as shown in the following example:
icon next to
The Session Player opens in real-time replay mode, and begins playing the latest user activity in
the session.
2) When the playback reaches a point at which you want to lock the session, click the Lock Session
icon in the lower part of the Player.
3) In the message dialog box that opens, specify the timeout period of time (seconds) after which the
session will be locked, enter your required message text, and click "Send".
The desktop will be locked after the specified timeout period. Note that only the desktop is locked;
no data will be lost and no application closed. After the timeout period, the user can acknowledge
the message and continue working.
Note: You can view "lock session" messages in the Server Diary or User Diary session details.
By clicking the User Activities icon, you can open the User Activities list which displays text files of
all the user input commands and system calls that were generated during the recorded session. To
hide the User Activities list, click the icon again.
The Unix Session Player plays the recorded session starting from the first frame (text file), and
throughout the entire recording until it reaches the last frame. You can also click on an "activity" in the
list in order to play the recorded session directly from that point onwards. You can stop/resume the
play at any point by clicking the Pause/Resume button.
Note: A "live" Unix session is automatically replayed starting from the last frame (i.e., the point where
you clicked the video icon). You can change the order of playback to start from the beginning by
clicking the button.
The VCR-like buttons, in the lower part of the Session Player, enable you to quickly pause, resume,
rewind, or fast forward the playing of the frames. The functions of these buttons are as follows (from
left to right):
Play the session from the beginning (first frame)
Rewind to the previous user activity
Rewind to the previous frame
Pause/Resume play
Forward to the next frame
Forward to the next user activity
activity (in the User Activities list) that triggered the alert. By clicking the Bell icon in the lower
right part of the Session Player, you can show or hide the display of the details for each alert.
5) Final text values after correction by using the <Backspace> or <Delete> key.
6) CMD commands made using shortcuts, such as tabs and Up/Down arrows.
7) Editing: If the user edits the text within a control, both the old value and the new value of the text
are captured.
8) Partial typing: Even if only one character within a block of text is changed, the entire text
including the new character is captured.
9) If the Auto-Complete option is selected when the user is typing or if a spell checker is used, the
key logger can capture the entire text.
10) PowerShell and Putty: Capture the user's commands as well as the output of Windows PowerShell
or Putty client.
The visual replay of user sessions is provided by the ObserveIT Session Player. For information about
using the ObserveIT Session Player for Windows sessions, see Windows Session Player.
2) The user selects ".NET Framework v4.0.30319" from the ".NET Framework version" drop-down
list, and clicks "OK".
The key logger will capture the new text selection including the context (i.e., the description label
of the drop-down list).
3) When the user performs a search for this activity by entering a keyword, such as "framework", in
the metadata search of the Web Management Console, the list of relevant sessions will include the
"Edit Application Pool" session.
4) By clicking on the video icon of this session, or expanded session, the Session Player will open and
replay the session. The user will be able to see the exact change that was made, within its context.
The following topics describe in detail the type of information that you can view in the Threat
Detection Console, and how to configure Threat Detection chart settings:
Viewing Threat Detection Information
Configuring Threat Detection Chart Settings
By clicking the chart settings icon, you can change the display of the chart according to day/week/month.
By clicking on a bar in the chart, you can see the number of logins that occurred on that date.
Settings
Specify the working days and hours outside which any user logins
will be displayed in the "Night and Weekend Activity" chart.
Select the regular working hours time range from the drop-down
lists, and any additional days of the week to the default "Monday
to Thursday" regular working days.
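The "Night and Weekend Activity" chart is driven by the schedule configured here: any login on a day outside the regular working days, or outside the working-hours range, is counted. The following is an added example, not ObserveIT code, showing that classification and the day/week/month bucketing the chart offers; the 08:00 to 18:00 range and the login list are assumed, constructed values.

```python
from datetime import datetime, time

# Added example (not ObserveIT code): the logic behind the "Night and Weekend
# Activity" chart. Working days default to Monday to Thursday as the guide
# states; the hours range below is an assumed value, chosen in the console.
DEFAULT_WORKING_DAYS = frozenset({0, 1, 2, 3})      # datetime.weekday(): Monday=0 .. Thursday=3
DEFAULT_WORKING_HOURS = (time(8, 0), time(18, 0))   # assumed 08:00-18:00, end exclusive

# Constructed sample logins: (login name, local timestamp).
SAMPLE_LOGINS = [
    ("alice", "2024-01-15 09:30"),  # Monday, inside working hours
    ("bob",   "2024-01-15 22:15"),  # Monday night
    ("erin",  "2024-01-18 17:59"),  # Thursday, last minute of the working day
    ("frank", "2024-01-18 18:00"),  # Thursday, just after working hours
    ("carol", "2024-01-19 10:00"),  # Friday: outside unless Friday is added as a working day
    ("dave",  "2024-01-20 11:00"),  # Saturday
]


def is_outside_working_hours(ts, working_days=DEFAULT_WORKING_DAYS,
                             working_hours=DEFAULT_WORKING_HOURS):
    """True when a login falls on a non-working day or outside the hours range."""
    if ts.weekday() not in working_days:
        return True
    start, end = working_hours
    t = ts.time()
    if start <= end:                       # normal daytime range
        return not (start <= t < end)
    return end <= t < start                # overnight range such as 22:00-06:00


def bucket_key(ts, granularity):
    """Chart bucket label for the day/week/month display."""
    if granularity == "day":
        return ts.date().isoformat()
    if granularity == "week":
        year, week, _ = ts.isocalendar()
        return f"{year}-W{week:02d}"
    if granularity == "month":
        return ts.strftime("%Y-%m")
    raise ValueError(f"unknown granularity: {granularity}")


def night_and_weekend_activity(logins, granularity="day", **policy):
    """Count logins outside the working schedule, keyed by chart bucket.

    Returns a dict like {"2024-01-20": 1}. policy accepts working_days and
    working_hours overrides, e.g. working_days=DEFAULT_WORKING_DAYS | {4} to
    add Friday as a regular working day.
    """
    counts = {}
    for _login, ts_str in logins:
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M")
        if is_outside_working_hours(ts, **policy):
            key = bucket_key(ts, granularity)
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(night_and_weekend_activity(SAMPLE_LOGINS))
    print(night_and_weekend_activity(SAMPLE_LOGINS, "week",
                                     working_days=DEFAULT_WORKING_DAYS | {4}))
```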
Reports
The Reports view in ObserveIT's Web Management Console provides aggregated or summary
information about server and user activity. The feature-rich reports generator can be used by novice
administrators to generate reports based on preconfigured built-in reports, or by experienced
administrators and security auditors who require flexible application usage reports and trend analysis
reviews. Experienced administrators and security auditors can also create comprehensive customized
reports based on their own requirements.
ObserveIT provides two types of predefined reports:
Custom reports. These are sample reports which you can run, schedule, copy, edit, and delete.
You can also manually create new custom reports from these reports.
System reports. These are built-in reports which you can run, schedule, and copy, but you cannot
edit or delete them.
You can run a report by clicking the "Run" link next to the report. Within a short time (depending on
the type and range of report), the report is generated. The results can be viewed in a separate window,
printed, and the information exported to an Excel spreadsheet. You can also schedule reports to run at
specific intervals, and the results can be emailed to SMTP aliases that need to review them. The
following is an example of a typical reports list.
Report Types
You can generate custom reports based on the following types of information:
Servers (for example, user activity on a specific server within a specified time period).
Users (for example, users sessions grouped by login name).
Applications (for example, applications that were used on monitored servers grouped by
application name).
Commands (for example, commands entered on a specific date grouped by session title).
Comments (for example, all new comments to sessions during the last 24 hours).
Messages (for example, messages displayed to all users who logged on to a specific server).
Tickets (for example, all sessions that are related to a specific ticket number).
Audit Logins (logins to the Web console), Audit Sessions (recorded sessions playback), and Audit
Saved Sessions (recorded sessions that were exported).
Note: Sample (custom) reports can be edited and customized according to customer requirements.
Examples of system reports include:
Activities Report - All user sessions on all monitored servers in the past 48 hours.
Daily Applications Report - All applications that were accessed in the past 48 hours on all
monitored servers, including the user names who accessed them.
Terminated Session List - A notification to the administrators listing terminated sessions. Note that
this built-in report differs from the other reports (system, custom, or manually created) because it
cannot be scheduled to run at specific intervals. The report is automatically sent when an Agent
session is abruptly terminated.
Note: Built-in (system) reports cannot be edited or deleted.