ObserveIT User Guide v5.7

March 22, 2017 | Author: gabytgv

ObserveIT User Guide Version 5.7

Copyright (c) 2014 ObserveIT Ltd.

Contents

About This Document
Web Management Console
Recording User Sessions
Server Diary
User Diary
Free Text Search
DBA Activity
Replaying User Sessions
    Windows Session Player
    Unix Session Player
ObserveIT Key Logging
    Windows Key Logger
    Unix Key Logger
Threat Detection Console
    Viewing Threat Detection Information
    Configuring Threat Detection Chart Settings
Reports
About the Current ObserveIT Installation

About This Document

After successfully installing ObserveIT, you can begin using it to record and replay user sessions on the monitored servers. This guide covers the basic usage guidelines and is intended for ObserveIT Administrators and Security Auditors. For information about installing ObserveIT, refer to the ObserveIT Installation Guide. For detailed configuration steps, refer to the ObserveIT Configuration Guide.


Web Management Console

The ObserveIT Web Management Console is the tool you use to replay sessions, search the database, and make configuration changes. Across the top of the interface are tabs that select a functional view. Each view has a vertical option menu on the left side of the screen, and below that menu are quick links to the most recent activity.

By default, the ObserveIT server installation offers to create an additional web site that listens on TCP port 4884. With the default port, connect to the ObserveIT Web Management Console at:

http://servername:4884/ObserveIT

where servername is the host name or IP address of the server on which the Web Management Console is installed.

When logging on to the Web Console, ObserveIT Console Users enter their credentials as a user name and password. Over plain HTTP these credentials cross the network in clear text, where any ordinary network sniffer can pick them up, so securing access to the Web Console is a high priority. The first and most important step is to enable SSL (TLS) on the ObserveIT web site and to require SSL on the ObserveIT virtual directory, the one used by the Web Management Console. Once that is done, connect with an https:// URL rather than the http:// URL shown above.
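As an added example (it is not code from the ObserveIT guide or from the product), the following PowerShell script performs the hardening described above on the IIS server that hosts the console and then checks the result. It assumes the IIS site created by the installer is named "ObserveIT" (the guide does not name it), that the site listens on the default port 4884, and that a server certificate with a private key is already in the local machine's personal certificate store; the site name and thumbprint are placeholders to adjust.

```powershell
# Added example, not code from the ObserveIT guide: replace the console's
# clear-text HTTP listener with HTTPS on the same port, require SSL on the
# ObserveIT virtual directory, and verify. Run in an elevated PowerShell on
# the server that hosts the Web Management Console.
# Assumptions (not stated in the guide): the IIS site is named "ObserveIT",
# it listens on the default port 4884, and the thumbprint below belongs to a
# server certificate (with private key) in Cert:\LocalMachine\My.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName   = 'ObserveIT'                          # assumed IIS site name
$VirtualDir = 'ObserveIT'                          # console virtual directory (from the guide)
$Port       = 4884                                 # default console port (from the guide)
$Thumbprint = 'REPLACE-WITH-YOUR-CERT-THUMBPRINT'  # placeholder

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key, so IIS cannot terminate TLS with it."
}

# 1. Swap the HTTP binding for an HTTPS binding on the same port and attach
#    the certificate to that listener (0.0.0.0 = all interfaces).
Remove-WebBinding -Name $SiteName -Protocol http -Port $Port
New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
$sslBinding = "IIS:\SslBindings\0.0.0.0!$Port"
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item -Path $sslBinding -Value $cert | Out-Null

# 2. Require SSL on the virtual directory. This is the IIS "Require SSL"
#    setting: a request arriving over a plain HTTP binding gets 403.4 instead
#    of the logon form, even if someone later re-adds an HTTP binding.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $VirtualDir `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 3. Verify the configuration rather than trusting that the calls succeeded.
$protocols = Get-WebBinding -Name $SiteName | Select-Object -ExpandProperty protocol
if ($protocols -contains 'http') { throw "Site '$SiteName' still has an HTTP binding." }
$raw = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Location $VirtualDir `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
$flags = if ($null -ne $raw.Value) { $raw.Value } else { $raw }   # attribute object or bare string
if ("$flags" -notmatch 'Ssl') { throw "Require SSL is not set on /$VirtualDir (sslFlags='$flags')." }

# 4. Probe the old clear-text URL from the server itself: it must be refused.
try {
    Invoke-WebRequest -Uri "http://localhost:$Port/$VirtualDir/" -UseBasicParsing -TimeoutSec 5 | Out-Null
    Write-Warning "Clear-text HTTP on port $Port still answers; check the bindings."
} catch {
    Write-Host "HTTP on port $Port refused as expected ($($_.Exception.Message))"
}
Write-Host "Console is now at https://$($env:COMPUTERNAME):$Port/$VirtualDir/"
```

The script keeps the familiar port so that only the scheme in the console URL changes. The final probe only checks that plain HTTP is gone; test the https:// URL from a browser on another machine as well, since a certificate that does not match the host name used in the URL will still make users click through warnings, which defeats the point.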

To log in to the Web Management Console

1) If you are logged in at the console of the server on which the Web Management Console is installed, open it from the "Start" menu under "Programs" > "ObserveIT".

An Internet Explorer window opens, prompting you to log in to the Web Management Console. Internet Explorer 7 users might see a message asking whether to turn the automatic Phishing Filter on or off.

2) Select the setting you want to keep, and click "OK".


3) If this is your first time using the ObserveIT Web Management Console, you will be prompted to change the default "Admin" password.

Important: Passwords are case sensitive. Choose a password strong enough to resist casual guessing and brute-force attacks: at least 6 characters, with a combination of lower case, upper case, numbers and other characters. Treat 6 characters as an absolute floor; a considerably longer password or passphrase is far harder to brute-force. Make sure you remember this password or keep it in a safe place (such as a password manager), because without it you cannot log on to the ObserveIT Web Management Console. This password CANNOT be recovered in any way.

4) Enter your password and confirm it, then click "Enter". Your new password is set. Use this user name and password to access the ObserveIT Web Management Console from any computer.


If this is not the first time you are using the ObserveIT Web Management Console, the login screen will appear.

5) Make sure that you enter the correct credentials.

Note: If you do not enter the correct user name and/or password, you cannot log in and the following error is displayed: Invalid credentials. Please try again.

Changing the Default Admin Password

To change the default admin password

1) After logging on to the Web Console, open the "Configuration" tab and select the "Console Users" option in the left-side menu.

2) Click the default "Admin" Console User in the Console Users list to display the User Details page.


3) Enter the new password, confirm it, and click "Update".

4) Click "Close" to exit the User Details page. A message is displayed informing you that the update was successful.


Recording User Sessions

After you have successfully installed the server-side components of ObserveIT and at least one ObserveIT Agent, you can start recording user sessions and replaying them. For each additional machine that needs to be recorded, an ObserveIT Agent must be installed and the proper licenses must be obtained. When running, the ObserveIT Agent tray icon appears in the tray notification area of the monitored computer(s). This icon can be hidden.

As soon as a user logs on to one of the monitored computer(s), all their actions will be recorded. You can customize the way these actions are recorded. After sessions are recorded, you can review the recorded data, replay sessions, generate reports, and more. You can find these recorded sessions by using either the Server or User diaries, the Search option, or by running Reports. More information about how to use these features is described in this user guide.


After you find the session you are interested in, click the icon next to the user session to launch the ObserveIT Session Player, from which you can replay the entire recorded session. The VCR-like buttons in the Session Player let you pause, resume, rewind, or fast forward the playing of the slides. From the Windows Session Player, you can also save sessions for offline viewing. For more information, see Replaying User Sessions.


Server Diary

The Server Diary opens by default when you log on to the Web Management Console. It provides information about all activities that occurred on every monitored server and computer. The Server Diary provides the following views:

- Activities
- Applications
- Inventory
- Software
- Search
- Messages


Activities View

The default Server Diary view is the Activities View, which shows "who did what" on the selected server up to the specified date and time. The Activities View automatically displays the last server accessed with the default date filter, so you can see who last accessed a specific server and view their actions. It also lists all user sessions in reverse chronological order, so that new sessions appear at the top of the session list, making them easy to identify.

To view user sessions that were recorded on a server

1) Enter the required server name in the "Server" text prompt (auto-complete provides a list of matching server names). You can also click the button next to the prompt and select the server name from the Server List pop-up window, which lists the available servers with their version information, number of recorded sessions, and the date and time of the last user activity on each server.

-Or-

Select the required server from the "Latest Sessions" list on the left of the console, which includes the most recently active sessions.

2) Specify the required time period (Days, Weeks, Months, Years) or a date range for your session search, and then click the "Go" button. You can also filter the session list to display sessions for "All" logins, "User" logins, or "Administrator" logins.

The page refreshes to display a list of login sessions for the selected server.


Note: If any SQL Server queries were performed during a session, they are displayed at the end of the session. For more information, see DBA Activity.

The Login Sessions list is displayed in reverse chronological order for the selected server. The Windows and Unix icons let you see at a glance whether the server you are viewing runs a Windows-based or Unix-based operating system.

Each entry represents a user session. A user session begins when the user logs on, and ends when the user logs out or after a predefined period of inactivity (the default is 15 minutes; you can change this in Configuration > Server Policies > Server Policy Template). The last activity performed by the user in the session is reflected in the "Session Duration". Each session entry shows the date, the duration, the login name (the user account used in the Windows logon process), the actual user name (provided by ObserveIT's Identification Services), the name of the computer from which the connection was made, the number of slides in the session, and a "Video" icon.

Clicking the Video icon next to a user session launches the ObserveIT Session Player, which replays the entire recorded session from beginning to end (for details, see Replaying User Sessions). Replaying entire sessions is time consuming, however, and may be irrelevant to the problem you are troubleshooting. To make this easier, ObserveIT lets you expand a session by clicking the [+] sign and view a textual breakdown, or transcript (similar to DVD chapters), of all the applications, files, and window titles that the user accessed during the session. You can replay a session from any point in time (or action) by clicking the Video icon to the right of the required expanded session item. Thus, within seconds, you can determine which applications were used, which actions the user performed, and whether the session is relevant to your troubleshooting.

Notes

- A live-session icon in the sessions list indicates that a user session is still live and that a user is currently logged on to the server. Clicking this icon launches the Session Player in real-time replay mode.

- A warning icon next to a "Slides" number indicates that the session was tampered with and could be corrupted; for example, it appears if a screenshot was deleted from a recorded session. The warning icon is only displayed if the "Enable Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security" page, so enable that option before you rely on a recording as evidence that a session is complete.

- An alert indication next to a session shows that one or more activity alerts were generated during the session. Clicking the alert indication opens a pop-up dialog showing the alert(s). For example:

By clicking "View All", you can jump directly to the Activity Alerts page showing the list of session alerts.


- The number to the right of a program or file name in the expanded textual transcript is the number of times that program or file name appeared in that particular session.

- The data of all sessions displayed on a Server Diary page, and the detailed textual transcript, can be exported to an external window for easier printing and for use in Microsoft Excel.

To view statistics about a server in the Server Diary

- Click the "Server Statistics" link in the Activities View. A window opens displaying statistics about the selected server during the specified time period.

The following information is provided:

- Login IDs Used - A breakdown of the login IDs that were used to access the server during the selected time period.

- User Activity Recorded - The daily number of screen frames that were recorded by ObserveIT during user sessions on the server.


Adding Comments to Sessions

In the Activities and Search Views of the Server Diary, you can add comments to specific sessions, if required.

To add a comment to a session

1) In the Activity View list, click the [+] sign next to the session to which you want to add a comment.

2) Click the "Add Comment" link.

3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save". Your comment will appear in the session's expanded list of applications, files, and window titles.

Note: You can repeat this procedure for as many comments as you want to add. Each comment will appear as a separate entry.

Applications View

The Applications View lists all the applications, resources, registry paths, Internet Explorer URLs, and so on, that were accessed on the specified server. This view is useful if you have many recorded sessions and do not want to review each one, but prefer to see which resources, such as applications, files and directories, were accessed on the server. These resources are displayed in reverse chronological order for the selected server, making the latest sessions easy to identify.

To view the applications which were accessed on a server

1) Select "Applications" in the left menu of the Server Diary.

2) Specify the server you want to view in the "Server" field, and then click the "Go" button. You can also click the button next to the field and select the server name from the Server List pop-up window.

3) Select the date up to which you want to display the applications. The page refreshes to display all the applications that were accessed on the specified server.


Note that you can click on the [+] sign next to an application for more details, and click the Video icon to open the Session Player in order to replay the selected item.

Inventory View

The Inventory View displays a list of the resources (hardware and software) on the specific server. This information is gathered from the server and displayed for your convenience. The information is read-only and cannot be changed.

To display the resources on a server

1) Select "Inventory" in the left menu of the Server Diary.

2) Specify the server you want to view in the "Server" field and click the "Go" button. You can also click the button next to the field and select the server name from the Server List pop-up window.


Software View

The Software View displays a list of the software that is currently installed on the specific server. This information is gathered from the server and displayed for your convenience. The information is read-only and cannot be changed.

To display the software installed on a server

1) Select "Software" in the left menu of the Server Diary.

2) Specify the server you want to view in the "Server" field and click the "Go" button. You can also click the button next to the field and select the server name from the Server List pop-up window.

If a program was installed on the server after the ObserveIT Agent was installed, an icon appears next to the software name, allowing you to replay and view that program's installation process. This link only appears for programs that were installed after the ObserveIT Agent. Clicking the "Search" link next to a program opens a Google search page with results related to that program.

Search View

The Search View is useful for performing search operations against a particular server name. You can perform "Google-like" searches based on important words, such as "registry", "notepad", "delete", and so on. Results are displayed so that you can see the context of the action and why it was returned as a result.

To run a search on a server

1) Select "Search" in the left menu of the Server Diary.

2) Specify the server you want to view.

3) Specify a time period for your search.


4) Enter the string you are looking for, and then click the "Search" button to run the search.

Notes

After running your search, you can also do the following:

- Expand the results by clicking the [+] sign to view a textual breakdown of the search results, clearly showing the context in which the application or user action was performed.

- Add comments to specific sessions in the search results by clicking the [+] sign next to the relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments to Sessions" above).

- Click the Video icon to open the Session Player and replay a selected application or user action.

Messages View

ObserveIT enables you to create and configure messages that are displayed when a user logs on to one or more servers. These messages can include information for users, instructions, requests to perform specific tasks, contact information in case of software or hardware issues, and more. You can configure messages to be displayed on all servers or on specific servers, for all users logging on to those servers or just for some users. You create and configure messages in the Configuration > Messages page. In the Messages View of the Server Diary, you can see all the messages that were displayed on a server.

To view the messages on a server

1) Select "Messages" in the left menu of the Server Diary.

2) Specify the server whose messages you want to view.

3) Select the type of message to display from the "Message to Display" drop-down list. Options are "All Messages", "Live Messages", or "Lock Messages".

Note: "Live Messages" and "Lock Messages" are not supported on Unix or Linux Agents, nor on Agents running ObserveIT versions prior to 5.6.0.


4) Click the "Go" button. The Messages Diary refreshes to display the messages for the server and criteria you specified.

Exporting Metadata to Excel

You can export the data of all sessions displayed in a Server Diary Activities page, Search page, or detailed textual transcript to an external window for easier printing and for use in Microsoft Excel.

To export a user session's data

- Click the "Print this information" link next to the user session.

To export the textual transcript of a specific user session

1) Expand the required session by clicking the [+] sign on the left.

2) To export the data, click the "Print this information" link next to the user session.

3) To export the detailed textual transcript of the selected session, click the "Print detailed information" link next to the user session.

Note: "Print this information" exports only what is visually shown in the textual transcript, whereas "Print detailed information" includes all the user actions performed during the session. In the "Report To Export" browser window, you can print the report as you would any browser window, or click the "Excel" link to open the information as an Excel file.


User Diary

The User Diary is the second tab in the Web Management Console. The User Diary provides three views:

- Activities View
- Applications View
- Search View

Activities View

The default User Diary view is the Activities View, which provides information about all user activities on every monitored server and computer. Each time a user logs in to a monitored server, all actions performed by that user are captured as screenshots, and metadata is collected about the applications, registry settings, and files that the user accessed. The User Diary shows all of this activity for a particular user across all servers. It automatically displays the latest user sessions from all monitored computers with the default date filter, listing user sessions in reverse chronological order so that new sessions appear at the top of the list, making them easy to identify.


To view sessions which were recorded for a user

1) Enter the required user name in the "Login" text prompt (auto-complete provides a list of matching user names). You can also click the icon next to the prompt and select the required user name from the Login List pop-up window, which lists the available users with their number of recorded sessions and the date and time of their last activity.

2) Specify the required activity time period (Days, Weeks, Months, Years) or a date range for your user session search. By default, the date filter includes the current month and year as the selection criteria.

3) If required, filter the display of user sessions by server ("All" or a single server).

4) When you have finished specifying the search criteria, click the "Go" button. The page refreshes to display a list of sessions in reverse chronological order for the selected user.

Note: If any SQL Server queries were performed during a session, they are displayed at the end of the session. For more information, see DBA Activity.

Each entry represents a user session. A user session begins when the user logs on, and ends when the user logs out or after a predefined period of inactivity (the default is 15 minutes; you can change this in Configuration > Server Policies > Server Policy Template). The last activity performed by the user in that session is reflected in the "Session Duration". Each session entry shows the date, the duration, the login name (the user account used in the Windows logon process), the actual user name (provided by ObserveIT's Identification Services), the name of the computer from which the connection was made, the number of slides in the session, and a "Video" icon.

Clicking the Video icon next to a user session launches the ObserveIT Session Player, which replays the entire recorded session from beginning to end (for details, see Replaying User Sessions). From the Session Player, you can also save sessions for offline viewing.

You can expand a session by clicking the [+] sign and view a textual breakdown, or transcript (similar to DVD chapters), of all the applications, files, and window titles that the user accessed during the session. You can replay a session from any point in time (or action) by clicking the Video icon to the right of the required expanded session item. Thus, within seconds, you can determine which applications were used, which actions the user performed, and whether the session is relevant to your troubleshooting.

Notes

- The Windows and Unix icons let you see at a glance whether the server you are viewing runs a Windows-based or Unix-based operating system.

- A live-session icon in the sessions list indicates that a user session is still live and that a user is currently logged on to the server. Clicking this icon launches the Session Player in real-time replay mode.

- An alert indication next to a session shows that one or more activity alerts were generated during the session. Clicking the alert indication opens a pop-up dialog showing the alert(s). For example:


By clicking "View All", you can jump directly to the Activity Alerts page showing the list of session alerts.

- A warning icon next to a "Slides" number indicates that the session was tampered with and could be corrupted; for example, it appears if a screenshot was deleted from a recorded session. This warning icon is only displayed if the "Enable Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security" page.

- The number to the right of a program or file name in the expanded textual transcript is the number of times that program or file name appeared in that particular session.
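The tamper warning described here, and in the Server Diary notes above, can only work if an integrity record is written while the session is being recorded and compared with the stored slides later. The guide does not say how ObserveIT computes that record, so the PowerShell below is an added example, not the product's own code: it shows one standard construction, a hash chain over the slides, and how such a chain localizes a deleted or replaced screenshot. The session identifier and slide contents are constructed sample data.

```powershell
# Added example, not ObserveIT's own code: a hash chain over a session's
# slides as one way a Session Integrity record can detect that a screenshot
# was deleted, replaced or reordered. The slides below are constructed data.

function Get-Sha256Hex {
    param([byte[]]$Bytes)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function New-SessionChain {
    # Produces one link per slide. Each link commits to the previous link, the
    # slide's position, its timestamp and the hash of its image bytes, so
    # removing, inserting, swapping or editing any slide changes that link and
    # every link after it. The returned array is the integrity record.
    param([string]$SessionId, [object[]]$Slides)
    $prev  = Get-Sha256Hex ([Text.Encoding]::UTF8.GetBytes("session:$SessionId"))
    $links = @()
    for ($i = 0; $i -lt $Slides.Count; $i++) {
        $imageHash = Get-Sha256Hex $Slides[$i].Image
        $prev  = Get-Sha256Hex ([Text.Encoding]::UTF8.GetBytes("$prev|$i|$($Slides[$i].Timestamp)|$imageHash"))
        $links += $prev
    }
    return ,$links
}

function Test-SessionIntegrity {
    # Recomputes the chain over the slides as they exist now and compares it
    # with the record taken at recording time. Returns -1 if the session is
    # intact, otherwise the zero-based position of the first slide that no
    # longer matches (for a deletion, the position the deleted slide occupied).
    param([string]$SessionId, [object[]]$Slides, [string[]]$Record)
    $now    = New-SessionChain -SessionId $SessionId -Slides $Slides
    $common = [Math]::Min($now.Count, $Record.Count)
    for ($i = 0; $i -lt $common; $i++) {
        if ($now[$i] -ne $Record[$i]) { return $i }
    }
    if ($now.Count -ne $Record.Count) { return $common }   # slides missing from, or appended to, the end
    return -1
}

# Constructed sample session: five slides whose "screenshots" are short byte strings.
$sessionId = 'demo-session-0001'
$slides = 0..4 | ForEach-Object {
    [pscustomobject]@{
        Timestamp = "2014-01-01T09:00:$($_.ToString('00'))Z"
        Image     = [Text.Encoding]::UTF8.GetBytes("screenshot $_ of $sessionId")
    }
}

# At recording time the record is stored separately from the screenshots and,
# in a real deployment, signed with a key that the people who can delete
# screenshots do not hold. Here it is simply kept in memory.
$record = New-SessionChain -SessionId $sessionId -Slides $slides

Write-Host ("Intact session:   first mismatch = {0}" -f (Test-SessionIntegrity $sessionId $slides $record))     # -1

$tampered = $slides[0,1,3,4]   # slide 3 (index 2) deleted; the diary would now show a Slides count of 4
Write-Host ("Slide 3 deleted:  first mismatch = {0}" -f (Test-SessionIntegrity $sessionId $tampered $record))   # 2

$replaced = $slides.Clone()
$replaced[4] = [pscustomobject]@{ Timestamp = $slides[4].Timestamp; Image = [Text.Encoding]::UTF8.GetBytes('forged screenshot') }
Write-Host ("Slide 5 replaced: first mismatch = {0}" -f (Test-SessionIntegrity $sessionId $replaced $record))   # 4
```

The point of chaining rather than hashing each slide on its own is that a deletion leaves no orphan hash to notice: with independent hashes, removing slide 3 and its hash together would verify cleanly, whereas the chain breaks at position 2 and stays broken for every later slide. Whatever the product's actual mechanism, the same caveat applies: the record must be protected from the same people whose deletions it is meant to reveal, which is why it belongs in a store they cannot rewrite.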

To view statistics about a user in the User Diary

- Click the "User Statistics" link in the Activities View. A window opens displaying statistics about the selected user during the specified time period.

The following information is provided:

- Computers Accessed - A breakdown of the computers that were accessed by the user during the selected period, by the number of recorded sessions.

- Session Activity Recorded - The daily number of sessions that were recorded by ObserveIT for the user.


Adding Comments to User Sessions

In the Activities and Search Views of the User Diary, you can add comments to specific user sessions, if required.

To add a comment to a user session

1) In the Activity View list, click the [+] sign next to the user session to which you want to add a comment.

2) Click the "Add Comment" link.

3) In the "Session Comment" dialog box that pops up, enter your comment, and then click "Save". Your comment will appear in the session's expanded list of applications, files, and window titles that the user accessed during the session.

Note: You can repeat this procedure for as many comments as you want to add. Each comment will appear as a separate entry.


Applications View

The Applications View lists all the applications, resources, registry paths, Internet Explorer URLs, and so on, that were accessed by the specified user login. This view is useful if you have many recorded sessions and do not want to review each one, but prefer to see which resources, such as applications, files and directories, the user accessed. These resources are displayed in reverse chronological order for the selected user, making the latest sessions easy to identify.

Search View

The Search View is useful for performing search operations against a particular user login. You can perform "Google-like" searches based on important words, such as "registry", "notepad", "delete", and so on. Results are displayed so that you can see the context of the action and why it was returned as a result.

Note: You can also add comments to specific sessions in the search results by clicking the [+] sign next to the relevant session, and then clicking the "Add Comment" link (as described in "Adding Comments to User Sessions" above).

Exporting Metadata to Excel

You can export the data of all sessions displayed in a User Diary Activities page, Search page, or detailed textual transcript to an external window for easier printing and for use in Microsoft Excel.

To export a user session's data

- Click the "Print this information" link next to the user session.

To export the textual transcript of a specific user session

1) Expand the required session by clicking the [+] sign on the left.

2) To export the data, click the "Print this information" link next to the user session.

3) To export the detailed textual transcript of the selected session, click the "Print detailed information" link next to the user session.

"Print this information" exports only what is visually shown in the textual transcript, whereas "Print detailed information" includes all user actions performed during the session. In the "Report To Export" browser window, you can print the report as you would any browser window, or click the "Excel" link to open the information as an Excel file.


Free Text Search

The Free Text Search feature expands ObserveIT's searching capabilities by enabling you to perform "Google-like" searches for sessions and user activities based on key words such as "registry", "notepad", or "delete". When an IT ticketing system is integrated with ObserveIT, you can search for all sessions that relate to a specific ticket. You can also narrow the search to key words in all the applications that were used on any monitored computer. The displayed results provide the context of the activity. For example, you can specify the IP address of a server and find all the instances in which a Remote Desktop session was opened to that server.

To run a free text search

1) Open the Search tab of the Web Management Console.

2) In the "Search for" field, select the type of data you are looking for. Options are:

- "Metadata" - search for key words in the metadata information stored in the ObserveIT database.
- "Ticket number" - if an IT ticketing system is integrated with ObserveIT, specify the ticket's unique reference number to quickly locate all sessions related to the ticket.
- "Application" - search for key words in all applications that were used.
- "Alert ID" - search for sessions that have activity alerts, by alert ID.

3) Enter the required string, key word, ticket number or alert ID.

4) If you are searching for "Metadata", select the type of sessions to search: "All", "Windows", "Unix", or "Unix system calls". Note: On Unix sessions, you can perform a metadata search on both user input and command output.

5) Click the "Search" button.

The displayed results include information regarding the user’s login, the server, and the date.


Notes

- You can expand the user session you are interested in by clicking the [+] sign to the left of the user session, then read through the textual transcript and find the user action of interest.

- Sessions that contain an alert are displayed with an alert indication. You can expand the session to see exactly which slide has the alert.

- If any SQL Server queries were performed during a session, they are displayed at the end of the session. For more information, see DBA Activity.

- You can add comments to specific sessions in the search results by clicking the [+] sign next to the relevant session, and then clicking the "Add Comment" link. In the "Session Comment" dialog box that pops up, enter your comment and click "Save". Your comment appears in the session's expanded list of user actions. You can add as many comments as you want; each appears as a separate entry.

- Clicking the Video icon next to the user session launches the ObserveIT Session Player and begins replaying the entire recorded session from beginning to end. The replay can be paused, resumed, fast forwarded or rewound, and zoomed in or out. From the Session Player, you can also save sessions for offline viewing.

- You can filter the results to display specific user sessions by selecting the user's name from the "Login/User" drop-down list. This list includes every user name (or login) that used the specific application or resource.

- You can also filter the view to display results for one specific server by selecting the server's name from the "Server" drop-down list. This list includes every server on which the specific application or resource was used.

DBA Activity

In the DBA Activity tab of the ObserveIT Web Management Console, you can monitor all SQL queries that were executed by DBAs against production databases. This feature requires all DBAs that you would like to record to connect through a Windows gateway, on which the ObserveIT Agent is installed and a DB management tool application is being used. ObserveIT supports the following database management tool applications:
 Microsoft SQL Server Management Studio 2005, 2008. Note: All versions of Microsoft SQL Server Management Studio Express (SSMSE) are currently not supported.
 Toad for Oracle 11.6
 SQL*Plus 11.2.0.1.0
The following example illustrates how SQL queries are captured by ObserveIT:

1) A user opens a remote RDP connection to the gateway in order to perform an SQL query.
2) The ObserveIT Agent captures the SQL query using the database management tool application on the gateway.

Querying SQL Server Sessions

SQL queries are included in the session activity details displayed in the Server Diary and User Diary pages. When using the Search page in Metadata mode, text matches within SQL queries will also return the relevant sessions in the search results. You can query the database for sessions according to any of the following criteria:
 Database name
 The server to which the user logged in
 Database user
 Login ID of the user
 Free text: Specific information that you are looking for (e.g., specific user, alert, name of table, etc.)
 Specific time period, or start and end dates.

To view and search for SQL Server sessions
1) Open the DBA Activity tab in the ObserveIT Web Management console. The Activities View displays the results of SQL Server queries on the currently selected default ObserveIT database, in reverse chronological order, and according to the default date filter.

For each item in the table, the following information is displayed:
 Time: The time that the SQL query occurred.
 SQL Query: The content of the SQL query.
 Database: The name and path of the ObserveIT database.
 DB User: The name of the database user.
 Details icon: Enables you to view details about the SQL query session.
 Video icon: Enables you to replay a video of the SQL query session.

2) To change the criteria for the SQL queries display, click the [+] sign next to "Filters" to expand the search fields.

Specify the search criteria according to which you want to perform an SQL Server query, as follows:
 In the "Database" field, specify the required database (or click the button next to the field to select it from a list of databases).
 In the "Server" field, specify the server to which the user is logged in (or click the button next to the field to select it from a list of servers).
 In the "DB User" field, specify the name of the database user (or click the button next to the field to select it from a list of database users).
 In the "Login" field, specify the login name of the user (or click the button next to the field to select it from a list of Login names).
 In the "Query Text" field, you can enter any specific text for your search.
 Under "Period" or "Start Date"/"End Date", you can filter your search criteria further by specifying a time period, or start and end dates.
3) When you have finished defining the criteria for the SQL Server session queries, click the "Search" button. The page refreshes to display a list of sessions according to the specified criteria.
Note: SQL Server queries that were performed on a session will also be displayed at the end of the session in the Search tab, Server Diary, User Diary, or Archive Search.

To view details of an SQL query session
1) In the Activities table, click the Details icon next to the SQL query whose details you want to view. A window opens displaying the details of the selected SQL query.
Note: By using the Up/Down arrows, you can browse between all the SQL query activities in the recorded session.

Note: From this window, you can also view a video of the selected SQL query session by clicking the "Session video" icon.

To view a video of an SQL Query session
 In the Activities table, click the Video icon to the right of the SQL query you are interested in.

The ObserveIT Session Player opens, enabling you to replay the entire recorded session. For more information, see Replaying User Sessions.

Replaying User Sessions

ObserveIT allows you to replay recorded user sessions by using a VCR-like Session Player. ObserveIT provides two versions: a Windows Session Player for replaying Windows recorded sessions, and a Unix Session Player for replaying Unix recorded sessions. The Session Player opens in a separate browser window. Similar to a real-life VCR player, ObserveIT's Session Player can be used to play the recorded session starting from the first slide, and throughout the entire recording until it reaches the last slide. You can stop/resume the play at any point by clicking the Pause/Resume button. Using the Session Player, you can also play the recorded session starting from a specific point in time. This feature saves the auditor or administrator from having to review the whole session, as the recording can be played from the exact time at which the user action of particular interest was performed.

Replaying a Recorded Session

To replay the entire recorded session from start to finish
 In the Activities View of the Server Diary or User Diary, click the video icon to the right of the required session. For more information, see "Activities View" under Server Diary or User Diary. The Session Player is launched in a new browser window, and you can begin viewing the recorded session.
Note: If the selected session is a Windows session, the Windows Player will open; if the selected session is a Unix session, the Unix Player will open.

To begin playing the recorded session starting from a specific point in time
1) In the Activities View of the Server Diary or User Diary, expand the user session you are interested in by clicking the [+] sign to the left of the session. For more information, see "Activities View" under Server Diary or User Diary.
2) Review the textual transcript of the applications, files, or window titles that the user accessed, or the user input that the user entered during the session, and find the specific action that is of particular interest.
3) Click the video icon to the right of the user action. The Windows or Unix Session Player is launched in a new browser window, and you can begin viewing the recorded session from the point in time when the user action was performed.
Note: You can also begin playing a recorded session from a specific point in time from the Session Player itself.

Windows Session Player

The Windows Session Player allows you to replay recorded Windows user sessions. The Session Player is launched in a separate browser window when a user clicks the video icon next to a Windows session recording in the Activity View of the Server Diary or User Diary.

Note: You can resize the Session Player window and maximize the screen.
By clicking the User Activities List icon, you can open the User Activities List, which displays the window titles of all the applications, files, and windows that the user accessed during the session. Each window title may comprise a number of slides. To hide the User Activities List, click the icon again.

The Session Player plays the recorded session starting from the first slide, and throughout the entire recording until it reaches the last slide. You can also click on a window title in the User Activities List in order to play the recorded session directly from that point onwards. You can stop/resume the play at any point by clicking the Pause/Resume button.
When the Session Player opens, an integrity check is run on the images in the session. If the session was tampered with (for example, a screenshot was deleted from the session), a warning icon is displayed in the lower part of the Player. Note that an integrity check is only run if the "Enable Session Integrity" check box was selected in the Security tab of the "Configuration" > "Security" page; with that option cleared, a session with missing or altered slides replays without any warning.

Viewing Activity Alerts in a Session Replay

While replaying a recorded session, you can watch the session video for activity alert(s). If any alerts occurred on the session, an alert indication is displayed on the timeline bar and also on the user activity (in the User Activities list) that triggered the alert. By clicking the alert indication icon, you can see full details about the alert.

Metadata Sessions

User activities that are preconfigured to record only textual metadata about specific applications are identified by an icon in the Activity View of the Server Diary or User Diary. If the session you are replaying is a "metadata-only" session or includes "metadata-only" applications, the Session Player displays a screenshot with a white background and text indicating that it is an ObserveIT Metadata-Only Policy.

Note: Only recorded slides (images) will appear in the User Activities List even if the session is a mix of "metadata-only" policies and application/URL recordings.

Session Player Buttons

The VCR-like buttons, in the lower left part of the Session Player, enable you to quickly pause, resume, rewind, or fast forward the playing of the slides. The functions of these buttons are as follows (from left to right):
 Rewind to the previous slide in the current window title
 Rewind to the previous window title
 Rewind to the previous slide
 Pause/Resume play
 Forward to the next slide
 Forward to the next window title
 Forward to the next slide in the current window title

Session Player Icons

The following icons appear in the lower right part of the Session Player, enabling you to:
 If alerts were generated for a session, display or hide the alert details for each alert.
 Lock a session (only available if you are viewing a Windows Live Session recording). See "Real-Time Playback Mode" below.
 Send a message to the user during a live session (only available if you are viewing a Windows Live Session recording). See "Real-Time Playback Mode" below.
 View a slide in the original image proportion captured by the Agent. Clicking the icon again returns the image to the Session Player resolution.
 Export the entire current recording or selected slides to an HTML file. See "Exporting the Session to an HTML File" below.
 Create an offline copy of the recording. You can save the entire recording or select specific slides to save.

Exporting the Session to an HTML File

To save the session recording or specific slides to an HTML file
1) Click the HTML icon in the Session Player.

2) Specify the slides you want to export, or select "All slides" to export the entire recording. Note: You can still export a session even if an integrity check provided a warning that some slides are missing.
3) Select the required image size. Options include:
 Original (Recorded): The size of the image when it was captured by the Agent.
 1000 px wide (A4 Landscape): Image width of 1000 pixels and height proportional to the width.
 720x520 px (A4 Portrait): A fixed image size of 720 pixels width and 520 pixels height.
4) Enter a name for the session.
5) Click "Export to HTML". The exported slides are displayed in a scrollable HTML Viewer according to the selected image size (the guide shows a 720x520 px example at this point).

Windows Session Player Additional Features
 The "Speed" slider enables you to speed up or slow down the session playback.
 The timeline bar above the VCR-like buttons shows the replay progress, also indicating the current slide's window title and the time it was recorded. By clicking the bar, you can jump directly to a specific slide.
 The text area above the timeline displays the following information:
   The title of the window that is currently viewed in the recorded session, and the number of the slide that is currently displayed on the Player out of the number of slides that have the same window title.
   The date and time that the action was performed, and the number of the currently displayed slide out of the total number of slides in the session.
 The appearance of a "Signature not verified" watermark indicates that not all the images stored in the database are currently digitally signed and protected. In order to secure images in the database, you must obtain a digital certificate for the Application Server, and then enable image security on the certificate.

Real-Time Playback Mode

In the Server Diary and User Diary views, the appearance of the live-session icon in the sessions list indicates that a user session is still live on that server, and that a user is currently logged on to the server. Clicking the icon launches the Session Player in real-time replay mode. In this mode, the Session Player immediately begins replaying the latest user activity in the required session. Real-time replay causes the Session Player to refresh automatically as the user performs actions, clicks, or types in their session. This means that the Session Player is constantly receiving updates from the ObserveIT Application Server, and even though the viewer appears to have reached the end of the recorded session, it will still display captured screenshots as they are being recorded on the server.
In real-time replay mode, you can also do the following:
 Interrupt the playback by sending a message to the user. During an ObserveIT live recording, if an unusual session is noticed on one of the servers, the ObserveIT administrator can send a message to the user's desktop, and request the user to acknowledge that he read the message. If a reply is configured as mandatory, the user must enter a text reply in addition to acknowledging the message. If the message is configured to block the screen (it cannot be ignored or dragged to the corner of the screen), the user is forced to respond to the message in order to carry on working.
 Lock a session. During the replay of a live session, if the administrator wants to prevent the user from continuing the current session, he can send a message to the user and lock the user's desktop after a specified timeout period (seconds).
Note: Both features are supported only on Windows Agents that are running ObserveIT version 5.6.0 and above. They are not supported on Unix or Linux Agents, or on Agents that are running ObserveIT versions prior to 5.6.0.

To send a message to a user during real-time playback
1) During a live session recording in the Server Diary or User Diary view, click the live-session icon next to the relevant user session. The Session Player opens in real-time replay mode, and begins playing the latest user activity in the session.
2) When the Player reaches an action that you want to interrupt by sending a message to the user, click the Message icon in the lower part of the Viewer. A message dialog box opens, enabling you to send a message.
3) Enter your message text (or edit the default text), and then click the "Send" button.
4) When the message is received, the user must select "I Acknowledge".
5) If a reply is configured as mandatory, the user must enter a text reply in addition to acknowledging the message.
6) The user clicks "Finish" to acknowledge the message.

Note that you can view "live" messages in the Server Diary or User Diary session details (by clicking the [+] sign).

To lock a user session during real-time playback
1) During a live session recording in the Server Diary or User Diary view, click the live-session icon next to the relevant user session. The Session Player opens in real-time replay mode, and begins playing the latest user activity in the session.
2) When the playback reaches a point at which you want to lock the session, click the Lock Session icon in the lower part of the Player.
3) In the message dialog box that opens, specify the timeout period (in seconds) after which the session will be locked, enter your required message text, and click "Send".

The user receives the message. The desktop is locked after the specified timeout period. Note that only the desktop is locked; no data is lost and no application is closed. After the timeout period, the user can acknowledge the message and continue working.
Note: You can view "lock session" messages in the Server Diary or User Diary session details.

Unix Session Player

The Unix Session Player allows you to replay recorded Unix user sessions. The Session Player is launched in a separate browser window when a user clicks the video icon next to a Unix session recording in the Activity View of the Server Diary or User Diary. The Unix Session Player supports multiple languages and font colors. The administrator who replays the session sees the session exactly as it appeared to the user who logged in to the server.
Note: Unicode UTF-8 and standard ASCII character encoding are supported for the recording and replaying of Unix sessions.

By clicking the User Activities list icon, you can open the User Activities list, which displays text files of all the user input commands and system calls that were generated during the recorded session. To hide the User Activities list, click the icon again.

The Unix Session Player plays the recorded session starting from the first frame (text file), and throughout the entire recording until it reaches the last frame. You can also click on an "activity" in the list in order to play the recorded session directly from that point onwards. You can stop/resume the play at any point by clicking the Pause/Resume button.
Note: A "live" Unix session is automatically replayed starting from the last frame (i.e., the point where you clicked the video icon). You can change the order of playback to start from the beginning by clicking the "Play the session from the beginning" button.

The VCR-like buttons, in the lower part of the Session Player, enable you to quickly pause, resume, rewind, or fast forward the playing of the frames. The functions of these buttons are as follows (from left to right):
 Play the session from the beginning (first frame)
 Rewind to the previous user activity
 Rewind to the previous frame
 Pause/Resume play
 Forward to the next frame
 Forward to the next user activity

Viewing Activity Alerts in a Session Replay

While replaying a recorded session, you can watch the session video for activity alert(s). If any alerts occurred on the session, an alert indication icon is displayed on the timeline bar and also on the user activity (in the User Activities list) that triggered the alert. By clicking the Bell icon in the lower right part of the Session Player, you can show or hide the display of the details for each alert.

Unix Session Player Additional Features
 The timeline bar above the VCR-like buttons shows the replay progress, also indicating the current frame's activity and the time it was recorded. By clicking the bar, you can jump directly to a specific frame.
 The "Speed" slider enables you to speed up or slow down the session playback.
 The zoom icons in the lower right part of the Session Player enable you to zoom in or out on the current frame in order to enlarge or reduce the displayed text.
 By clicking the export icon in the lower right part of the Session Player, you can export the Unix session output to a text file for offline usage.

ObserveIT Key Logging

ObserveIT Key Logging is supported on Windows and Unix-based operating systems. Corporate key loggers track and record an employee's computer activity for the purposes of monitoring, root cause analysis, forensic investigation and regulatory auditing.

Traditional key logging software programs monitor each keystroke that users type on the keyboard. The keystrokes are recorded and indexed, so that they can be searched for and displayed to the end user in simple reports. However, traditional key loggers can capture only what the user has typed; they do not provide context information or the ability to see video session recordings of user activity.

In contrast, ObserveIT's key logger generates and replays video recordings of all on-screen user activity, including every key press and mouse click. Any portion of any recording is directly accessible via key word search in the ObserveIT Web Management Console (from the Search tab, Server Diary, User Diary, or Archive Search). You can jump directly to relevant portions of recordings by searching for particular activities based on text entries, launched programs, opened windows, system commands executed, etc. ObserveIT's key logger records and enables you to search for specific text entries made anywhere in the system, whether by typing, editing, keyboard shortcuts, auto-complete or even copy and paste via the Windows clipboard. The visual replay of user sessions is provided by the ObserveIT Session Player. For information about using the ObserveIT Session Player, see Replaying User Sessions.
Note: In order to use ObserveIT's key logger for Windows, the "key logging" feature must be enabled in the Server Policies settings of the ObserveIT Web Management Console. Key logging capabilities are always available on Unix machines.

Key Logger Data Encryption

By default, the text captured by the ObserveIT key logger on Windows systems is not stored in clear form: it is stored as SHA-256 hashes computed over salted input (the guide describes this as encryption with an "asymmetric salt"; note that SHA-256 is a one-way hash, so the stored values cannot be decrypted back to the original text). ObserveIT supports case-sensitive search matching complete words even on data that is stored in this hashed form. However, if you want to retrieve data from the database in its original content form, you can disable the data encryption; because a one-way hash cannot be reversed, the setting affects only data captured after the change. For instructions, please contact ObserveIT support.
The following topics describe ObserveIT's Key Logger for Windows and Unix-based operating systems:
 Windows Key Logger
 Unix Key Logger
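To make the search-on-hashed-data statement above concrete, here is an added Python example written for this page; it is not ObserveIT's implementation, whose exact scheme the guide does not document. It assumes one fixed salt per deployment (a per-record random salt would break search, since the query could no longer be hashed to a single comparable value), hashes each complete word case-sensitively, and answers searches by hashing the query word the same way. The last function shows the caveat a practitioner should keep in mind: whoever obtains both the table and the salt can recover low-entropy words by guessing, so this hashing protects against casual reading of the database, not against a determined insider with database access. The sample captures and the salt are constructed for the example.

```python
import hashlib
import re

# Constructed sample captures: (session_id, text the key logger captured).
SAMPLE_CAPTURES = [
    (101, "net user Backup_Admin P@ssw0rd /add"),
    (102, 'Edit Application Pool: .NET Framework version ".NET Framework v4.0.30319"'),
    (103, 'sqlcmd -Q "SELECT * FROM Customers"'),
]

# Assumed deployment-wide salt. It must be constant, otherwise the same word
# would hash differently in every record and searching would be impossible.
SALT = b"example-deployment-salt"

WORD_RE = re.compile(r"[A-Za-z0-9_@.]+")


def tokenize(text):
    """Split captured text into the complete words that are indexed."""
    return WORD_RE.findall(text)


def hash_word(word, salt=SALT):
    """Case-sensitive: 'Framework' and 'framework' give different digests."""
    return hashlib.sha256(salt + word.encode("utf-8")).hexdigest()


def index_captures(captures, salt=SALT):
    """Build the stored form: only word hashes are kept, never the text."""
    return {sid: [hash_word(w, salt) for w in tokenize(text)]
            for sid, text in captures}


def search(index, word, salt=SALT):
    """Complete-word, case-sensitive search over hashed data: hash the
    query with the same salt and compare digests."""
    target = hash_word(word, salt)
    return sorted(sid for sid, hashes in index.items() if target in hashes)


def dictionary_attack(index, candidate_words, salt=SALT):
    """What an insider with the table and the salt can do: precompute the
    digest of every guess and map stored hashes back to words."""
    lookup = {hash_word(w, salt): w for w in candidate_words}
    return {sid: [lookup.get(h, "?") for h in hashes]
            for sid, hashes in index.items()}


if __name__ == "__main__":
    idx = index_captures(SAMPLE_CAPTURES)
    print(search(idx, "Framework"))   # [102]
    print(search(idx, "framework"))   # [] : case-sensitive
    print(search(idx, "Frame"))       # [] : complete words only
    guesses = ["net", "user", "add", "SELECT", "FROM", "Customers"]
    print(dictionary_attack(idx, guesses)[101])
```

The two search limitations the guide states (case-sensitive, complete words only) fall out of the construction: a substring or a different capitalisation produces a different digest, so it cannot match. The same property is what makes the guessing attack cheap: command words, table names and option flags come from a small vocabulary, and every stored digest of such a word is one table lookup away once the salt is known, which is why the salt should be treated as a secret and database access restricted even when this setting is on.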

Windows Key Logger

In addition to capturing every keystroke, the ObserveIT key logger for Windows-based operating systems can capture values that aren't even typed using the keyboard, such as:
1) The context of the text that was captured, such as the description label of the input control.
2) Changed field values that are selected from drop-down lists (see below for an example of this scenario).
3) Changed check box selections using the mouse.
4) Changed numeric values using clicks.

5) Final text values after correction using the editing keys.
6) CMD commands made using shortcuts, such as tabs and Up/Down arrows.
7) Editing: If the user edits the text within a control, both the old value and the new value of the text are captured.
8) Partial typing: Even if only one character within a block of text is changed, the entire text including the new character is captured.
9) If the Auto-Complete option is selected when the user is typing, or if a spell checker is used, the key logger can capture the entire text.
10) PowerShell and PuTTY: Capture the user's commands as well as the output of Windows PowerShell or the PuTTY client.
The visual replay of user sessions is provided by the ObserveIT Session Player. For information about using the ObserveIT Session Player for Windows sessions, see Windows Session Player.

Windows Key Logging Scenario Example

The following example illustrates how the ObserveIT key logger captures a changed field value that was selected from a drop-down list. In this example, the user changes the .NET Framework version of an application pool on the server.
1) In the Edit Application Pool dialog box, the currently selected .NET Framework version is ".NET Framework v2.0.50727".

2) The user selects ".NET Framework v4.0.30319" from the ".NET Framework version" drop-down list, and clicks "OK".

The key logger will capture the new text selection including the context (i.e., the description label of the drop-down list). 3) When the user performs a search for this activity by entering a keyword, such as "framework", in the metadata search of the Web Management Console, the list of relevant sessions will include the "Edit Application Pool" session.

4) By clicking the video icon of this session, or of the expanded session, the Session Player opens and replays the session. The user will be able to see the exact change that was made, within its context.

Unix Key Logger

When using ObserveIT's Key Logger on Unix systems, the Unix Monitor records user activity in any interactive shell running on the machine, and transfers the data to the ObserveIT Management Server. Recording begins whenever a user starts any interactive session on the system, whether remotely (via Telnet, SSH, rlogin, etc.) or locally via a console login.
Note: The visual replay of user sessions is provided by the ObserveIT Session Player. For information about viewing and replaying recorded user activities in Unix sessions, see Unix Session Player.
The ObserveIT Unix Agent captures important OS-level information (such as open, fork, unlink) about each user command, by capturing the resources that are affected and any system calls that are made by each command. All the internal actions and names of files and resources that are affected by command line operations are captured. In addition, the ObserveIT Key Logger for Unix-based operating systems can record:
 All interactive shell logins to the system, whether via SSH, Telnet, local console or any other connection method.
 The data stream to and from the terminal on which the login took place.
 Each command line activity on the system.
 Every activity displayed on the screen, including user input and screen output.
 System calls that were triggered by the command line or script that was executed by the user. Every file create, delete, open, permission change, process creation, and link creation action is fully exposed. For example, if the user runs an alias script named innocentScript that includes system calls to delete files and change user permissions, this information will also be captured.
 Each file or resource affected by a user command. For example, if the user types rm *.txt, ObserveIT will show the exact name of each file that was deleted.

Threat Detection Console

ObserveIT continuously monitors activities in the system, enabling IT administrators to deal proactively with any unauthorized activity that could indicate the presence of a threat. ObserveIT's Threat Detection Console provides at-a-glance graphical charts and reports of the status and trends of ObserveIT activity, enhancing the ability to discover potential security problems or threats. You can view the Threat Detection Console and configure its settings in the "Threat Detection" tab of the Web Management Console.

The following topics describe in detail the type of information that you can view in the Threat Detection Console, and how to configure Threat Detection chart settings:
 Viewing Threat Detection Information
 Configuring Threat Detection Chart Settings

Viewing Threat Detection Information

The Threat Detection Console provides the following charts that show the status and trends of ObserveIT activity:
 Night and Weekend Activity
 Most Active Computers Now
 Infrequently Used Applications
 Infrequently Used Computers
 Infrequently Used Login IDs
 Leap Frog Logins
 Remote Access Sessions

Night and Weekend Activity

The "Night and Weekend Activity" chart helps you to identify any potentially unauthorized or malicious logins to the monitored computers. It shows the number of unique user-to-computer logins which occurred outside regular working hours, by date. Regular working hours/days are defined in the Chart Settings tab (see Configuring Threat Detection Chart Settings). Note the following:
 "User-to-computer" logins do not refer to the total number of user logins. For example, if a user logged in 3 times to computer X and 5 times to computer Y, the chart will show 2 logins, not 8.
 The chart display can be switched between day, week, and month views.
 By clicking on a bar in the chart, you can see the number of logins that occurred on that date.

Most Active Computers Now

This chart enables you to see which computers are most active (i.e., running the most sessions) at the current time. Click the Refresh icon to update the display.

Infrequently Used Applications

This chart can help to identify any potentially malicious applications that are running on the monitored computers. It lists the applications that were used by the least number of users (by login ID) during the specified date range. Note: Even if a user ran an application more than once, it will only be counted as one instance.

Infrequently Used Computers

This chart can help to identify suspicious use of a computer. It lists the monitored computers that were used for the least number of sessions during the specified date range.

Infrequently Used Login IDs

This chart can help to identify the suspicious use of a login ID. It lists the login IDs that were used for the least number of sessions during the specified date range.

Leap Frog Logins

This chart can help to identify potential unauthorized access to a second computer via permitted access to a first computer. The "Leap Frog Logins" chart lists the instances in which a user logged in from one monitored computer to another, during a specified date range. The Login ID is used to access the source computer (Computer 1), which connects to a second computer (Computer 2), which can connect to a subsequent computer, and so on. Note: All computers that participate in "Leap Frog Logins" must belong to the same domain.

Remote Access Sessions

This chart can help to identify users who are not authorized to access other computers remotely. It lists the remote access sessions that were initiated by a user from a monitored computer during the specified date range.
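Three of the chart definitions above (unique user-to-computer logins outside working hours, login IDs used for fewer sessions than a threshold, and leap-frog chains) are simple enough to compute directly from session records, and doing so makes the counting rules precise. The following Python script is an added example written for this page, not code from ObserveIT and not its database schema. The login and remote-session records are constructed; the working hours (08:00 to 18:00) are an assumption, while the working days follow the guide's default of Monday to Thursday.

```python
from collections import Counter, defaultdict
from datetime import datetime

TS_FORMAT = "%Y-%m-%d %H:%M"
WORK_DAYS = {0, 1, 2, 3}   # Monday..Thursday, the guide's default
WORK_HOURS = (8, 18)       # assumed regular hours, 08:00 to 18:00

# Constructed interactive logins: (login ID, computer, local time).
# 2014-06-07 is a Saturday; 2014-06-09 is a Monday.
LOGINS = [
    ("CORP\\alice", "SRV-X", "2014-06-07 22:10"),
    ("CORP\\alice", "SRV-X", "2014-06-07 22:40"),
    ("CORP\\alice", "SRV-X", "2014-06-07 23:05"),
    ("CORP\\alice", "SRV-Y", "2014-06-07 20:00"),
    ("CORP\\alice", "SRV-Y", "2014-06-07 20:30"),
    ("CORP\\alice", "SRV-Y", "2014-06-07 21:00"),
    ("CORP\\alice", "SRV-Y", "2014-06-07 21:30"),
    ("CORP\\alice", "SRV-Y", "2014-06-07 22:00"),
    ("CORP\\bob", "SRV-Z", "2014-06-09 10:00"),
    ("CORP\\carol", "SRV-X", "2014-06-09 23:30"),
]

# Constructed remote sessions opened from a monitored computer:
# (login ID, source computer, destination computer, local time).
REMOTE_SESSIONS = [
    ("CORP\\alice", "WS-ALICE", "SRV-X", "2014-06-07 22:10"),
    ("CORP\\alice", "SRV-X", "SRV-Y", "2014-06-07 22:15"),
    ("CORP\\alice", "SRV-Y", "DB-01", "2014-06-07 22:20"),
    ("CORP\\bob", "WS-BOB", "SRV-Z", "2014-06-09 10:00"),
]


def outside_working_hours(ts, work_days=WORK_DAYS, work_hours=WORK_HOURS):
    start, end = work_hours
    return ts.weekday() not in work_days or not (start <= ts.hour < end)


def night_weekend_activity(logins, work_days=WORK_DAYS, work_hours=WORK_HOURS):
    """Unique (login, computer) pairs outside working hours, per date.
    Three logins to X and five to Y by one user count as 2, not 8."""
    pairs = defaultdict(set)
    for login, computer, when in logins:
        ts = datetime.strptime(when, TS_FORMAT)
        if outside_working_hours(ts, work_days, work_hours):
            pairs[ts.date().isoformat()].add((login, computer))
    return {day: len(p) for day, p in sorted(pairs.items())}


def infrequently_used_login_ids(logins, threshold):
    """Login IDs used for fewer than `threshold` sessions in the range."""
    counts = Counter(login for login, _, _ in logins)
    return sorted(login for login, n in counts.items() if n < threshold)


def leap_frog_logins(remote_sessions):
    """Chains where a login hops from one monitored computer to another:
    a remote session whose source was itself reached remotely by the same
    login earlier. Returns (login, [computer1, computer2, ...]) per hop."""
    reached = {}   # (login, computer) -> path by which it was reached
    chains = []
    for login, src, dst, when in sorted(remote_sessions, key=lambda r: r[3]):
        path = reached.get((login, src), [src]) + [dst]
        reached[(login, dst)] = path
        if len(path) > 2:
            chains.append((login, path))
    return chains


if __name__ == "__main__":
    print(night_weekend_activity(LOGINS))           # {'2014-06-07': 2, '2014-06-09': 1}
    print(infrequently_used_login_ids(LOGINS, 2))   # ['CORP\\bob', 'CORP\\carol']
    for login, path in leap_frog_logins(REMOTE_SESSIONS):
        print(login, " -> ".join(path))
```

Two things worth noticing when adapting this to real data: the night/weekend count is keyed on the local date of the login, so servers in different time zones need their timestamps normalised first; and the leap-frog detector never expires a hop, so a user who reached SRV-X yesterday would still be chained to a session started from SRV-X today. A production version would keep only hops within the chart's date range and, as the guide notes, restrict the chain to computers in the same domain.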

Configuring Threat Detection Chart Settings

In the Chart Settings tab, you can configure settings for information that is displayed in the Threat Detection Console charts. See Viewing Threat Detection Information.

You can configure settings for the following charts:

Chart: Night and Weekend Activity
Settings: Specify the working days and hours outside which any user logins will be displayed in the "Night and Weekend Activity" chart. Select the regular working hours time range from the drop-down lists, and add any further days of the week to the default "Monday to Thursday" regular working days.

Chart: Infrequently Used Applications
Settings: Specify the threshold number of uses below which an application is listed as "infrequently used".

Chart: Infrequently Used Computers
Settings: Specify the threshold number of uses below which a computer is listed as "infrequently used".

Chart: Infrequently Used Login IDs
Settings: Specify the threshold number of uses below which a login ID is listed as "infrequently used".

Reports

The Reports view in ObserveIT's Web Management Console provides aggregated or summary information about server and user activity. The feature-rich reports generator can be used by novice administrators to generate reports based on preconfigured built-in reports, or by experienced administrators and security auditors who require flexible application usage reports and trend analysis reviews. Experienced administrators and security auditors can also create comprehensive customized reports based on their own requirements. ObserveIT provides two types of predefined reports:
 Custom reports. These are sample reports which you can run, schedule, copy, edit, and delete. You can also manually create new custom reports from these reports.
 System reports. These are built-in reports which you can run, schedule, and copy, but you cannot edit or delete them.
You can run a report by clicking the "Run" link next to the report. Within a short time (depending on the type and range of report), the report is generated. The results can be viewed in a separate window, printed, and the information exported to an Excel spreadsheet. You can also schedule reports to run at specific intervals, and the results can be emailed to SMTP aliases that need to review them. The following is an example of a typical reports list.

Report Types

You can generate custom reports based on the following types of information:

• Servers (for example, user activity on a specific server within a specified time period).
• Users (for example, user sessions grouped by login name).
• Applications (for example, applications that were used on monitored servers, grouped by application name).
• Commands (for example, commands entered on a specific date, grouped by session title).
• Comments (for example, all new comments on sessions during the last 24 hours).
• Messages (for example, messages displayed to all users who logged on to a specific server).
• Tickets (for example, all sessions that are related to a specific ticket number).
• Audit Logins (logins to the Web Console), Audit Sessions (recorded sessions that were played back), and Audit Saved Sessions (recorded sessions that were exported).

Note: Sample (custom) reports can be edited and customized according to customer requirements.

Examples of system reports include:

• Activities Report - All user sessions on all monitored servers in the past 48 hours.
• Daily Applications Report - All applications that were accessed in the past 48 hours on all monitored servers, including the user names of those who accessed them.
• Terminated Session List - Terminated session list; notification to the administrators. Note that this built-in report differs from the other reports (system, custom, or manually created) because it cannot be scheduled to run at specific intervals. The report is sent automatically when an Agent session is abruptly terminated.

Note: Built-in (system) reports cannot be edited or deleted.

About the Current ObserveIT Installation

To display information about the current ObserveIT installation, click the "About" link in the upper right corner of the ObserveIT Web Console. The following details are shown:

• Installation folder, usually C:\Program Files\ObserveIT\Web\ObserveIT\bin.
• ObserveIT Web Console version.
• TCP port used by the Agents to connect to the Application Server, usually 4884.
• Name of the SQL Server used for the ObserveIT database.
• ObserveIT support: http://www.observeit.com/Support.
• ObserveIT website URL: http://www.observeit.com.
