ObserveIT: Technical training for onboarding sales engineer

1 ObserveIT: Technical training for onboarding sales engineer
By ObserveIT – Copyright 2015

2 AGENDA
- ObserveIT Architecture
- “One Click” Installation (+Unix Installation)
- Configuring ObserveIT
- Basic Use Cases
- ObserveIT Deployment Scenarios

3 Welcome
This training is targeted at incoming Sales Engineers. Before attending this course, students must have at least 2 years' worth of experience, or equivalent knowledge, in the following technologies and products:
- Managing, maintaining, and securing Microsoft Windows Server 2008/2008 R2, 2012, 2012 R2, including Active Directory and Network Infrastructure server roles.
- Working knowledge of networking, for example TCP/IP, Domain Name System (DNS) and DHCP.
- Working knowledge of Citrix XenDesktop 7.x, Internet Information Services (IIS), and Microsoft SQL Server.
- Working knowledge of common management and monitoring tools such as Microsoft SCCM/SCOM, PsExec, or equivalent.
- Knowledge of installing, configuring, and administering Microsoft Windows Server 2008/2008 R2, 2012/2012 R2, and Microsoft Windows XP Pro/Vista/7/8.

4 LAB SETUP GENERAL GUIDELINES
In order to successfully implement ObserveIT on a scale model, you may want to set up a lab environment. By using virtualization products, the lab can easily be built on top of one physical machine. Some popular end-user virtualization products include:
- VMware Workstation
- VMware Player
- Microsoft Virtual PC
- Oracle VirtualBox

5 LAB SETUP GENERAL GUIDELINES
The minimum requirements for ObserveIT to run within a virtual demo environment:
- 1 machine running Microsoft Windows Server 2012 R2 for the “All in One” deployment of the ObserveIT components. Roles: IIS, IIS 6.0 Compatibility, ASP.NET, .NET Framework 3.5.1, .NET Extensibility; Microsoft SQL Server 2008
- Optional: 1 machine running Microsoft Windows Server 2012 R2 with the Terminal Services role for the remote vendor access demo
- Optional: 1 machine running Microsoft Windows 8 or Windows 7 for the workstation recording and remote vendor access demo
- Optional: 1 machine running Microsoft Windows Server 2012 R2 with the Active Directory domain controller role for the Active Directory integration demo
- Optional: 1 machine running CentOS 6.0+ for the Linux recording and access demo
Please request ISOs for all software from the Sales Engineer on staff.

6 LAB SETUP – Course Specifics
For a basic training setup these VMs are required:
- Each SE runs VMware Workstation
- 1 VM running Microsoft Windows Server 2012 R2 with Active Directory, Microsoft SQL Server 2008 Express, the latest ObserveIT version binaries and the reseller license file
- 1 VM running CentOS
- 1 VM running Ubuntu (optional)
Download the latest version of ObserveIT at:
Please request ISOs for all software from the Sales Engineer on staff.

7 LAB SETUP – Documentation
Obtaining the documentation: you can view the entire product's documentation by visiting this URL:
You can find the Student Guide documentation and Datasheet within the Sales Drive on FPSO1.
Please request ISOs for all software from the Sales Engineer on staff.

8 What is ObserveIT
Platform for User Activity Monitoring.
- Screen-scrapes window titles and takes screenshots of activity.
- Maps to major compliance and security challenges.
- ObserveIT captures all activity, even for applications that do not produce their own internal logs.
- Identity theft detection
- Shared account handling
- Key logger for indexing

9 ObserveIT: Architecture

11 OBSERVEIT AGENT RECORDING
- Records user activity (metadata + screen capture)
- Alerts on out-of-policy behavior
- Supports Windows, Unix, Linux systems
- Supports both physical and virtual environments
- Sends recorded information to the “ObserveIT Application Server” via HTTP, HTTPS, or IPsec connection
- Recording is based on a group or individual “Recording Policy”

12 OBSERVEIT APP SERVER
- Manages the multiple varieties of Agents in a central location
- Receives user activity data from the Agents
- Filters, encrypts, and transfers the recorded data to a centralized database (SQL Server or file system)

13 OBSERVEIT WEB CONSOLE
- IIS web application used to access recorded data and interface with the Database
- Audit stored sessions, filter through activity, search for actions
- Configuration of all recording, alerting, and access control policies

14 OBSERVEIT DATABASES
Creates 4 distinct databases that manage:
- ObserveIT images
- ObserveIT Archive
- ObserveIT Archive_Template
Data is secured, digitally signed, and encrypted with AES 2048.
Data can be archived or sent to a file-share system for cheaper and less intensive storage.

15 OBSERVEIT SUPPORTED PLATFORMS
Windows Agents
- Windows R2 Servers
- Vista, XP, Win 7, Win 8/8.1
- Thin clients and embedded systems
Unix/Linux Agents
- Solaris 9, 10, 11, SPARC and x86/x64
- AIX 5.3 (TL10 or higher), AIX 6.1, or AIX 7.1, 32-bit/64-bit
- HP-UX v and 11.31, Itanium architecture (64-bit)
- RHEL/CentOS 5.0 – 5.10, 6.0 – 6.5, i386/x86_64
- Oracle Linux 5.0 – 5.10, 6.0 – 6.5, i386/x86_64
- SuSE 10 SP2-SP4, or SuSE 11 SP2-SP3; i386/x86_64
- Ubuntu LTS i386/amd64, or Ubuntu LTS i386/x86_64
- Debian 6 and 7 (64-bit)

16 OBSERVEIT SUPPORTED PLATFORMS
Windows Application Server
- Windows Server 2008 R2/2012 R2
- .NET Framework 2.0, 3.5.1, 4.0
- IIS 7 with IIS 6.0 Compatibility
- IIS server can’t host WSUS
Windows Database Server
- SQL 2008, 2012, 2014
- Full Recovery mode
- No support for case sensitive DBs

17 Questions & Demo
The Instructor will do a 30 minute demo of the ObserveIT Solution.

18 ObserveIT “one-click” installation

19 Installing ObserveIT
The "One Click" installation method is the easiest way to deploy ObserveIT. If needed, each of the ObserveIT components can be installed separately as part of a custom installation.
Installation order:
- Database creation
- Web Console server
- Application server
- Windows Agents

20 “One-click” Install
To run the ObserveIT “One Click” installer, run the Setup.exe file located in the root folder which was created when you extracted the setup files from the archive. Note: You must extract the files from the archived file. Do NOT run it from within the .zip file.
You will see the main installation screen. In this screen, there are 3 separate configuration sections:
- SQL Server settings
- Web applications (Web Management Console and Application Server) settings
- Licensing
The installation will also install an Agent locally on the Application Server.

21 “One-click” install
To install the databases you must specify the SQL instance name and the credentials needed to access the DB. The following databases will be created:
- ObserveIT
- ObserveIT_Data
- ObserveIT_Archive_1
- ObserveIT_Archive_template
The following user will be created in the DB: ObserveITUser (do not delete it or change its password). This user is responsible for managing the 4 databases and runs as a service.

22 HANDS ON – “ONE CLICK” INSTALLATION
VM setup and ObserveIT “One-Click” installation. Follow student guide sections:
- 1 – Introduction
- 2 – Prerequisites & System Requirements
- 3 – One-Click Installation
- 5.11 – Installing the ObserveIT Agent on CentOS
- 5.12 – Installing the ObserveIT Agent on Ubuntu
Length: 45 minutes

23 Recording and web console usage: basic use cases

24 Logging on to the console
Use the following URL to connect to the ObserveIT Web Console:
If this is your first time using the ObserveIT Web Console, you will be prompted to change the default "Admin" password.
By default, ObserveIT's server installation will offer to create an additional web site configured to listen on TCP port 4884. When using the default TCP port 4884, use the following URL to connect to the ObserveIT Web Console:
where servername is the name or IP of the server on which the ObserveIT Web Management Console is installed.
When logging on to the Web Console, ObserveIT Console Users enter their credentials in the form of a user name and password. Because this information is transferred through the network in clear text, securing access to the ObserveIT Web Console should be a high priority: unless properly secured, this data can be picked up by ordinary network sniffers. The first and most important step is to enable SSL on the ObserveIT web site, and to require SSL on the ObserveIT virtual directory, the one used by the ObserveIT Web Console.
Important note: Passwords are CASE sensitive. Please select a password that is strong enough to prevent casual guessing or other brute force attacks, making it at least 6 characters long, with a combination of lower case, upper case, numbers and other characters. Please make sure you remember this password or write it down in a safe place, as without it you will not be able to log on to the ObserveIT Web Management Console. This password CANNOT be recovered in any way.

25 ObserveIT web console
Areas to replay sessions and study the recorded data: Server Diary, User Diary, DBA Activity, Activity Alerts, Search, and Reports.

26 Windows user activity recording
The Agent will record the users and applications that are specified in the recording policy. Only user activity is recorded. User idle time is not recorded: when a user is not actively using his computer, the ObserveIT Agent sits idle. The ObserveIT Agent will generate alerts on predetermined behavior and stream them in real time to the Web Console or to the admin. The OIT Agent collects window titles of on-screen applications and websites, software that has been installed, user data, application name, date and time.

27 Unix/Linux user activity recording
The Agent will record the users and applications that are specified in the recording policy. All SSH in/out is recorded (not tied to user activity). Idle time is only relevant for session timeout or for the designed sizing parameters. Video analysis contains “system calls”, “function calls”, commands, and scripts. The OIT Agent collects all user-generated data by sitting as a “man in the middle” within a TTY interactive session. The Agent hooks into the user session and will terminate the session if tampered with.

28 Questions & Demo
The Instructor will give an in-depth explanation of the: Reports, Search, Alerting, Server Diary, User Diary.

29 HANDS ON – Basic Use Cases
Basic use cases: follow student guide sections:
- 4. Basic Use Cases
- 4.1 Simulating User Activity
- 4.2 Auditing the User Activity
- Simulate User Activity on Unix
- View Linux Recorded Session
Length: 60 minutes

30 ObserveIT Deployment scenarios

31 ObserveIT Deployment Scenarios
A typical ObserveIT installation consists of multiple monitored servers (or Agents), each installed on a separate physical or virtual Windows-based or Unix-based operating system. There are 4 typical types of deployment scenarios:
- Small deployment
- Medium deployment
- Large and High-Availability deployment
- Terminal/Citrix Remote Access gateway deployment

32 ObserveIT Small Deployment
The most important number that drives the sizing of an ObserveIT deployment is the number of Concurrent Connected Users (CCUs) you plan to monitor.
- 1 Application Server (2 for HA).
- Recommended to use a database on a separate server from the Application Server, but it is OK to have them together.
- SQL production database disk for user-activity logs: 390 GB ultra-fast disk IOPS (for the current month).
- SQL production database or file system storage disk for graphical images: 1 TB ultra-fast disk IOPS (for each archived month).
Note: for longer data rotation, please use the built-in archive mechanism, which can be stored online or offline according to your needs.

33 ObserveIT Small Deployment
[Diagram: Agents send HTTP traffic to an “All in one” server hosting the Database Server, Application Server and Web Console; the ObserveIT Admin connects to the Web Console.]

34 ObserveIT Medium Deployment
The medium or standard deployment consists of 500 concurrently connected users.
- 2 Application Servers (3 for HA) with load balancing.
- The Database Server must be on a separate server from the Application Server.
- SQL production database disk for user-activity logs: 780 GB ultra-fast disk IOPS (for the current month).
- SQL production database or file system storage disk for graphical images: 2 TB ultra-fast disk IOPS (for each archived month).
Note: for longer data rotation, please use the built-in archive mechanism, which can be stored online or offline according to your needs.
Recommendation: The ObserveIT Application Servers should communicate with a central clustered Microsoft SQL Server Enterprise Edition 2008 or higher.
The most important number that drives the sizing of an ObserveIT deployment is the number of Concurrent Connected Users (CCUs) you plan to monitor.

35 ObserveIT Medium Deployment
[Diagram: Agents send HTTP traffic to the Application Server / Web Console, which sends SQL traffic to a separate Database Server and stores images on a RAID network file system; the ObserveIT Admin connects to the Web Console.]

36 ObserveIT Large Deployment
The large or high availability deployment consists of 1000 concurrently connected users.
- 4 Application Servers (5 for HA) with load balancing.
- The Database Server must be on a separate server from the Application Server.
- SQL production database disk for user-activity logs: 1.5 GB ultra-fast disk IOPS (for the current month).
- SQL production database or file system storage disk for graphical images: 4 TB ultra-fast disk IOPS (for each archived month).
Note: for longer data rotation, please use the built-in archive mechanism, which can be stored online or offline according to your needs.
Requirement: The ObserveIT Application Servers should communicate with a central clustered Microsoft SQL Server Enterprise Edition 2008 or higher (Enterprise recommended).
The most important number that drives the sizing of an ObserveIT deployment is the number of Concurrent Connected Users (CCUs) you plan to monitor.

37 ObserveIT Large Deployment
DNS Records: two A records for oitsrv (one per Application Server), Round Robin enabled and record cache set to 0.
For the Application Server, when you have hundreds or thousands of Agents and you require some sort of simple LB mechanism, you may use DNS Round Robin. Important: This will NOT provide any method of HA, just a simple LB mechanism based on DNS, which has NO knowledge of the state of these machines. For the SQL Server, a Microsoft-based failover cluster is used.
[Diagram: Agents resolve oitsrv via the DNS Server and send HTTP traffic to Active Application Server 1 or Active Application Server 2; both Application Servers send SQL traffic to an MS SQL Failover Cluster.]

38 ObserveIT Large Deployment 2
DNS Records: two A records for oitsrv (one per Application Server), Round Robin enabled and record cache set to 0; DNS Round Robin load balancing and the SQL failover cluster as on the previous slide.
[Diagram: Agents send HTTP traffic through a Load Balancing Cluster to Active Application Server 1 and Active Application Server 2; the Application Servers send SQL traffic to an MS SQL Failover Cluster and store images on a RAID network file system.]

39 ObserveIT TS/Citrix Deployment
A second deployment option is via a gateway server. If users are accessing your servers via a gateway, you can deploy a gateway-based Agent only, which then captures the user actions that go through that gateway to each corporate server.
[Diagram: remote and local users on the Internet connect with MSTSC or PuTTY to a Gateway Server running the ObserveIT Agent; from there sessions (SSH shown) go to Corporate Servers and Corporate Desktops with no agent installed; the Gateway Server reports to the ObserveIT Management Server.]

40 ObserveIT Hybrid Deployment
A second deployment option is via a gateway server. If users are accessing your servers via a gateway, you can deploy a gateway-based Agent only, which then captures the user actions that go through that gateway to each corporate server.
[Diagram: as in the TS/Citrix deployment, remote and local users reach Corporate Servers and Corporate Desktops (no agent installed) through a Gateway Server running the ObserveIT Agent; in addition, sensitive production servers have the Agent installed so that direct logins (not via the gateway) are also recorded; all Agents report to the ObserveIT Management Server.]

41 ObserveIT PUPM ActiveX Deployment
PUPM – Privileged User Password Management: ObserveIT has the capability of integrating with password vaults such as Lieberman’s ERPM products or CA ControlMinder. The PUPM ActiveX Agent is not installed on the target user machine initially. When the user checks out a password from the PUPM server and then logs into the target machine, the ActiveX Agent is automatically installed. The Agent will then record all of the user's sessions for that privileged logon. From the initial installation on, the Agent stays on the machine and is activated whenever a user logs in via PUPM.
[Diagram: from the user desktop, machine “17” (listed in “My Privileged Accounts” on the PUPM Server) is the only machine the user may log in to; the user RDPs to it, the OIT Server (which contains the installation CAB) transfers the CAB, and the ObserveIT Agent is installed on the test W2012 machine.]

42 ObserveIT integration with AD
Authentication requirement: Web Console user authentication; Secondary Identification feature activation.
Data query requirement: identity theft detection (to user or admin); one-time password (SMS to the user's phone).

43 ObserveIT integration with AD
[Diagram: the Application Server / Web Console queries a Windows Server 2003/2008 Domain Controller over LDAP traffic (TCP 389); Agents send HTTP traffic to the Application Server, which sends SQL traffic to the Database Server; the ObserveIT Admin connects to the Web Console.]

44 ObserveIT individual components

45 ObserveIT components
ObserveIT Agent: Windows Agent, Unix/Linux Agent, Citrix Agent
ObserveIT Backend: Application Server, Web Console, SQL Database

46 ObserveIT Agent
The ObserveIT Agent is software that is installed on servers, desktops, laptops, terminal servers, Linux/Unix, Citrix environments, etc. to collect all user activity occurring on those systems. Agents capture screen images throughout each user session, and produce the associated user activity logs. These images and logs are sent to the Application Server in real time. If an Agent cannot connect to the Application Server, it will temporarily store the user activity data and send it to the Application Server when it reconnects.
There are 2 versions of the Agent:
- Windows version – supports all major versions of Microsoft Windows operating systems (32 and 64-bit)
- Unix/Linux version – runs on the major production flavors of Unix/Linux (32 and 64-bit): Oracle Linux, HP-UX, RHEL/CentOS, AIX, Ubuntu, Solaris, Debian, SLES (SuSE Linux)

47 ObserveIT Windows Agent
The ObserveIT Agent is a software component that is installed on any Windows-based operating system (servers and desktop versions) that you wish to record. The ObserveIT Agent is a user-mode executable that binds to every Desktop User Session. It can be installed on any version of Windows, starting from NT 4.0 up to Windows 8.1 and Windows Server 2012 R2. Supports 32-bit and 64-bit machines.

48 ObserveIT Windows Agent
The ObserveIT Agent minimum requirements (hardware):
- CPU – 2.4 GHz or faster Intel or AMD processor
- Memory – 2 GB RAM or more
- Disk space – at least 200 MB of free hard disk space
- .NET Framework – version 2.0 must always be installed
- Network adapter – 100 MB/1 GB Ethernet adapter

49 ObserveIT Windows Agent
The ObserveIT Agent capturing data: As soon as a user creates a session on a monitored server, the Agent is started and begins recording, based upon a pre-determined recording policy. The ObserveIT Agent is triggered by user activities such as keyboard and mouse events. Idle time (when a user is reading, or inactive) is not recorded. When triggered, the Agent performs a screen capture. At the same moment it captures textual metadata of what is seen on the screen (window title, executable name, date, time, user name, etc.).

50 ObserveIT Windows Agent
The ObserveIT Agent Offline Mode: The ObserveIT Agent can be configured to allow offline caching of recorded data. This is useful in the event of network malfunctions or disconnection, and for NLB scenarios. When network connectivity is re-established, the Agent transmits the locally cached data back to the Application Server. In order not to fill the local disk, by default, the local cache holds screenshots. This number is configurable.

51 ObserveIT Windows Agent
The ObserveIT Agent keyboard stroke image creation:
- Low (default) – every keystroke, based on a 1 second interval.
- Medium – every keystroke, based on 0.5 second intervals.
- High – every keystroke generates an image.

52 ObserveIT Windows Agent
The ObserveIT Agent API (Application Programming Interface): ObserveIT Agents have an API built into them. You may use various programming and scripting languages or custom DLLs (Dynamic Link Libraries) incorporated into your software to connect to this API and control the Agents’ status. For example, it is possible to start, stop, pause, resume and end recorded sessions. It is possible to start recording based on process IDs, on process names and on web URLs. Recording additional processes can be done into the existing session, or into a new session, thus creating a separate session for each recorded process.

53 ObserveIT Windows Agent
The ObserveIT Agent Security (what stops a user from stopping the Agent?): The ObserveIT Agent is protected by a watchdog mechanism that restarts the Agent in case the process is ended. If a user stops the watchdog process, it is restarted by the ObserveIT Agent. If a malicious user manages to stop both processes at the same time, the ObserveIT health check system will alert the administrator that an Agent is no longer recording, which gives a clear indication that someone has deliberately stopped the Agent. The Agent can also be set up with a password to protect it against unauthorized uninstallation.

54 ObserveIT Windows Agent
The ObserveIT Agent – Network Security: Communication can be secured by enabling SSL (Secure Sockets Layer). If needed, an IPsec (Internet Protocol Security) tunnel can also be used to protect the Agent-to-Server traffic.
[Diagram: HTTPS traffic or IPsec tunnel from the Agent to the Application Server / Web Console; OASIS standards for WS-SecureConversation, including token exchange, digital signature and transaction time-to-live limit.]

55 ObserveIT Windows Agent
The ObserveIT Agent – Resource Usage: The ObserveIT Agent is a user-mode process, which only runs when a user session is active. The ObserveIT Agent only consumes resources when a user is logged on to the monitored server(s):
- average of 10 MB of RAM per session
- average of 1%-5% CPU utilization per session (only at the moment of capturing data)
When multiple concurrent sessions are active (i.e. on a Citrix/Terminal Server), this resource usage must be added to the memory calculation for the server sizing plan.

56 ObserveIT Windows Agent
The ObserveIT Agent – Resource Usage:

57 ObserveIT Windows Agent
The ObserveIT Agent – Network Connections: During installation, the ObserveIT setup creates an additional website in IIS that listens on TCP port 4884. The ObserveIT Agent transmits the captured screenshots and textual metadata to the ObserveIT Application Server via HTTP on this port. This port can be changed (for example, to TCP port 80).
[Diagram: HTTP traffic (by default TCP 4884) from the Agent to the Application Server / Web Console.]

58 ObserveIT Windows Agent
The ObserveIT Agent – Network Usage:
- Each screenshot is between 5-15 KB (depending on screen resolution and changes on screen).
- The Agent only captures user actions and trims idle time, so bandwidth usage is relatively small (50 KB packet transfer at one time).
- ObserveIT Agents are configured to record in grayscale, but color recording can also be enabled. When either of the following conditions is met, only grayscale recording will be used: a high screen resolution is detected (bigger than 1680 x 1050); multiple monitors are used.
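The keystroke image-creation levels from slide 51 and the screenshot sizes and idle-time trimming above together decide how much data an Agent generates. The following Python is added here as an illustration (it is not ObserveIT code) and simulates those rules over a constructed burst of keystroke timestamps; the 1 s / 0.5 s intervals and the 5-15 KB screenshot range are the slides' figures, while the 5 second idle-gap threshold is an assumed value.

```python
from typing import Dict, List, Tuple

# Keystroke image-creation levels as described on slide 51:
# low    - a keystroke produces an image only if 1.0 s passed since the last image
# medium - same rule with a 0.5 s interval
# high   - every keystroke produces an image
LEVEL_INTERVAL_S: Dict[str, float] = {"low": 1.0, "medium": 0.5, "high": 0.0}

# Per-screenshot size range quoted on the slide (KB); depends on resolution and screen changes
SCREENSHOT_KB_MIN, SCREENSHOT_KB_MAX = 5, 15

# Assumed value (not from the slides): a gap between keystrokes at least this long is idle time
IDLE_GAP_S = 5.0


def plan_captures(keystroke_times: List[float], level: str) -> List[float]:
    """Timestamps (seconds) at which an image would be generated for the given level."""
    interval = LEVEL_INTERVAL_S[level.lower()]
    captures: List[float] = []
    last_capture = None
    for t in sorted(keystroke_times):
        if last_capture is None or t - last_capture >= interval:
            captures.append(t)
            last_capture = t
    return captures


def active_windows(keystroke_times: List[float],
                   idle_gap: float = IDLE_GAP_S) -> List[Tuple[float, float]]:
    """Split activity into (start, end) windows; gaps of idle_gap or more are idle and not recorded."""
    times = sorted(keystroke_times)
    if not times:
        return []
    windows: List[Tuple[float, float]] = []
    start = prev = times[0]
    for t in times[1:]:
        if t - prev >= idle_gap:
            windows.append((start, prev))
            start = t
        prev = t
    windows.append((start, prev))
    return windows


def recorded_seconds(keystroke_times: List[float], idle_gap: float = IDLE_GAP_S) -> float:
    """Wall-clock time that actually ends up in the recording after idle trimming."""
    return sum(end - start for start, end in active_windows(keystroke_times, idle_gap))


def transfer_estimate_kb(num_images: int) -> Tuple[int, int]:
    """Lower and upper bound (KB) of data sent for num_images screenshots."""
    return num_images * SCREENSHOT_KB_MIN, num_images * SCREENSHOT_KB_MAX


def summarize(keystroke_times: List[float]) -> Dict[str, Dict[str, int]]:
    """Per-level image count and transfer estimate for one burst of activity."""
    report: Dict[str, Dict[str, int]] = {}
    for level in LEVEL_INTERVAL_S:
        n = len(plan_captures(keystroke_times, level))
        lo, hi = transfer_estimate_kb(n)
        report[level] = {"images": n, "kb_min": lo, "kb_max": hi}
    return report


# Constructed sample: seven keystrokes in the first 1.2 s, a pause of almost 29 s,
# then three more keystrokes. Wall-clock span is 30.6 s.
SAMPLE_KEYSTROKES = [0.0, 0.2, 0.4, 0.6, 0.8, 1.0, 1.2, 30.0, 30.3, 30.6]

if __name__ == "__main__":
    for level, row in summarize(SAMPLE_KEYSTROKES).items():
        print(f"{level:7s} images={row['images']:2d} transfer={row['kb_min']}-{row['kb_max']} KB")
    print("recorded seconds:", round(recorded_seconds(SAMPLE_KEYSTROKES), 2),
          "of", SAMPLE_KEYSTROKES[-1])
```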

59 ObserveIT Windows Agent
The ObserveIT Agent – Network Usage:
- Installation is performed with a standard Windows Installer package (.MSI) that is well supported by software distribution applications and Group Policy (GPO).
- Agents can easily be configured to install themselves automatically by using a simple batch file.
- Agents can be auto-configured by using DNS.
- A password can be used to prevent rogue Agent installation/uninstallation.
- No reboot is required!
DNS Integration: In DNS, in the "New Resource Record" window, enter the following information based on these settings:
- Domain: your domain name (cannot be changed)
- Service: _oit (make sure you've added the underscore)
- Protocol: _tcp (make sure you've added the underscore)
- Priority: 0 (no need to change, unless more than one ObserveIT Application Server will be used)
- Weight: 0 (no need to change, unless more than one will be used)
- Port number: 4884 (unless changed on the ObserveIT Application Server website)
- Host offering this service: FQDN of the ObserveIT Application Server (for example win2003-oitsrv.oit-demo.local)
To verify, enter the following commands in a Command Prompt window:
    nslookup
    set q=srv
    _oit._tcp.oit-demo.local
A sample result of a properly configured SRV record should look like this:
    _oit._tcp.oit-demo.local SRV service location:
        priority = 0
        weight = 0
        port = 4884
        svr hostname = win2003-oitsrv.oit-demo.local
    win2003-oitsrv.oit-demo.local internet address =
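To check the auto-configuration record before rolling out Agents, the Python below, an added example rather than ObserveIT's own tooling, parses nslookup-style SRV output like the sample above, orders the targets the way an RFC 2782 client would, and flags the mistakes the slide warns about (wrong port, an IP address where a host name belongs, no A record for the target). The second server, both IP addresses and the http://host:port/ URL form are assumptions; the slide shows only host and port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Default port of the ObserveIT Application Server web site (from the slide)
DEFAULT_AGENT_PORT = 4884
SERVICE_NAME = "_oit._tcp"


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str             # FQDN of the Application Server
    address: Optional[str]  # A record for the target, if nslookup printed one


# One "SRV service location" block as printed by nslookup (field order as on the slide)
SRV_BLOCK = re.compile(
    r"(?P<name>\S+)\s+SRV service location:\s*"
    r"priority\s*=\s*(?P<priority>\d+)\s*"
    r"weight\s*=\s*(?P<weight>\d+)\s*"
    r"port\s*=\s*(?P<port>\d+)\s*"
    r"svr hostname\s*=\s*(?P<target>\S+)",
    re.IGNORECASE,
)
A_LINE = re.compile(r"^\s*(?P<host>\S+)\s+internet address\s*=\s*(?P<ip>\S+)\s*$",
                    re.IGNORECASE | re.MULTILINE)
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_nslookup_srv(output: str) -> List[SrvRecord]:
    """Parse the SRV answer blocks (and any additional A records) from nslookup output."""
    addresses = {m["host"].rstrip(".").lower(): m["ip"] for m in A_LINE.finditer(output)}
    records: List[SrvRecord] = []
    for m in SRV_BLOCK.finditer(output):
        target = m["target"].rstrip(".").lower()
        records.append(SrvRecord(int(m["priority"]), int(m["weight"]), int(m["port"]),
                                 target, addresses.get(target)))
    return records


def order_for_failover(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 order: lowest priority first. Within one priority real clients pick
    randomly in proportion to weight; here higher weight simply sorts first so the
    result is deterministic."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def check_srv_setup(records: List[SrvRecord],
                    expected_port: int = DEFAULT_AGENT_PORT) -> List[str]:
    """Problems a reviewer would flag in the auto-configuration record set."""
    if not records:
        return [f"no {SERVICE_NAME} SRV record returned; Agents cannot auto-configure"]
    problems: List[str] = []
    for r in records:
        if r.port != expected_port:
            problems.append(f"{r.target}: port {r.port} differs from the Application "
                            f"Server site port {expected_port}")
        if IPV4.match(r.target):
            problems.append(f"{r.target}: SRV target must be a host name, not an IP address")
        if r.address is None:
            problems.append(f"{r.target}: no A record resolved for the target host")
    return problems


def agent_server_url(record: SrvRecord, scheme: str = "http") -> str:
    """URL an Agent would derive from the record. Assumed form: the slide does not
    show the full SERVERURL value, only host and port."""
    return f"{scheme}://{record.target}:{record.port}/"


# Constructed nslookup output modelled on the slide's sample; the standby server
# and both IP addresses (TEST-NET-1 range) are made up for this example.
SAMPLE_NSLOOKUP = """\
_oit._tcp.oit-demo.local SRV service location:
          priority       = 0
          weight         = 0
          port           = 4884
          svr hostname   = win2003-oitsrv.oit-demo.local
_oit._tcp.oit-demo.local SRV service location:
          priority       = 10
          weight         = 0
          port           = 4884
          svr hostname   = oitsrv-standby.oit-demo.local
win2003-oitsrv.oit-demo.local   internet address = 192.0.2.10
oitsrv-standby.oit-demo.local   internet address = 192.0.2.11
"""

if __name__ == "__main__":
    recs = order_for_failover(parse_nslookup_srv(SAMPLE_NSLOOKUP))
    for r in recs:
        print(f"prio={r.priority} weight={r.weight} {agent_server_url(r)} -> {r.address}")
    print("problems:", check_srv_setup(recs) or "none")
```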

60 ObserveIT Windows Agent
The ObserveIT Agent – Automatic Installation: A sample batch file called ObserveIT.ClientInstall.cmd is included in the ObserveITAgent setup directory.
Installation parameters:
- SERVERURL (mandatory) – directs the Agent to communicate with the specified Application Server. You can also specify the port number. SERVERURL="
- SRVPOLTMPL (optional) – Server Policies Template to inherit policy-based configuration from upon installation. SRVPOLTMPL=" "
- PWD (optional) – the password that is defined on the ObserveIT Application Server. PWD=""
- PROVIDER (optional) – configures which computer name will control the Agent's API (for stopping and/or starting the Agent's recording). By default, and unless specified, the computer that will be able to control the Agent's API is the localhost (meaning, the computer on which the Agent is installed). You must specify a computer name; IP addresses cannot be used. PROVIDER="oitsrv"
Installation script sample:
    msiexec /i "%~dp0ObserveIT.ClientSetup.msi" /quiet /norestart SERVERURL=" /leo "C:\ObserveIT_Agent_setup.txt" SRVPOLTMPL=" " PWD="" PROVIDER=""
Removal script sample:
    msiexec /uninstall "%~dp0ObserveIT.ClientSetup.msi" /quiet

61 ObserveIT Windows Agent
The ObserveIT Agent – ActiveX Installation: ObserveIT Windows Agents can be installed on monitored machines by means of an ActiveX installation, which would most likely be embedded into the company’s intranet portals or into other mission-critical web-based applications. Once integrated with the website, whenever a user opens the web browser and connects to the relevant website, they will be prompted to download and install the ActiveX installation of the Agent. Once installed, and based on the configured settings, all the user actions that are performed inside that specific website or application will be recorded, while other applications or sites will be excluded. Once the user closes the website, the Agent will cease to function.

62 ObserveIT Windows Agent
The ObserveIT Agent – Hidden Installation from the “Add/Remove Programs” list: After the ObserveIT Agent is installed, the software will appear in the Add/Remove Programs applet in Control Panel. In addition, when running, a tray icon will appear in the tray notification area. In some cases, administrators might want the Agent to run in a hidden manner. The ObserveIT Agent installation file comes with a Custom installation option: if chosen, this option allows you to configure ObserveIT to run without displaying in Add/Remove Programs. The Agent can also be tied to a pre-existing recording policy, which allows the Admin to choose a policy without the tray icon shown. We will talk about server policies later in this presentation.
Installation script sample:
    msiexec /i "%~dp0ObserveIT.ClientSetup.msi" ARPSYSTEMCOMPONENT=1 /quiet /norestart SERVERURL=" /leo "C:\ObserveIT_setup.txt" SRVPOLTMPL="3f8feeb2-c878-40c5-a7b1-6dbcae09032c" PWD="" PROVIDER=""
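The parameter rules on slides 60 and 62 (SERVERURL mandatory, SRVPOLTMPL a template GUID, PROVIDER a computer name rather than an IP address, PWD guarding against rogue installs and uninstalls) are easy to get wrong in a deployment script. This added Python helper, which is not part of ObserveIT, validates a parameter set and composes the msiexec lines shown on the slides, and can also pull the properties back out of an existing script line for review; the host name, password and URL form in the sample are constructed, the GUID is the one quoted on slide 62.

```python
import re
import uuid
from typing import Dict, List, Optional, Tuple

MSI_NAME = "ObserveIT.ClientSetup.msi"          # package name from the slides
DEFAULT_LOG = r"C:\ObserveIT_Agent_setup.txt"    # log file path from slide 60
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def validate_agent_params(server_url: str, policy_template: Optional[str] = None,
                          password: str = "", provider: Optional[str] = None
                          ) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for an Agent parameter set, following the slides' rules."""
    errors: List[str] = []
    warnings: List[str] = []
    if not server_url:
        errors.append("SERVERURL is mandatory")
    elif not re.match(r"^https?://[^/\s]+", server_url):
        errors.append("SERVERURL must be an http:// or https:// URL of the Application Server")
    elif server_url.lower().startswith("http://"):
        warnings.append("SERVERURL uses plain HTTP; enable SSL on the Application Server site")
    if policy_template is not None:
        try:
            uuid.UUID(policy_template)
        except ValueError:
            errors.append("SRVPOLTMPL must be the GUID of a Server Policies Template")
    if not password:
        warnings.append("PWD is empty; Agent install/uninstall is not password-protected")
    if provider and IPV4.match(provider):
        errors.append("PROVIDER must be a computer name; IP addresses cannot be used")
    return errors, warnings


def build_install_command(server_url: str, policy_template: Optional[str] = None,
                          password: str = "", provider: Optional[str] = None,
                          hidden: bool = False, log_path: str = DEFAULT_LOG) -> str:
    """Compose the msiexec line from the slides; raises on parameters that would
    leave the Agent unable to reach its server or control its API."""
    errors, _ = validate_agent_params(server_url, policy_template, password, provider)
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["msiexec", "/i", f'"%~dp0{MSI_NAME}"']
    if hidden:
        parts.append("ARPSYSTEMCOMPONENT=1")  # keeps the Agent out of Add/Remove Programs
    parts += ["/quiet", "/norestart", f'SERVERURL="{server_url}"', "/leo", f'"{log_path}"']
    if policy_template:
        parts.append(f'SRVPOLTMPL="{policy_template}"')
    parts.append(f'PWD="{password}"')
    if provider:
        parts.append(f'PROVIDER="{provider}"')
    return " ".join(parts)


def build_removal_command() -> str:
    return f'msiexec /uninstall "%~dp0{MSI_NAME}" /quiet'


def parse_msiexec_properties(command: str) -> Dict[str, str]:
    """Extract NAME="value" public properties from a command line, e.g. when auditing
    an existing deployment script."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'\b([A-Z][A-Z0-9_]*)="([^"]*)"', command)}


if __name__ == "__main__":
    # Constructed values: host name, URL form and password are placeholders.
    cmd = build_install_command("https://oitsrv.oit-demo.local:4884/",
                                "3f8feeb2-c878-40c5-a7b1-6dbcae09032c",
                                password="EXAMPLE-PASSWORD", provider="oitsrv", hidden=True)
    print(cmd)
    print(parse_msiexec_properties(cmd))
    print(build_removal_command())
```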

63 ObserveIT Windows Agent
The ObserveIT Agent – Hide the Agent’s Icon: In order to hide the Agent's icon from the tray notification area you will need to create a new Server Policy, or modify an existing one.

64 ObserveIT Unix/Linux Agent

65 ObserveIT Unix/Linux Agent
The ObserveIT Agent is a user-mode executable that binds to every user’s interactive terminal connection. Acting as a man in the middle, the Agent can collect all TTY I/O, system calls, and functions a user performs or elicits. It can be installed on Solaris x86/x86_64/SPARC architectures and on Linux RedHat/CentOS 6.x releases, Ubuntu, AIX, and Debian. It can be installed on 32-bit and 64-bit flavors of the supported operating systems. The Unix/Linux Agent can monitor SSH, Telnet, PuTTY, and rlogin sessions.

66 ObserveIT Unix/Linux Agent
The ObserveIT Agent minimum requirements (hardware):
- CPU – 2.4 GHz or faster Intel or AMD processor
- Memory – 2 GB RAM or more
- Disk space – at least 1 GB of free hard disk space
- Network adapter – 100 MB/1 GB Ethernet adapter
Architectures: Linux: i386, x86-64; Solaris: SPARC, i386, x86-64; HP-UX: Itanium; AIX: PowerPC

67 ObserveIT Unix/Linux Agent
The ObserveIT Agent Solaris 10 system requirements (hardware):
- CPU – 2.4 GHz or faster Intel or AMD processor
- Memory – 1 GB RAM or more
- Solaris 9, update 9; SPARC
- Solaris 10, update 4 to update 11; x86/x64 or SPARC. Solaris Whole Root Zones are supported; you must install an ObserveIT Agent in each zone.
- Solaris 11, update 1; x86/x64 or SPARC
Note: The Solaris 10 Zones application and resource management feature allows operating systems to appear as virtual environments (zones) that are isolated and secure, thus providing operating system independence with some level of centralized resource management.
Prerequisites: libaio, libc, libcrypto, libcrypto_extra, libdl, libdoor, libgen, libm, libmd, libmp, libnsl, libpthread, librt, libscf, libsocket, libssl, libssl_extra, libumem, libuuid, libuutil, libxml2, libxnet, libz

68 ObserveIT Unix/Linux Agent
The ObserveIT Agent AIX 5.3 system requirements (hardware):
- CPU – 1.3 GHz or faster Intel or AMD processor
- Memory – 1 GB RAM or more
- AIX 5.3 (TL10 or higher), AIX 6.1, or AIX 7.1; 32-bit/64-bit
Prerequisites: libc, libcrypt, libcrypto, libdl, libiconv, libnsl, libpthread, libpthreads, libpthreads_compat, libssl, libthread, libtli, libxml2

69 ObserveIT Unix/Linux Agent
The ObserveIT Agent HP-UX system requirements (hardware):
- CPU – 1.3 GHz or faster Intel or AMD processor
- Memory – 1 GB RAM or more
- HP-UX versions and 11.31, Itanium architecture (64-bit)
Prerequisites: libc, libcrypto, libdl, libgen, libiconv, liblzma, libm, libnsl, libpthread, libssl, libxml2, libxnet, libxti, libz

70 Observeit Unix/linux Agent
The ObserveIT Agent RHEL/CentOS system requirements:
Hardware requirements
CPU – 1.3 GHz or faster Intel or AMD processor
Memory – 1 GB RAM or more
Supported versions
RHEL/CentOS , or ; i386/x86_64
Prerequisites: ld-linux, libc, libcom_err, libcrypto, libdl, libgssapi_krb5, libk5crypto, libkeyutils, libkrb5, libkrb5support, libm, libnsl, libpthread, libresolv, librt, libselinux, libssl, libutil, libuuid, libxml2, libz

71 Observeit Unix/linux Agent
The ObserveIT Agent Oracle Linux system requirements:
Hardware requirements
CPU – 2.4 GHz or faster Intel or AMD processor
Memory – 1 GB RAM or more
Supported versions
Oracle Linux , or ; i386/x86_64
Prerequisites: ld-linux, libc, libcom_err, libcrypto, libdl, libgssapi_krb5, libk5crypto, libkeyutils, libkrb5, libkrb5support, libm, libnsl, libpthread, libresolv, librt, libselinux, libssl, libutil, libuuid, libxml2, libz

72 Observeit Unix/linux Agent
The ObserveIT Agent SLES (SuSE) system requirements:
Hardware requirements
CPU – 2.4 GHz or faster Intel or AMD processor
Memory – 1 GB RAM or more
Supported versions
SLES SuSE 10 SP2-SP4, or SuSE 11 SP2-SP3; i386/x86_64
Prerequisites: ld-linux, libc, libcrypto, libdl, libm, libnsl, libpthread, librt, libssl, libutil, libuuid, libxml2, libz

73 Observeit Unix/linux Agent
The ObserveIT Agent Debian system requirements:
Hardware requirements
CPU – 2.4 GHz or faster Intel or AMD processor
Memory – 1 GB RAM or more
Supported versions
Debian 6 and 7 (64-bit)
Prerequisites: ld-linux, libc, libcrypto, libdl, libm, libnsl, libpthread, librt, libssl, libutil, libuuid, libxml2, libz, liblzma

74 Observeit Unix/linux Agent
The ObserveIT Agent – Capturing Data: When a user creates a session on a server, the Agent is started and begins recording based upon a pre-determined recording policy, which is downloaded from the Application Server. The ObserveIT Unix/Linux Agent is triggered by Command Line Interface (CLI) events. When a user is inactive, the Agent is not recording; it is active only when CLI activity is detected. Even while active, the Agent captures data only when triggered: it then captures commands and their output, together with the metadata of selected system calls (such as OPEN/CHOWN/UNLINK and other file-operation system calls).

75 Observeit Unix/linux Agent
The ObserveIT Agent – Capturing Data: The ObserveIT Unix/Linux Agent captures all the internal actions and the names of files/resources affected by command line operations.
Command line: Each user command line entry is captured.
Visual screen activity: Everything on the screen is visually recorded, including user input and screen output.
System calls: ObserveIT also captures the system calls triggered by each user command. Every file create/delete/open/permission change, process creation and link creation is fully exposed. (For example, if the user runs an alias script named innocentScript that includes system calls to delete files and change user permissions, this information is also captured.)
Resources affected: In addition, each file or resource affected by the user command is captured. (For example, if the user types rm *.txt, ObserveIT will show the exact name of each file that was deleted.)

76 Observeit Unix/linux Agent
The ObserveIT Agent – Architecture: The Unix/Linux Agent uses a technique known as "library/function interposition" in order to hook/inject itself into processes. It remains inactive until the moment it detects the creation of an interactive session (by virtue of the creation of a new pseudo tty device). When activated, it spawns an auxiliary process (logger) that receives the metadata reports ("interesting" system calls and library functions) sent by the agent hooked into the child processes. The logger process also collects all the interactive (keyboard input/output) data passing through the original pseudo tty device. When the interactive session terminates, the logger also exits, after making sure all the data has been sent to the server.

77 Observeit Unix/linux Agent
The ObserveIT Agent – Network Utilization: A typical CLI event is considered to run from the moment Enter is pressed until 1 KB of data is accumulated, or until a maximum of 5 seconds has passed since the last event. A session with high CLI activity and intensity will produce more data, and therefore more packets will be sent from the Agent to the Application Server. The data of a typical average user event, including metadata, consists of 10 – 20 KB. Since the Agent only captures user actions and trims idle time, bandwidth usage is relatively low. Client-side or server-side compression can be used to reduce the size of the traffic transmitted by the Agents to the Application Server, but it will incur additional CPU resource usage on the client side.

78 Observeit Unix/linux Agent
The ObserveIT Agent – Network Utilization: The ObserveIT Agent uses an average of 5-20 MB of RAM, about 0.1% CPU utilization when idle and 0.7% CPU utilization on average when recording. The ObserveIT Agent only consumes resources when a user is logged on to the monitored server(s).

79 Observeit Unix/linux Agent
The ObserveIT Agent – Security: Unlike other Unix/Linux utilities that log user actions, users (even root users) are not able to close the Agent in any way. The Agent embeds itself into any shell that is derived from a login process. This mechanism is connected both to the shell and to the auditing process, thus removing any opportunity to tamper with or close the Agent without closing the shell. The Agent transfers all captured data to the ObserveIT Application Server securely, using advanced encryption algorithms.

80 Observeit Unix/linux Agent
The ObserveIT Agent – Security: When triggered, the Agent captures CLI activity and, at the same moment, the metadata of the system calls invoked by the commands. The ObserveIT Agent auxiliary process (logger) sits between the pseudo tty and the interactive shell (man-in-the-middle). If this process is terminated, the interactive session (shell) is terminated as well.

81 Observeit Unix/linux Agent
The ObserveIT Agent – Solaris: Agent installation is simple, and can be a one-step or a two-step process.
Installation + Agent registration: ./observeit-agent-solaris10-i386-release-5.5.xx.run -- -I -s <ServerIP>:<Port>
No reboot is required!
Agent health check: /usr/lib/obit/oitcheck
Follow the steps outlined in this document to install the ObserveIT Agent:
1. Obtain the ObserveIT Unix Agent installation file and copy it to the Unix server(s).
2. Log in to the target server with root permissions, or alternatively use the pfexec command.
3. Run the ls -l command and verify that the file has execute permissions (-rwxr-xr-x). Otherwise, use chmod +x on the Agent's file name.
4. Run the following command (based on the system CPU architecture):
For Solaris i386: ./observeit-agent-solaris10-i386-release-5.3.xx.run -- -s <ServerIP>:<Port>
For Solaris SPARC: ./observeit-agent-solaris10-sparc-release-5.3.xx.run -- -s <ServerIP>:<Port>
where <ServerIP> is the IP address or name of the ObserveIT Application Server and <Port> is the TCP port used by the ObserveIT Application Server. By default, the port number used by the ObserveIT Application Server is 4884. Please review the following examples:
A FQDN (Fully Qualified Domain Name) like: oit-srv.observeit-sys.local or oit-srv.observeit-sys.local:5775
An IP (Internet Protocol) address of the ObserveIT Application Server, with the port appended in the same way (for example :5775)
By default, ObserveIT's server installation will create an additional web site that will be configured to listen on TCP port 4884. Please read the ObserveIT Enterprise Installation, Change IIS 6.0 Listening Port or Change IIS 7.X Listening Port help topics respectively for more information. If the ObserveIT Application Server is configured to use the default TCP port (4884), you may omit the server port. However, if the ObserveIT Application Server port is changed, you will need to specify the alternative port.
In addition, you may use the -p <POLICY-GUID> option, where <POLICY-GUID> is the GUID of the policy you wish to link the Agent to.
Installation output sample:
Verifying archive integrity... All good.
Uncompressing ObserveIT Solaris agent...
Installing ObserveIT agent
Copyright 2010 ObserveIT LTD. All rights reserved. Use is subject to license terms.
Installation of <OBSVobit> was successful.
Successfully registered this machine and saved configuration
Close current session by typing exit or pressing CTRL+D.
Agent health status: You may wish to check the Agent's registration and health status. To do so, run the following command: /usr/lib/obit/oitcheck
The result should look like this:
Detected Solaris OS
Check for OBSVobit package: PASS VERSION: 5.3.xx
Check for obitd service: PASS STATUS: online
Check that obitd daemon running: PASS
Check for /var/run/observeit directory: PASS
Check for /etc/observeit/obit.conf: PASS
HostURL:
WebConsoleURL:
Check for liboit.so.1 linkage: PASS
If all checks passed successfully, you may begin using the ObserveIT Agent. All the user actions in remote SSH and Telnet sessions will now be recorded. To begin recording user actions that are performed on the monitored Unix servers, you must close the current session (which was used to perform the installation outlined above, if it is still open). Then, open a new SSH session to the monitored server. To view the recorded sessions, please use the ObserveIT Web Management Console.

82 Observeit Unix/linux Agent
The ObserveIT Agent – Linux: Here too, Agent installation can be a one-step or a two-step process.
Installation + Agent registration: ./observeit-agent-linux-5.5.xx.run -- -I -s <ServerIP>:<Port>
No reboot is required!
Agent health check: /usr/sbin/oitcheck
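Verifying registration across many servers is easier when the oitcheck output from the Solaris and Linux slides is parsed rather than eyeballed. The following Python parser is an added example, not ObserveIT code: the PASS lines and paths follow the sample output on the Solaris slide, while the FAIL wording, the URL values and the degraded sample are constructed assumptions.

```python
"""Parse the output of /usr/lib/obit/oitcheck (Solaris) or /usr/sbin/oitcheck (Linux).

Added example, not ObserveIT code. PASS lines follow the sample output on the
slide; the FAIL wording and the URL values are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# "Check for <thing>: PASS [detail]" / "Check that <thing>: PASS [detail]"
CHECK_RE = re.compile(r"^Check (?:for|that) (?P<name>.+?): (?P<status>PASS|FAIL)(?: (?P<detail>.*))?$")


@dataclass
class AgentHealth:
    os_name: str = ""
    host_url: str = ""          # Application Server the Agent registered with
    web_console_url: str = ""
    checks: dict = field(default_factory=dict)  # name -> (status, detail)

    @property
    def healthy(self) -> bool:
        """True only if at least one check was seen and every check passed."""
        return bool(self.checks) and all(s == "PASS" for s, _ in self.checks.values())

    def failed(self) -> list:
        return [name for name, (status, _) in self.checks.items() if status != "PASS"]

    def registered_with(self, server: str) -> bool:
        """Guard against an Agent that registered with the wrong Application Server."""
        return server.lower() in self.host_url.lower()


def parse_oitcheck(output: str) -> AgentHealth:
    health = AgentHealth()
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Detected "):
            health.os_name = line[len("Detected "):]
            continue
        m = CHECK_RE.match(line)
        if m:
            health.checks[m["name"]] = (m["status"], (m["detail"] or "").strip())
        elif line.startswith("HostURL:"):
            health.host_url = line.split(":", 1)[1].strip()
        elif line.startswith("WebConsoleURL:"):
            health.web_console_url = line.split(":", 1)[1].strip()
    return health


# Constructed sample: check lines come from the slide; the URLs are placeholders
# built from the FQDN and default port quoted on the same slide.
HEALTHY_SAMPLE = """\
Detected Solaris OS
Check for OBSVobit package: PASS VERSION: 5.3.xx
Check for obitd service: PASS STATUS: online
Check that obitd daemon running: PASS
Check for /var/run/observeit directory: PASS
Check for /etc/observeit/obit.conf: PASS
HostURL: http://oit-srv.observeit-sys.local:4884/
WebConsoleURL: http://oit-srv.observeit-sys.local/
Check for liboit.so.1 linkage: PASS
"""

# Constructed degraded sample (the FAIL wording is an assumption): obitd is down.
DEGRADED_SAMPLE = HEALTHY_SAMPLE.replace(
    "Check for obitd service: PASS STATUS: online",
    "Check for obitd service: FAIL STATUS: offline",
).replace("Check that obitd daemon running: PASS", "Check that obitd daemon running: FAIL")

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY_SAMPLE), ("degraded", DEGRADED_SAMPLE)):
        h = parse_oitcheck(sample)
        print(label, "->", "OK" if h.healthy else f"FAILED: {h.failed()}")
```

Running the parser over the output collected from each server (for example over SSH) gives a single pass/fail per host plus the list of failed checks, which is what an Agent rollout needs to verify.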

83 ObserveIT Application Server

84 Observeit Application Server
The Application Server is the central aggregation point for all user activity data collected by Agents and is responsible for getting all collected user activity data from the Agents into the Database. Each ObserveIT Application Server can handle up to 250 CCUs. It is important to note that the number of Agents is not the critical aspect of sizing for the Application Server; what matters is the number of CCUs those Agents are monitoring. After being captured by the Agent, both the textual metadata and the graphic image are bundled into a packet and sent to the ObserveIT Application Server. The ObserveIT Application Server is a stateless ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS). It receives the data from the Agent, validates it, and then stores it in the ObserveIT Database. In addition, the Application Server periodically provides configuration information to the Agents.

85 Observeit Application Server
The Application Server minimum system requirements:
Hardware requirements
Operating system: Windows Server 2008 and higher
CPU: 4-8 cores
RAM: 8-16 GB
Hard disk: 80 GB
The machine can be virtual if all performance issues are taken into consideration.
Software requirements
Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system). Both 32-bit and 64-bit versions are supported.
Microsoft Internet Information Server (IIS) 6.0 or higher with ASP .NET (version depends on the version of Windows Server that you're using)
.NET Framework (version 4.0 must always be installed).

86 ObserveIT database Server

87 Observeit Database Server
The Database server stores all ObserveIT user activity logs, reports and configuration settings. Graphical images can either be stored inside the SQL database or on a file system. Average disk space for an eight-hour desktop working session is 0.2 GB per user. This number is composed of two parts: user activity logs (30% of the total storage) and screen images (70% of the total storage). This will be drastically reduced if a custom recording policy is enabled that excludes applications and/or users from the recording. All the data captured by ObserveIT is stored in a Microsoft SQL Server database on the Database Server. The screen images are stored along with the User Activity Logs describing what is seen on the screen, which enables very powerful searches across the entire enterprise. Normally, ObserveIT stores all recorded data - visual images and metadata - in a Microsoft SQL Server. Using Microsoft SQL Server ensures compatibility with industry standards and with backup and high-availability products and solutions.

88 Observeit Database Server
The Database Server minimum system requirements:
Hardware requirements
Operating system: Windows Server 2008 and higher
CPU: 4-8 cores
RAM: 8-16 GB
Hard disk: 80 GB
SQL logs hard disk: 500 GB (1 TB)
It is recommended that the machine be physical for large deployments.
Software requirements
Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system).
SQL Server 2008/2008 R2/2012 with the latest Service Pack, or SQL Server 2008 R2 Express Edition
Note: It is recommended that you use a regular full-featured version of SQL Server, as the Express Edition has database size limitations (for example, 10 GB in SQL Server 2008 R2 Express).

89 Observeit Database Server
The ObserveIT Database – Using a Local File System Store: Screenshots can be stored in a centralized file-system location (NAS/SAN). ObserveIT still requires SQL Server to store all the recorded metadata, image pointers and configuration settings. The amount of data recorded by the ObserveIT Agents is not a constant number, but depends on the profile of a typical recorded user session. You need to determine the number of user actions per typical session, and the number of such sessions per day/week/month. The overall size of the database can be predicted from the typical session sizes captured during the POC phase. Normally, ObserveIT stores all recorded data - visual images and metadata - in a Microsoft SQL Server. Starting from version 5.3, ObserveIT can be configured to store all recorded visual images on the database server's local hard disk. Note that this does not mean that you can install ObserveIT without a functional SQL Server: ObserveIT still requires SQL Server for the recorded metadata, image pointers and configuration settings. To change the data storage location from the SQL Server database to the local file system, follow these steps:
1. Use Notepad or any similar text editing tool to edit the "SQLPackage.exe.config" file located in the DB folder which was created when you extracted the setup files from the archive.
2. Locate the following line: <add key="FileSystemPath" value="" />
3. In the value="" field, enter the full path to the folder where you want to store all the recorded visual images. For example: <add key="FileSystemPath" value="C:\OIT-Data" />
Note: Make sure you have enough storage space on the disks that hold that folder. Data can quickly accumulate both in file numbers and overall data size. Also, make sure you implement all relevant file-level security on this folder in order to prevent any unauthorized user from being able to access and make changes to this folder. ObserveIT will not control the security aspects of this configuration.
4. Save the file.
5. Proceed with the database installation.

90 Observeit Database Server
The ObserveIT Database – Database Sizing: A typical average user action screenshot is ~5 – 15 KB in size. Each screenshot's size is affected by a number of parameters:
Gray scale or color recording – the default is gray scale.
Client screen resolution – the higher the screen resolution, the more data is captured.
Client using multiple monitors – clients using 2 monitors will generally generate almost twice the amount of captured data of a client working with just one monitor.
Filtering applications – by default, all applications are recorded in normal sessions. You can filter them and record only specified applications.
File location: C:\Program Files\ObserveIT\ObserveITAgent\bin\rcdcl.exe.config

91 Observeit Database Server
The ObserveIT Database – Database Sizing: An existing ObserveIT client with around 1000 servers averages 500 GB per year with a moderate level of activity. Servers with multiple concurrent user sessions, such as Terminal or Citrix servers, require more space, depending on the amount of user activity. This modest requirement is because:
No idle time is recorded
Gray scale is used
Data is compressed
The recorded applications can be filtered (i.e. only record management tools, LOB applications, or all except specific applications)

92 Observeit Database Server
The ObserveIT Database – Database Sizing: Data is, by default, never deleted from the ObserveIT database. To help reduce database sizes:
Archive old data that may be needed in the future and store it in an offline database.
Filter the applications that are recorded (i.e. only record management tools, LOB applications, or all except specific applications).
A feature to purge data can be enabled to remove all data collected for a server from a database.
Individual sessions can be removed via a query run directly against the database.
For security protection, ObserveIT does not allow data to be deleted within 72 hours of its creation.

93 Observeit Database Server
The ObserveIT Database – Database Security: When enabling DB Security, the data is digitally signed and encrypted when it is stored in the database, and a watermark is displayed on each slide. Access to the data is limited by permissions defined within the Web Management Console. Encryption via certificate can be enabled to secure data both at rest and in transit. Screen captures are stored in a SQL database or on a file system, encrypted with a Rijndael 256-bit key (AES encryption). To protect this key, it is encrypted with a 2048-bit X.509 certificate (with an RSA encryption key). Tip: ObserveIT stores all data inside SQL databases. By utilizing your existing backup solutions you can easily back up your SQL server, and thus protect your ObserveIT data and configuration. If needed, you can also consult these online Microsoft knowledge base articles: SQL Server 2000 Backup and Restore; Backing Up and Restoring Databases in SQL Server; How to: Back Up a Database (SQL Server 2008); Backup Overview (SQL Server).

94 ObserveIT web console Server

95 Observeit web console
The ObserveIT Web Console – Main tasks:
The Web Console provides ObserveIT's web-based user interface. Reporting, analytics, alerting, user session playback and configuration management are all performed via the Web Console. A single Web Console is deployed per ObserveIT deployment.
Web Console main tasks:
Replay sessions
Search, report, and alert
Configuration
The Web Console is an ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS). Granular permissions can be granted for specific ObserveIT administrators (called Console Users) to only view data recorded on specific servers or for specific users. Access to the Web Management Console is audited. It is the only way to access the information stored in the ObserveIT Database.

96 Observeit web console
The Web Console Server minimum system requirements:
Hardware requirements
Operating system: Windows Server 2008 and higher
CPU: 4-8 cores
RAM: 8-16 GB
Hard disk: 80 GB
The machine can be virtual if all performance issues are taken into consideration.
Supported browsers
Internet Explorer (IE) – 9, 10, and 11
Mozilla Firefox – 31 and higher
Google Chrome – 36 and higher
Software requirements
Microsoft Windows Server 2008/2008 R2/2012/2012 R2 (it is recommended that you always use the latest Service Pack for your operating system). Both 32-bit and 64-bit versions are supported.
Microsoft Internet Information Server (IIS) 6.0 or higher with ASP .NET (version depends on the version of Windows Server that you're using)
.NET Framework (version 3.5 must always be installed).

97 ObserveIT custom installation

