ObserveIT Technical Training Ilan Sharoni Director Technical Sales/Pre Sales ilan@observeit.com
Agenda
• ObserveIT Architecture
• “One Click” Installation (+Unix Installation)
• Configuring ObserveIT
• Basic Use Cases
• ObserveIT Deployment Scenarios

Lab setup – Course Specific
• Each student runs VMware Workstation
• 1 VM running Microsoft Windows Server 2008 R2
  • Active Directory
  • Microsoft SQL Server 2008 Express
  • ObserveIT latest version binaries
  • Reseller license file
• 1 VM running CentOS
• 1 VM running Ubuntu (Optional)

WHAT IS OBSERVEIT
• Platform for User Activity Monitoring
• Acts like a security camera on your servers
• Helps meet the compliance and security challenges
• ObserveIT captures all activity, even for applications that do not produce their own internal logs
• Identity Theft Detection
• Shared Account handling
• Key Logger

ObserveIT Architecture
• ObserveIT is a client/server, scalable, distributable software application. It consists of four components:
  • ObserveIT Agent(s)
  • ObserveIT Application Server(s)
  • ObserveIT Web Management Console
  • ObserveIT Database Server
(Diagram: ObserveIT Agent → Application Server → Web Console → Database Server; ObserveIT Admin)

ObserveIT Agent - Recording
• Records user activity (metadata + screen capture)
• Runs on Windows and Unix
• Sends recorded information to the “ObserveIT Application Server”
• Recording is based on the “Recording Policy”

ObserveIT Application Server
• Manages multiple Agents
• Receives user activity information from the Agents
• Stores recorded data in a centralized database (SQL Server or filesystem)

ObserveIT Web Console
• IIS Web application
• Main features:
  • View stored sessions
  • Configure the “Recording” Policy
  • Configure the “Access Control” Policy
ObserveIT Databases
• Supports both Microsoft SQL Server databases and filesystem storage
• Data is secured: digitally signed and encrypted
• Data can be archived
Supported Platforms - Agents
• Windows:
  • Windows 2000 - 2008 Server
  • Vista, XP, Windows 7
• Unix:
  • Solaris 10 u4-u10
  • RHEL / CentOS 5.4, 5.5, 5.6, 6.x
  • Ubuntu 10.0.4
  • AIX 5.3

Supported Platforms - Application Server
• Windows 2003 Server
• Windows 2008 Server
• .NET 2.0
• IIS 6.0 or 7.0
ObserveIT – Demo (the instructor will give a 30-minute demo of the product)
Installing ObserveIT
• The "One Click" installation method is the easiest way to deploy ObserveIT
• If needed, each of the ObserveIT components can be installed separately as part of a custom installation
• Installation order:
  • Database creation
  • Web Management Console server
  • Application server
  • Windows Agents
“One Click” Installation
• To run the ObserveIT “One Click” installer, run the Setup.exe file.
• The main installation screen has 3 separate configuration sections:
  • SQL Server settings
  • Web applications (Web Management Console and Application Server) settings
  • Licensing
• The installation will also install an Agent locally.

Database
The following databases will be created:
• ObserveIT
• ObserveIT_Data
• ObserveIT_Archive_1
• ObserveIT_Archive_template
The following user will be created: ObserveITUser (do not delete it or change its password!)
Hands on – VM Setup and ObserveIT “One Click” installation
• Follow Student Guide sections:
  • 1 – Introduction
  • 2 – Prerequisites & System Requirements
  • 3 – One-Click Installation
  • 5.11 – Installation ObserveIT Agent on CentOS
  • 5.12 – Installation ObserveIT Agent on Ubuntu
• Length: 45 minutes
Configuring ObserveIT • Presentation: “ObserveIT_user_Training_guide__Configuring_ObserveIT_<date>.PPT”
Logging on to the Web Console
• Use the following URL to connect to the ObserveIT Web Management Console:
  • http://servername:4884/ObserveIT
• If this is your first time using the ObserveIT Web Management Console, you will be prompted to change the default "Admin" password.

The ObserveIT Web Console – Sessions browser
• Areas to replay sessions and study the recorded data:
  • Server Diary
  • User Diary
  • Search
  • Reports
Windows User Activity recording
• The Agent records the users and applications that are specified in the recording policy
• Only user activity is recorded
• User idle time is not recorded – movie, script
• Video Analysis contains “Window Title” and “Application Name”
Unix User Activity recording
• The Agent records the users that are specified in the recording policy
• All SSH in/out is recorded (not related to user activity)
• Idle time – relevant for session timeout only
• Video Analysis contains “System Calls” and “Function Calls”
The trainer will give a demo of the:
• Reports
• Search

Hands on – Basic use cases
• Follow Student Guide section 4, Basic Use Cases:
  • 4.1 Simulating User Activity
  • 4.2 Auditing the User Activity
  • 5.13 Simulate User Activity on Unix
  • 5.14 View Linux Recorded Session
• Length: 60 minutes
ObserveIT Deployment Scenarios
• A typical ObserveIT installation consists of multiple monitored servers (or Agents), each installed on a separate physical or virtual Windows-based or Unix-based operating system.
• There are 4 typical types of deployment scenarios:
  • Small deployment
  • Medium to large deployment
  • High-Availability deployment
  • Terminal/Citrix Remote Access gateway deployment

Small Deployment
• Less than 100 servers
• 5-10 administrators in a single data center
• The Application Server and the Web Management Server will be installed on the same platform
• The Database Server can be installed on the same platform (“All in one”)
(Diagram – Small Deployment: Agents → HTTP Traffic → “All in one” server hosting the Database Server, Application Server and Web Console; ObserveIT Admin)
Medium to Large Deployment
• 100-1000 servers
• Application Server + Web Console on the same machine
• Microsoft SQL Server on a separate machine
• If needed, the customer’s existing SQL Server can be used, or a new instance can be created
• ObserveIT Events, Metadata and Configuration are stored in SQL Server
• Screens/Slides are stored on the File System
(Diagram – Medium to Large Deployment: Agents → HTTP Traffic → Application Server + Web Console → SQL Traffic → Database Server; RAID network File System; ObserveIT Admin)
High Availability Deployment
• Multiple Application Servers
• Using a “Load Balancer” or DNS “Round Robin”
• Cluster-based implementation of Microsoft SQL Server
• SQL Server will most likely be using a dedicated storage device
• ObserveIT recorded videos will be saved on a RAID shared network device
High Availability Deployment – DNS Round Robin
DNS Records:
  oitsrv A 192.168.100.11
  oitsrv A 192.168.100.12
Round Robin enabled and record cache set to 0
(Diagram: Agents → HTTP Traffic → Active Application Server 1 (192.168.100.11) and Active Application Server 2 (192.168.100.12) → SQL Traffic → MS SQL Failover Cluster; DNS Server)

High Availability Deployment – Load Balancing Cluster
DNS Records:
  oitsrv A 192.168.100.10
*Offline Mode enabled
(Diagram: Agents → HTTP Traffic → Load Balancing Cluster (192.168.100.10) → Active Application Server 1 / Active Application Server 2 → SQL Traffic → MS SQL Failover Cluster; RAID network File System; DNS Server)
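As an added example (not part of the deck and not ObserveIT code), a Python health check for the round-robin layout above: it resolves oitsrv, compares the published A records with the two Application Server addresses on the slide, and probes each one on the Web Console port 4884 at /ObserveIT. The hostname, addresses, port and path come from the slides; treating any non-5xx HTTP answer as "alive" is an assumption.

```python
import socket
import urllib.error
import urllib.request

# Values taken from the slides: two A records for "oitsrv", and the
# Web Console URL http://servername:4884/ObserveIT.
APP_SERVER_HOSTNAME = "oitsrv"
EXPECTED_APP_SERVERS = {"192.168.100.11", "192.168.100.12"}
WEB_PORT = 4884
WEB_PATH = "/ObserveIT"


def resolve_a_records(hostname, resolver=socket.getaddrinfo):
    """Return every IPv4 address currently published for hostname.

    getaddrinfo returns the whole round-robin set at once, so an address
    missing here means an Application Server has dropped out of DNS.
    """
    infos = resolver(hostname, WEB_PORT, socket.AF_INET, socket.SOCK_STREAM)
    return {sockaddr[0] for _, _, _, _, sockaddr in infos}


def probe_http(ip, timeout=3.0):
    """True if the host answers HTTP on 4884 (assumption: any non-5xx counts)."""
    url = "http://%s:%d%s" % (ip, WEB_PORT, WEB_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status < 500
    except urllib.error.HTTPError as err:
        return err.code < 500          # e.g. 401/403: alive, but wants auth
    except (urllib.error.URLError, OSError):
        return False                   # refused, timed out, unreachable


def check_ha(hostname=APP_SERVER_HOSTNAME, expected=EXPECTED_APP_SERVERS,
             resolver=socket.getaddrinfo, probe=probe_http):
    """Compare DNS with the expected server set, then probe each published IP."""
    published = resolve_a_records(hostname, resolver)
    dead = {ip for ip in published if not probe(ip)}
    return {
        "published": published,
        "missing": expected - published,     # server silently removed from DNS
        "unexpected": published - expected,  # address nobody provisioned
        "dead": dead,                        # in DNS but not answering on 4884
        "healthy": published == expected and not dead,
    }


if __name__ == "__main__":
    for key, value in check_ha().items():
        print("%-10s %s" % (key, sorted(value) if isinstance(value, set) else value))
```

Because agents resolve oitsrv with the record cache at 0, an address that is still in DNS but dead will keep receiving a share of agent traffic; the "dead" set is the one to alert on.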
TS/Citrix Remote Access Gateway Deployment
• Remote connections will connect to the Terminal Server(s) or Citrix Server(s).
• On these machines, only the applications required for the remote users' work will be published.
• The ObserveIT Agent will be installed on the Terminal Server(s) or Citrix Server(s), capturing all remote sessions on these machines.
• Visual recording will be available for all the remote users' actions.
• Less metadata will be available for the recorded sessions.
(Diagram – Gateway Jump-Server Deployment: Remote and local users (Internet) connect with PuTTY / MSTSC to an SSH Gateway Server running the ObserveIT Agent; from there to Corporate Servers (no agent installed) and Corporate Desktops (no agent installed); ObserveIT Management Server)

(Diagram – Hybrid Deployment: Remote and local users (Internet) connect with PuTTY / MSTSC to an SSH Gateway Server running the ObserveIT Agent; from there to Corporate Servers (no agent installed) and Corporate Desktops (no agent installed); Sensitive production servers (agent installed) also accept Direct login (not via gateway); ObserveIT Management Server)
(Diagram – PUPM Active-X architecture: PUPM Server 10.2.56.78; User desktop Machine 10.2.56.74 (“Login to this machine only”); Machine “17” is in the “My Privileged Accounts” list in the PUPM server; RDP to 10.2.3.17 (DimaW2003 machine 10.2.3.17); ObserveIT Agent CAB Transfer from OIT Server 10.2.56.76, which contains the installation CAB)
Integration with Active Directory
• Authentication requirement:
  • Web Console user authentication
  • Secondary Identification
• Data query requirement:
  • Identity theft (email to user)
  • One Time Password (SMS to the user's phone)

(Diagram – Integration with Active Directory: LDAP Traffic (TCP 389) to a Windows Server 2003/2008 Domain Controller; Agents → HTTP Traffic → Application Server + Web Console → SQL Traffic → Database Server; ObserveIT Admin)
The ObserveIT Components
• ObserveIT Agent
  • Windows Agent
  • Unix / Linux Agent
• ObserveIT Server-side components
  • Application Server
  • Web Management Console
  • Database

ObserveIT Agent
• The ObserveIT Agent is installed on all systems which require monitoring.
• There are 2 versions of the Agent:
  • Windows version – runs on all versions of Microsoft Windows operating systems (32 and 64-bit)
  • Unix/Linux version – runs on several versions of Unix/Linux (32 and 64-bit)

The Windows Agent
• The ObserveIT Agent is a software component that is installed on any Windows-based operating system (server and desktop versions) that you wish to record.
• The ObserveIT Agent is a user-mode executable that binds to every Desktop User Session.
• It can be installed on any version of Windows, starting from NT 4.0 up to Windows 7 and Windows Server 2008 R2.
• Supports:
  • 32-bit machines
  • 64-bit machines
The Windows Agent – Capturing Data
• As soon as a user creates a session on a monitored server, the Agent is started and begins recording, based upon a pre-determined recording policy.
• The ObserveIT Agent is triggered by user activities such as keyboard and mouse events.
• Idle time – when a user is reading, or inactive – is not recorded.
• When triggered, the Agent performs a screen capture.
• At the same moment it captures textual metadata of what is seen on the screen (window title, executable name, date, time, user name, etc.).
The Agent – Offline Mode (Windows+Unix)
• The ObserveIT Agent can be configured to allow offline caching of recorded data.
• This is useful in the event of network malfunctions or disconnection, and for NLB scenarios.
• When network connectivity is reestablished, the Agent transmits the locally cached data back to the Application Server.
• In order not to fill the local disk, by default the local cache holds 1000 screenshots. This number is configurable.