Frequently Asked Questions

Record & Replay Terminal, Citrix and Secure Remote access VPN SSL Sessions

ObserveIT is software that is easy to deploy, configure and manage. New installations are easily performed by using 'One Click' setup procedures, and within minutes you will be able to record, replay and work with ObserveIT.

This section accumulates some of the most frequently asked questions we receive from our customers and potential clients.

If you still cannot find an answer to your question, we strongly recommend reading the product's documentation and consulting the Getting Started section. If your question is still unresolved, you are welcome to use the online support page to send your question to our support staff.


Functionality

Q. ObserveIT has recorded many user sessions. How do I find what I'm looking for? Do I need to view each recorded session?
A. No, this is ObserveIT's main benefit and one of the fundamental reasons you are using ObserveIT: the ability to easily and quickly find the information you need about what is happening on your servers. ObserveIT's unique, patented technology provides multiple search capabilities (context-sensitive, free text and reports) that are specifically designed to allow you to pinpoint the exact actions you are interested in.

Q. Can I control what ObserveIT records?
A. Yes, within the Web Console it is possible to define what the Agent records. By using inclusion or exclusion, you can control many aspects of the recording policy, such as the users being recorded, the list of applications being recorded, and so on.

Q. Can I export videos?
A. Yes, an entire session or part of a session can be exported to a standalone executable of the video sequence. This can be used for offline viewing or as evidence for user actions in case such information is required by an auditor.

Q. If someone is logged in as an administrator and their actions were recorded, how do I know the name of the actual user that's logged in?
A. Part of the ObserveIT configuration is the ability to identify generic accounts, like the built-in Administrator, that require additional authentication when used to log in to a server. The Agent uses ObserveIT Identification Services to prompt for additional identification and authentication before the user is allowed to proceed. All actions performed on the server are then linked to the specific user account. With this feature, you can easily identify which of your external vendors using the built-in Administrator account has logged on, and you can use this information to filter which recordings you need to watch.

Q. What types of reports are available in the ObserveIT Web Console?
A. Within ObserveIT's Web Console you can view many types of reports. These reports are created by querying from three main components - server, user, and a resource which can be any screen element that the user interacts with: menus, application dialog, files and so on. The following are examples of some of the ObserveIT reports:
  • List users that have accessed selected servers by date and time
  • List users that have accessed selected resources such as files, applications, configuration property pages, etc.
  • List resources (registry entries, applications, screens, files, etc.) that were accessed on selected servers by date and time
  • List installed/uninstalled applications on selected servers
  • List installed/uninstalled applications by selected users

Q. ObserveIT has recorded activities performed by consultants and external vendors. How can I use these videos for training and knowledge management?
A. When you identify that a portion of the captured user session correctly represents a best practices method, or otherwise demonstrates the correct process for repeated tasks, you can tag that recording and save it for training purposes. These recordings can be later accessed by using the ObserveIT Web Console without having to go through the search process again.

Q. What types of alerting mechanisms are available in ObserveIT?
A. ObserveIT provides a mechanism for third-party monitoring and management software to interact with the metadata that is stored within ObserveIT's database. Through this interaction you can configure your existing monitoring tools to generate an alert whenever a specified resource is accessed. This includes access to files, registry entries, application property pages or any other screen element. These alerts can be sent by email, pager, SNMP event or SMS, based upon the capabilities of your existing monitoring software.

Architecture

Q. What server-side operating systems are supported by ObserveIT?
A. All versions of Windows NT/2000/2003/2008 Server are currently supported, including 32-bit and 64-bit versions.

Q. What client-side operating systems are supported by ObserveIT?
A. The ObserveIT Agent can be installed on the following platforms:
Windows: NT/2000/2003/2008 and Windows XP/Vista/7, including 32-bit and 64-bit versions.
Unix:
  • Linux RedHat/CentOS versions 5.4 to 5.6, including 32-bit and 64-bit versions.
  • Solaris 10 updates U4 to U9 (SPARC and x86 processors)

Q. What versions of IIS are supported by ObserveIT?
A. All IIS versions that are part of Windows 2000/2003/2008 Server are currently supported, meaning IIS 5.0/6.0/7.0/7.5.

Q. What versions of SQL are supported by ObserveIT?
A. All SQL versions are currently supported, meaning SQL 2005/2008 and MSDE/SQL Server 2005 Express Edition.

Q. What versions of Internet Explorer does the ObserveIT Web Console run on?
A. The Web Console is best viewed by using Internet Explorer 6, 7 and 8.

Q. Does the ObserveIT Web Console run on Firefox, Safari, Chrome, Opera or other web browsers?
A. Yes, the Web Console can be viewed by using other non-IE web browsers such as Firefox, Safari, Chrome or Opera.

Q. What are the components of the ObserveIT architecture?
A. The Application Server, Management Server (Web Console) and Database Server can be installed on a single server or distributed on multiple servers, based upon the client's requirements and performance tuning. The ObserveIT Agent is deployed on any server that is to be monitored in the enterprise. The following diagram illustrates the components and their relationship.
[Diagram: ObserveIT architecture]

Q. How many servers, desktops and network devices can ObserveIT monitor?
A. There is no inherent limit on the number of managed instances. ObserveIT for Servers scales up and out to support as many systems as necessary.

Q. Can I integrate my software with ObserveIT?
A. Yes, there is a published set of APIs and an SDK that developers and administrators can use to integrate functionality with 3rd party applications.

Q. Can I integrate ObserveIT with other application servers?
A. Each of the server components can coexist with other applications using the same physical hardware platform. ObserveIT has specific configuration settings to allow integration with Active Directory, CA e-Trust, Microsoft MOM, SCOM and other application software.

Q. Where are the ObserveIT videos stored?
A. Unlike other screen recording software, ObserveIT does not store the recordings in individual files. All the data captured by ObserveIT is stored within a Microsoft SQL Server database, on the Database Server. Because this information is stored along with the metadata describing what is seen on the screen, you can perform very powerful searches across your entire enterprise.
Note: Starting from 5.3.0 release, videos can also be stored on a file system.

Q. How can ObserveIT scale out?
A. The Application Server is stateless and multiple Application Servers can be deployed using a load balancing network device. The Database Server is based on MS SQL Server technology which supports a distributed database architecture across multiple hardware platforms. For more information, please refer to the Implementing ObserveIT in the Enterprise white paper.

Q. Is my recorded data secure?
A. The data is digitally signed and encrypted when it is stored in the database. Access to the data is limited by permissions defined within the Web Console, and any access to this data is audited by ObserveIT.

Q. Is the ObserveIT for Servers communication secure?
A. Secure communication between the ObserveIT Agent and the ObserveIT Application Server implements OASIS standards for WS-SecureConversation, which allows security contexts to be created and key material to be exchanged more efficiently. Binary data is serialized, stamped with a token key and digitally signed. In order to prevent session hijacking, ObserveIT uses a 2-minute transaction Time-To-Live parameter.
In addition to the built-in security mechanism, you can further secure the Agent to Server communication by configuring IIS on the Application server to require SSL, and the Agent to use HTTPS instead of HTTP. When using SSL, packet payloads are encrypted and protected from packet analyzers and other sniffing tools. By using SSL you protect the communication by means of an industry-strength security protocol that is widely accepted and can easily traverse firewalls and other security devices.


Q. How do the ObserveIT for Servers components communicate across the network?
A. ObserveIT's Agents communicate with the ObserveIT Application Server by using the HTTP protocol. When installing a new Application Server, by default, ObserveIT's server installation will offer to create an additional web site in IIS that will be configured to listen to TCP port 4884. However, it is also possible to use the regular HTTP protocol specifications and use TCP port 80 instead. If SSL is implemented in the deployment scenario, the data is sent over HTTPS (SSL) to the ObserveIT Application Server. This is done over TCP port 443.
The Application Server communicates with the Database Server on the default SQL Server port at TCP 1433.

Q. How do I secure the communication between the ObserveIT Agent and the Application server?
A. All you need to do is to enable the security option in the ObserveIT web console. This enables secure communication between the Agent and the application server. The security mechanism for the communication includes:
  • Encryption (Rijndael)
  • Digital signing
  • Token exchange
You can further secure the communication by configuring IIS on the Application server to require SSL, and the Agent to use HTTPS instead of HTTP.

Q. How does the ObserveIT Agent work?
A. The ObserveIT Agent is a user-mode executable that binds to every user session. As soon as a user creates a session on a monitored server, the Agent is started and begins recording – based upon a pre-determined recording policy. The ObserveIT Agent is triggered by user activities such as keyboard and mouse events. Idle time – when a user is reading, or inactive – is not recorded. When triggered, the Agent performs a screen capture. At the same moment it captures textual metadata of what is seen on the screen (window title, executable name, date, time, user name, etc.).
The captured data is packaged and delivered in real-time. No caching is performed on the recorded server, and no files are stored on the server's file system.
The Agent is protected from accidental or deliberate stopping by a watchdog process.

Q. How do I know that the ObserveIT Agent is working properly?
A. There is a health check process that polls the Agents, Application Server(s) and Database Server to verify communication and functionality.

Q. Can ObserveIT use Windows Authentication to communicate with the SQL server?
A. Yes, ObserveIT can use both mixed and Windows authentication when connecting to the SQL server. However, in order to work with Windows authentication, there are some additional steps that must be performed. Please consult with the product documentation for more information.

Q. What is the difference between the Administrator and View-Only Administrator options?
A. Administrators are Console Users that can log on to the Web Management console and view recordings, and also make changes to the ObserveIT configuration. View-Only Administrators are Console Users that can log on to the Web Management console and view recordings, but cannot make any changes to the ObserveIT configuration or permissions.

Captured Data

Q. What type of sessions does ObserveIT capture and record?
A. Any user interaction with the server console can be captured and monitored, whether it is via Terminal Services Client, Citrix, Remote Desktop, PcAnywhere, VNC, DameWare, Radmin or NetOP.

Q. What type of Metadata is captured with ObserveIT?
A. In addition to capturing the screen image for each user action, ObserveIT extracts information about the state of the operating system and the application being used, which allows ObserveIT to precisely identify what the user is doing in any given moment. This metadata is analyzed and encoded in a standardized format that is stored in the Database Server. Because this information is stored along with the metadata describing what is seen on the screen, you can perform very powerful searches across your entire enterprise.

Q. What is unique about the ObserveIT capturing mechanism?
A. ObserveIT's patented technology has the ability to identify each type of user interaction (dialog boxes, configuration tabs, confirmation prompts) including the result of that action, and index it as metadata for search and retrieval. In addition to the screen information, the captured metadata provides the context for each user action performed on the server. Unlike some other monitoring software, the Agent only captures during user activity and the data is compressed to conserve bandwidth and storage.

Q. What types of user activities does ObserveIT record?
A. ObserveIT captures and records all activities which require user input from either the keyboard or mouse.

Q. What types of user activities does ObserveIT not record?
A. ObserveIT does not record idle time, when there is no user input.

Q. Is ObserveIT able to audit the use of a file share?
A. You can audit and search for any action performed by any user that is logged on to a user session on the monitored server. This means that if a user accesses the server via RDP/Citrix/VNC and so on, and the server is monitored, you'll be able to record all the user's actions. However, if the user accesses the server via UNC over the network, you will not be able to record this access unless you also monitor the user's workstation.

Q. Is ObserveIT able to audit the use of remote management tools such as Microsoft Management Console (MMC), Remote Command Prompt, Remote Registry or Telnet connections?
A. You can audit and search for any action performed by any user that is logged on to a user session on the monitored server. However, if the management is done remotely by using tools that do not create a user session, then these actions will not be captured on the monitored server. In order to audit remote management operations like these you'll need to install an ObserveIT Agent on the management workstation and configure it to only capture management tools such as MMC, Command Prompt, Telnet, Registry Editor and so on.

Q. Does ObserveIT record actions in Active Directory Users and Computers such as creating/modifying users, creating/modifying groups, etc.?
A. The answer is "it depends on how you did it". For example, if the administrator used RDP to connect to the DC and open ADUC and perform the actions, then yes, he or she would be recorded (given that there's an Agent installed on the DC). However, if they used the local ADUC MMC snap-in on their workstation, then no, they would not be recorded as no user session was created on the monitored DC. To solve this scenario, one would look into installing the Agent on each management workstation, and configuring the Server Policy to only record administrator-based applications such as MMC, Regedit, Notepad, CMD, PowerShell and so on.

Q. Can I control what ObserveIT records?
A. Yes. The Agent recording settings are configured through policies, either at the server level, or on a group of servers. From within the ObserveIT Web Management console it is possible to define what the Agent is to capture. By using inclusion or exclusion, you can control many aspects of the recording policy: the users, applications, specific files, URLs and specific keystroke events.

Q. Where is the ObserveIT data stored?
A. Unlike other screen recording software, ObserveIT does not store the recordings in individual files. All the data captured by ObserveIT is stored within a Microsoft SQL Server database, on the Database Server. Because this information is stored along with the metadata describing what is seen on the screen, you can perform very powerful searches across your entire enterprise.
Note: Starting from 5.3.0 release, videos can also be stored on a file system.

Q. What additional information does ObserveIT capture?
A. In addition to the screen and underlying metadata, the date, time, IP address, and user are stored in the database.

Q. How can I monitor activities performed by client/server applications?
A. Please refer to the ObserveIT for Workstations product information sheets.

Q. How many screens per second does ObserveIT record?
A. ObserveIT does not have a "screen per second" value. The actual capturing is triggered by user activity. If a user clicks fast and types fast, many screenshots will be recorded. If the user types or clicks once every 10 minutes, then there will be just one screenshot every 10 minutes.

Q. Are words typed by the user captured and indexed? Are passwords typed by the user recorded and viewable by ObserveIT?
A. ObserveIT is not a keylogger application. This means it does not record the actual keystrokes made by the user; instead, the keystrokes trigger the screen capture, which records what is seen on the screen. For example, if a user opens a Word document, the opening of the document is recorded, as is the user's scrolling through the document. But when the user types a word into the document, ObserveIT does not record or index the typed word; it captures the screen activity (because the user's typing was a keyboard event that triggered the capture). Similarly, in places where a user needs to type in a password, the typed password is not logged by the system, but the screen capture will show the dots or stars that the user sees when looking at the screen.

Deployment, Sizing and Performance

Q. How can I deploy ObserveIT?
A. The easiest method to deploy ObserveIT is by using the One-click Installation. During the setup process you need to simply pick the destination SQL Server name, and click install. The setup process takes less than five minutes to complete.

Q. Can I deploy the ObserveIT Agent by using my existing software distribution mechanism?
A. Yes, the Agent has a silent installation capability that will work well with most distribution applications including Microsoft SMS/SCCM.

Q. How do I upgrade ObserveIT from a previous version?
A. Upgrades are installed over previous versions retaining all settings and configuration.

Q. What is the captured data size for an average user session?
A. The amount of captured data can be made smaller when filtering the recorded applications (i.e. only recording specific applications). As a rule of thumb, when looking at knowledge-worker type of user sessions that last 8 hours in a day, a typical session can use between 25 MB and 30 MB of data per session.

Q. I have one Terminal Server with 50 concurrent user sessions. What is your estimate for the database sizing?
A. We recommend reading the ObserveIT Deployment Guide that is available in the documentation section. But generally, the answer depends on the type of work that these users are performing. Information workers typically perform fewer actions than knowledge workers, and even so, from our experience we found that most users usually make just a few clicks or keyboard operations per minute, unless they're performing very intensive typing tasks. This means that because idle time is trimmed, a typical user session can be composed of just a few hundred, or maybe a couple of thousand, actions per session.
This number can be made smaller when filtering the recorded applications (i.e. only recording specific applications).
We recommend first sizing one typical user session, then multiplying that number by the number of concurrent sessions and by the number of monitored Terminal or Citrix servers.

Q. What is your estimate for the storage size required for monitoring an organization with 1000 servers and 250 users?
A. From our experience, an existing ObserveIT client with similar resources (including systems administrators, developers and consultants) is averaging 100 GB per year with a moderate level of activity. This is achieved mostly because ObserveIT captures only user interactions with the monitored servers, trimming idle time and times when no user is logged on. This information is then further compressed to save storage space.

Q. How many monitored servers are supported per Application Server?
A. There is no pre-configured limit to this number, but we do have a current installation of 1000 monitored servers that are all being monitored by 1 Application Server and 1 Database server.

Q. How much bandwidth does ObserveIT use?
A. The maximum network utilization by Agent-to-Application server communication per session is between 15 and 30 Kb. This communication only occurs when a user is actively interacting with the server. There is also a minimal communication for health checks during idle time.

Q. Can I configure the ObserveIT Agents to transmit their data across a WAN link?
A. Yes. Since the agents use HTTP to transmit the data, configuring Firewalls to allow for that traffic is easy. In addition, the agents do not place a large overhead on the WAN traffic because of the small amount of data that is being sent.

Q. Can I configure the ObserveIT Agent to transmit traffic on a port other than the default port?
A. Yes. You can change the Default Website port in IIS to use any unoccupied port. If you do so, you will need to use the following URL format when installing the agent: http://observeserver:newport/observeitapplicationserver.

Q. Can the traffic between the ObserveIT Agent and the Application server use HTTPS?
A. Yes. In order to do that you need to obtain a digital certificate from a trusted Certification Authority (either internal or a 3rd-party commercial CA) and configure IIS on the Application server to use it. Next you need to configure the Default Website port in IIS to require SSL. The agents themselves need to be configured to use HTTPS instead of HTTP.

Q. Does the ObserveIT Agent store any type of information on the monitored server?
A. While all data is communicated to the Application Server and subsequently stored on the Database Server, the Agent does have the ability to store a cache of captured information on the local hard drive in case there is a communication failure with the application server (caused by network latency or disconnection of links and so on). The amount of data stored in the local cache is configurable via the server configuration policy, and can be disabled altogether.

Q. How much disk space is required by the ObserveIT Agent installation?
A. The ObserveIT Agent installation utilizes approximately 10 MB of disk space.

Q. How much CPU is used by the ObserveIT Agent?
A. The ObserveIT Agent utilizes approximately 1% to 5% CPU usage, but only while the user is actively interacting with the system. During idle time, which usually comprises approximately 95% of the session time, there is no CPU usage impact on the monitored server.

Q. How much memory is used by the ObserveIT Agent?
A. The ObserveIT Agent utilizes approximately 10 MB of memory.

Q. Can a user disable the ObserveIT Agent and prevent it from recording?
A. The ObserveIT Agent is protected by a watchdog mechanism that restarts the Agent in case the process is ended, and sends an alert to the Application Server. The health check system continually monitors all components and verifies that they are communicating properly. In case a user stops the watchdog process, it is restarted by the ObserveIT Agent. If a malicious user manages to stop both at the same time, the ObserveIT health check system will alert the administrator that an Agent is no longer recording, which might give a clear indication that someone has deliberately stopped the agent.

Q. How can I be sure that the ObserveIT Agent is recording?
A. The ObserveIT health check system monitors each agent, as well as the Application and Database Servers to verify that all components are functioning and communicating properly. In case of a malfunction with the agent, the administrator can be alerted.

Q. Does ObserveIT provide a mechanism for alerting in case the Agent has stopped communicating with the Application server?
A. Yes, in case this happens during an active session, for example if someone has managed to stop the agent, or if the server went offline. You will need to configure SMTP, add an e-mail address to the Web Console administrator and enable the "Alert" option. In addition, custom scripts can be created by experienced administrators to remotely poll a server's running processes and alert them in case the ObserveIT Agent has stopped.
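
A sketch of the kind of custom polling script mentioned above, covering the case from the previous answers where both the Agent and its watchdog are stopped during an active session. This is an added example, not ObserveIT code: the process names, host names and mail settings are placeholders, and treating a session that runs explorer.exe as an interactive user session is an assumption.

```powershell
# Added example, not part of the ObserveIT product or documentation.
param([switch]$Live)   # pass -Live to poll real servers; default is the offline sample

# Placeholders: replace with the values from your own deployment.
$AgentProcess    = 'AGENT_PROCESS_NAME.exe'      # placeholder, not from the page
$WatchdogProcess = 'WATCHDOG_PROCESS_NAME.exe'   # placeholder, not from the page
$Servers         = @('ts01.example.internal', 'ts02.example.internal')  # constructed

function Get-RecordingState {
    # Classify one host from a list of objects that carry Name and SessionId.
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]]$Processes,
        [Parameter(Mandatory)] [string]$Agent,
        [Parameter(Mandatory)] [string]$Watchdog
    )
    # Assumption: a session that runs explorer.exe is an interactive user session.
    $userSessions = @($Processes | Where-Object { $_.Name -eq 'explorer.exe' } |
                      Select-Object -ExpandProperty SessionId -Unique)
    $agentUp    = [bool]($Processes | Where-Object { $_.Name -eq $Agent })
    $watchdogUp = [bool]($Processes | Where-Object { $_.Name -eq $Watchdog })

    if ($userSessions.Count -eq 0)           { return 'Idle' }         # nobody logged on
    if ($agentUp -and $watchdogUp)           { return 'Recording' }
    if (-not $agentUp -and -not $watchdogUp) { return 'BothStopped' }  # possible tampering
    if (-not $agentUp)                       { return 'AgentStopped' }
    return 'WatchdogStopped'
}

function Test-MonitoredServer {
    # Pull the process list from each server over CIM (needs WinRM access).
    param([Parameter(Mandatory)] [string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        try {
            $procs = @(Get-CimInstance -ClassName Win32_Process -ComputerName $server `
                           -Property Name, SessionId -ErrorAction Stop)
            $state = Get-RecordingState -Processes $procs `
                         -Agent $AgentProcess -Watchdog $WatchdogProcess
        } catch {
            $state = 'Unreachable'   # offline host or blocked WinRM also deserves an alert
        }
        [pscustomobject]@{
            Server     = $server
            State      = $state
            CheckedUtc = (Get-Date).ToUniversalTime()
        }
    }
}

if (-not $Live) {
    # Constructed snapshot: a user is logged on in session 2, but neither the
    # agent nor the watchdog process is present.
    $sample = @(
        [pscustomobject]@{ Name = 'csrss.exe';    SessionId = 0 },
        [pscustomobject]@{ Name = 'explorer.exe'; SessionId = 2 },
        [pscustomobject]@{ Name = 'cmd.exe';      SessionId = 2 }
    )
    Get-RecordingState -Processes $sample -Agent $AgentProcess -Watchdog $WatchdogProcess
    return
}

# Live run: report every host that has a user session without full recording.
$alerts = Test-MonitoredServer -ComputerName $Servers |
          Where-Object { $_.State -notin 'Recording', 'Idle' }
if ($alerts) {
    $body = $alerts | Format-Table -AutoSize | Out-String
    Send-MailMessage -To 'secops@example.internal' -From 'agent-watch@example.internal' `
        -SmtpServer 'smtp.example.internal' -Subject 'Recording agent not running' -Body $body
}
```

Run it from a scheduled task on a host other than the monitored servers, so that a user who stops the Agent cannot also stop the check.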

Q. Does ObserveIT provide any sort of error reporting mechanism? How do I troubleshoot issues?
A. A centralized error log is accessible through the ObserveIT Web Console. The information within it can be exported and sent to ObserveIT's Technical Support for troubleshooting assistance.

Q. How much administrative effort and overhead is required in order to maintain ObserveIT?
A. ObserveIT is designed for minimal maintenance and management, but should be included in disaster recovery and business continuity operations.

Q. Does ObserveIT provide an archiving system?
A. Because ObserveIT is based on MS SQL Server architecture, standard database practices are available for archiving and maintaining data.

Q. Is it possible to install ObserveIT without giving the installer a privileged account on the SQL server? Could the databases be created manually, and populated by the installer?
A. The installer runs a script that creates the databases, so you will need at least "Database Creators" privileges. This user is only needed during the installation process; it is not used afterwards in any way. Additionally, you can run the SQL setup separately by running the SQL packager setup located in the DB directory in the setup folder. Another way is to copy the databases (detach and attach) from your dev/qa servers to the production database server.

Q. Is it possible to have redundancy for the Application server?
A. Yes. Because the ObserveIT Application Server is a stateless web application, you can use hardware or software network load balancing, or create additional DNS records (Round Robin) that point to alternate Application servers.

Q. How can I back up the ObserveIT configuration and data?
A. All the data captured by ObserveIT, along with the configuration data, is stored within a Microsoft SQL database. By utilizing your existing backup solutions you can easily back up your SQL server, and thus protect your ObserveIT data and configuration.

Q. How do I install ObserveIT server-side components on a Windows Server 2008 system?
A. Windows Server 2008 has introduced several significant changes in Internet Information Services (IIS). These changes require some manual modification of the IIS settings. In order to install ObserveIT server-side components on a Windows Server 2008-based computer you must follow the instructions found in the following document: Installing ObserveIT on windows server 2008 system

Q. How do I install ObserveIT Agent on a Windows Server 2008 system?
A. The installation of the ObserveIT Agent on a Windows Server 2008-based computer is identical to installing it on Windows Server 2008. However, if the ObserveIT server-side components were also installed on a Windows Server 2008-based computer, the installation of the Agent might fail. This is because Windows Server 2008 has introduced several significant changes in Internet Information Services (IIS). These changes require some manual modification of the IIS settings. Therefore, in order to install ObserveIT Agent on a Windows Server 2008-based computer you must follow the instructions found in the following document: Installing ObserveIT on windows server 2008 system

Configuration

Q. How do I administer and configure ObserveIT?
A. ObserveIT has an easy-to-use Web Management Console that provides a familiar and intuitive interface to all ObserveIT configuration and administration tasks.

Q. How do I deploy configuration changes to ObserveIT Agents?
A. The Agents periodically poll the Application Server for configuration changes made through the Web Console.

Q. Can I control access to ObserveIT Management Web Console and video replaying?
A. ObserveIT has role-based administration that limits and controls access to functionality and content in the Web Console. For example, a DBA can be granted access to only view videos of sessions on a SQL Server while being restricted from access to those from Exchange or Active Directory servers.

Q. Can ObserveIT provide an audit trail of all access to and replaying of videos?
A. Yes, each time a video is accessed a log is created with the user, IP, capture session and frames viewed. This allows the auditing of the administrators that have accessed the Web Console and who have replayed videos, and prevents the need to design an external audit mechanism that will audit the auditor.