Record and Audit Terminal, Citrix and RDP Session – ObserveIT Product Overview
In this article I would like to use the opportunity to tell you a bit about ObserveIT – A company which I have recently began working for (read more about my new job at my “My new job – VP Technologies for ObserveIT – Enterprise Scale Window Server Session Recording” article).
ObserveIT is a software solution that is designed from the ground up to be deployed in multi-server enterprise environments and provides visibility into all user activity such as Microsoft Terminal Services, Citrix (ICA) – including published applications, Remote Desktop (RDP), PC-Anywhere, VNC and NetOP.
This way, whether you need to record remote vendor support activities performed through Terminal or Citrix Sessions, or if you suspect that one of your users or administrators made a change on one of the applications that are installed on one of your servers (and I’m talking about ANY application), you can easily perform a search or generate a report of all user activities performed within all remote terminal sessions or console access to your server during the previous X hours/days, and easily see in a step by step window session replay what where the actions that were performed on the server.
What is unique about ObserveIT?
ObserveIT is the only software based solution that:
- Record all remote access software, including: Citrix, Terminal Services, NetOp, VNC etc
- Advanced searching & Reporting – Search for any activity within recorded terminal, Citrix and console sessions
- Audit Session Replays – Audit Any session playback, including the actual frames viewed
- Metadata –Textual Metadata displays exactly what occurred within a recorded terminal, Citrix and console session without the need to replay the actual session
It’s worth noting that other software act like a “surveillance camera” producing a “Dummy” recording that requires replaying of sessions from start till end. With ObserveIT that is not the case, as you’ll soon see.
Metadata is indexed
Unlike protocol based (RDP, ICA) recording solutions that produce a “Dummy” recording that requires replaying of sessions from start till end, ObserveIT records at the system level. ObserveIT indexes all the captured information along with detailed metadata about the activity that is going on inside the session. This detailed information allows easy textual searches through the database, and makes the process of looking through the recorded sessions much easier.
You do not need to fast forward an 8 hour long video just to see that someone clicked on a wrong check-box and applied the settings, thus causing your server to perform poorly. All you need to do is to look at the textual metadata of a recorded window session, see what applications or even property pages have been accessed on the server during that period of time, and simply click on the appropriate event entry. Clicking on the action will bring you to the exact point in time of the captured video, allowing you to see exactly what that user did, and what he did right before and after that point.
Just imagine the possibilities: One of your Exchange servers begins to act strangely. Out of the many reasons for this performance issue, one of the reasons could be human action/error. You open the management tool, do a search of who touched the server either locally or via Terminal’RDP. You see it was Chris, one of your junior messaging administrators. Now, instead of having to watch a long video of his session, you see a full text description of what he did, you notice that he enabled XYZ on the server. You click on the video icon, and are taken to that point in time. You notice Chris logged off, leaving the XYZ setting running, either on purpose or by mistake, so within 2 minutes you found the reason for the performance issue, saving you a lot of time and money.
Free text search
You can use keyword phrases to search for any metadata collected during recording of terminal or local sessions. For example you can search for a file named “web.config” to find out whether is was accessed previously, who accessed it and whether it was modified.
Enterprise-wide context searches
Even more so, you can easily search for all the similar actions that the user performed across your entire enterprise, because you may rightfully assume that if he did it once, he might have done it again elsewhere. This feature allows you to be sure he did not do it, and if he did, you can easily find out about it BEFORE your servers go down due to this misconfiguration. All you need to do is to go to the same application you were on, press F12 on your keyboard, and you receive an enterprise-wide search of all the users/administrators or vendors that accessed through terminal/RDP or console the same application and were on the same screen as you. This can be drilled down to the property tab level, eliminating many irrelevant results from being shown in the search result.
Going back to my previous example, after finding out that Chris made a wrong configuration on one of the Exchange servers, you now want to see perhaps he did the same, either on purpose or by mistake, to any other server in your enterprise. So you do a search, and bingo, you notice that Chris did exactly the same thing on 12 different servers during the last month. You call Chris for a long talk. You save money on expensive troubleshooting with just one click of the mouse.
ObserveIT dramatically reduces mean time to repair and increases server uptime. No more endless log file browsing. No more finger-pointing among IT, applications groups and 3rd party providers.
Sticky Notes Annotations
Another cool feature of the software is that it allows you to post a “sticky note” that will pop out and warn the user/admin BEFORE they click on that wrong checkbox. While it will not prevent them from actually doing it (you should use permissions to prevent users from messing with your systems), it will notify them before they press on that button or click on that checkbox, and thus help you to further prevent human errors.
All you have to do is to go to the same application on which you need to sticky note to appear, then press F11 on your keyboard. This will allow you to enter the note’s text. Anytime after, whenever someone accesses the same application or property sheet, they will be displayed with the pop-up note.
Policy-Based, Event-Driven Recording
ObserveIT allows you to create recording policies per servers or per server groups. Such policies define the recording resolution and rate, and also configure whether to capture all the actions and all the applications on a server or server group, just a subset of applications, or all applications except a subset of other applications. In this manner, you can configure one server with the right recording policy – for example – record only MMC-based snap-ins and nothing else, or record anything that a user does which is not related to the CRM application they’re running as part of their daily job. You can then apply this setting to other servers or even to groups of servers. This policy can also be configured to only record one user, a group of users, or all the users accessing the server.
Integrating with Monitoring Tools
By Integrating ObserveIT with management tools such as Microsoft MOM, ObserveIT makes it easy for you to replay recorded activity at time of failure, directly from within your existing network and security management environment. Any system alert provided by monitoring tools are automatically enriched with video session replay showing any user actions that took place on the server in question, or at the time in question, or even those that used a particular resource in question.
ObserveIT provides ongoing risk management and regulatory compliance with full documentation of all user sessions. By eliminating any doubt of what is happening in your server environments, and by tying each activity to a specific user, your compliance records gain a new level of reliability. This compliance strength is provided automatically, according to any policy rules desired.
With ObserveIT’s total application coverage and policy-based recording, Compliance Enforcement enjoys total visibility and control of remote access. No matter who the users are – vendors, consultants, offshore and internal development teams – you are assured of effective controls and a thorough audit trail. ObserveIT provides a unified view of all server access, meeting internal and external compliance requirements for HIPPA, Gramm-Leach Bliley, Sarbanes-Oxley, US Patriot Act, SEC rules 17a-3 & 17a-4 and NASD rules 3010/3013.
Database size and CPU overhead
One of the most frequent questions we’re getting is “How much resource does the agent consume and how large will the database be?”. The answer to this might surprise you:
By looking at existing deployments in some of our larger clients, CPU overhead is anywhere between 1% and 5% per recorded session (CPU is only consumed when there’s user interaction, and not during idle time which is approximately 95% of the time the server is running) . This overhead can be further mitigated by configuring the recording compression to happen on the application server and not on the server where the agent is installed.
As for the database size, it depends on the length of history and resolution you’re using. One of our clients is capturing 1000 servers and a year’s long history has resulted in a smaller than 50GB database size!.
ObserveIT’s architecture is made of 4 components as can be seen from the following screenshot:
- On each monitored server
- Standalone win32 exe
- Auto-initiated for each active window session
The Application Server
- Web service
- Receives data from agents
- Collects data, processes and passes to database
- MS SQL Server
- Stores recordings & metadata
The Web Console
- Web interface
- Session searching & replay
- System administration
All components can be installed on one machine, or separately, depending on the size and planning of the organization.
ObserveIT’s capabilities allow large organizations to have better control over what their users, administrators, vendors, consultants, offshore and internal development teams do when logged-in to the companies servers through Terminal (RDP), Citrix (ICA including published applications) and local window sessions. This helps to dramatically reduce troubleshooting costs, and the video replay eliminates any possible doubt regarding specific action.
So, if any of you guys are interested in learning more, or even of getting a demo set up for you wherever you guys work, contact me and I’ll set you up. Trust me, once you see it in work, you will want it!
Online demo: http://www.observeit-sys.com/ObserveIT06.htm
Established in 2006, ObserveIT Inc. focuses of developing ingeniously easy-to-operate tools that simplify the business of troubleshooting and monitoring server and workstation activity across the enterprise. Founded by System Administrators with years of IT Management experience and the frustration of user-initiated server downtime, we believe in simplicity of solutions and visibility of user activity. Our focus on simplicity and visibility represents itself not only in our product development. We also in commit to these goals in our entire business operations: Affordable pricing with simple licensing terms, fast, friendly customer support, and dedication to continually fulfilling the core requirements of our user community.
For more information: [email protected]