Monitoring Legacy ITM On-Prem (ObserveIT) Log Files

ITM On-Prem (ObserveIT) can write textual log files that record activity on the monitored endpoints as it happens. These files, stored on the server's local disk, contain metadata such as the date and time of user sessions, endpoint name, user name, application window titles, Unix commands and executable names, and they include image URLs for each recorded user session.

ITM On-Prem (ObserveIT) no longer updates the textual log files as of version 7.7. See ITM On-Prem (ObserveIT) Data Integration for information about how to build integrations instead.

ITM On-Prem (ObserveIT) creates separate log files for all the monitored data types. Each type of log data is stored in its own folder, as follows:

  1. Windows and Unix Activity: All monitored Windows-based and Unix-based server activities are stored in the cmyyyymmdd.log file under Directory 3.

  2. Activity Alerts: Monitored activity alerts in the system are stored in the Alyyyymmdd.log file under the Alerts directory (C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Alerts).

  3. System Events: Monitored events in the system are stored in the Evyyyymmdd.log file under the Events directory.

  4. In-App Elements: Monitored In-App element metadata is stored in the Inappyyyymmdd.log file under the Inapp directory.

  5. Windows Activity: Monitored Windows-based server activities are stored in the exyyyymmdd.log file under Directory 1.

  6. Unix Activity: Monitored Unix-based server activities are stored in the unyyyymmdd.log file under Directory 1.

  7. User Logins: Monitored user logins to all the servers are stored in the exyyyymmdd.log file under Directory 2.

  8. The following log files are stored in the Audit directory (C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles\Audit):

    • Sessionsyyyymmdd.log: session audit records.

    • Loginsyyyymmdd.log: login audit records.

    • Confyyyymmdd.log: configuration-change audit records.
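The naming scheme above makes a simple health check possible: every enabled data type should produce a file for the current day in its own folder, and a type that has stopped producing files is a gap in your recording. The following Python script is an added example, not part of the original page or of the ObserveIT product. It parses a directory listing of the LogFiles folder against the <prefix><yyyymmdd>.log convention, reports the newest file per (folder, prefix) pair, and flags types that have fallen behind. The listing is constructed inline so the script runs offline; only the Alerts, Events, Inapp and Audit folder names are taken from the page, and results are keyed by folder as well as prefix because the page lists the "ex" prefix for both Windows Activity (Directory 1) and User Logins (Directory 2).

```python
import re
from datetime import date, datetime

# Prefixes listed on this page, lower-cased, mapped to the data type they carry.
# "ex" appears twice on the page (Windows Activity under Directory 1 and
# User Logins under Directory 2), so results are keyed by folder as well.
PREFIXES = {
    "cm": "Windows and Unix Activity",
    "al": "Activity Alerts",
    "ev": "System Events",
    "inapp": "In-App Elements",
    "ex": "Windows Activity or User Logins (depends on folder)",
    "un": "Unix Activity",
    "sessions": "Audit Sessions",
    "logins": "Audit Logins",
    "conf": "Audit Configuration Changes",
}

_NAME_RE = re.compile(r"^([A-Za-z]+)(\d{8})\.log$")

# Constructed sample listing (relative to the LogFiles folder); not real data.
SAMPLE_LISTING = [
    r"Alerts\Al20240130.log",
    r"Alerts\Al20240131.log",
    r"Alerts\Al20240231.log",     # impossible date: ignored rather than guessed
    r"Events\Ev20240131.log",
    r"Inapp\Inapp20240131.log",
    r"Audit\Sessions20240131.log",
    r"Audit\Logins20240129.log",  # two days behind: this is what we want to catch
    r"Audit\Conf20240131.log",
    r"Audit\Thumbs.db",           # not a log file: ignored
]


def parse_log_name(name):
    """Return (prefix, date) for '<prefix><yyyymmdd>.log', else None.

    Unknown prefixes and invalid dates are rejected rather than guessed."""
    m = _NAME_RE.match(name)
    if not m:
        return None
    prefix = m.group(1).lower()
    if prefix not in PREFIXES:
        return None
    try:
        return prefix, datetime.strptime(m.group(2), "%Y%m%d").date()
    except ValueError:
        return None


def freshness_report(listing, today):
    """Map (folder, prefix) -> (newest date, days behind `today`)."""
    newest = {}
    for path in listing:
        parts = re.split(r"[\\/]", path)          # accept either separator
        parsed = parse_log_name(parts[-1])
        if parsed is None:
            continue
        prefix, d = parsed
        key = ("/".join(parts[:-1]), prefix)
        if key not in newest or d > newest[key]:
            newest[key] = d
    return {k: (d, (today - d).days) for k, d in newest.items()}


def stale_types(listing, today, max_days_behind=0):
    """(folder, prefix) pairs whose newest file is older than allowed.

    With the default of 0, a type is stale as soon as today's file is missing."""
    report = freshness_report(listing, today)
    return sorted(k for k, (_, behind) in report.items() if behind > max_days_behind)


if __name__ == "__main__":
    today = date(2024, 1, 31)                     # fixed so the sample is reproducible
    for (folder, prefix), (newest, behind) in sorted(freshness_report(SAMPLE_LISTING, today).items()):
        print(f"{folder}/{prefix:<8} {PREFIXES[prefix]:<45} newest {newest} ({behind} day(s) behind)")
    for folder, prefix in stale_types(SAMPLE_LISTING, today):
        print(f"STALE: {folder}/{prefix} ({PREFIXES[prefix]})")
```

On a live server, replace SAMPLE_LISTING with the relative paths gathered by os.walk over the LogFiles folder and pass date.today(); a non-empty stale list means the Notification Service has stopped writing a type you expect, which is worth alerting on.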

By default, the log files are saved to: C:\Program Files (x86)\ObserveIT\NotificationService\LogFiles. The user account used by the ITM On-Prem (ObserveIT) Notification Service must have read and write permissions for that location. Because the files record window titles, Unix commands and session image URLs, restrict read access to that service account and to whatever collector forwards the files, and do not grant write access to interactive users.

When you change the log folder location, new log data is written to the new path; existing files remain in the old location, so any retention or collection job must cover both.

Activating the Monitoring of ITM On-Prem (ObserveIT) Log Files

To activate ITM On-Prem (ObserveIT) logging

  1. Navigate to Configuration > Integrated SIEM, and click the ObserveIT Logs tab.

  2. Select the Enable ObserveIT logging check box.

    By default, the monitoring of logs is disabled. You cannot enable both ITM On-Prem (ObserveIT) logging and SIEM logging simultaneously, since this might cause serious performance issues.

  3. In the Log data section, select the types of data you want to monitor:

    • Windows and Unix Activity

    • Activity Alerts

    • System Events

    • In-App Elements

    • Windows Activity

    • Unix Activity

    • User Logins

    • Audit

    • Audit Sessions

    • Audit Logins

    • Audit Configuration Changes

  4. In the Folder location field, accept the default location or specify a new path for the log files.

  5. Click Save to save the settings.

    The log files are generated within a few minutes. A new set of log files is created each day.

Note the following:

  • Currently, there is no automatic mechanism for deleting older log files; delete them periodically when they are no longer needed, either by hand or with a scheduled script.

  • ObserveIT itself does not depend on the log files, so you can delete older files without losing any recorded information.
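Because nothing on the server prunes these files, a retention job is needed. The following Python script is an added example, not ObserveIT's own tooling, of one written conservatively: it decides age from the date encoded in the file name rather than the file's modification time, which copying or a user with write access can alter; it never touches a file that does not match the <prefix><yyyymmdd>.log scheme; and it defaults to a dry run. The folder layout it builds in a temporary directory is constructed for the demonstration and uses only folder names from the page; the root path and retention period are the parameters you would set when scheduling it (for example as a daily Windows scheduled task).

```python
import re
import tempfile
from datetime import date, datetime, timedelta
from pathlib import Path

# Only names of the form <letters><yyyymmdd>.log are ever candidates for deletion.
_DATED_LOG = re.compile(r"^[A-Za-z]+(\d{8})\.log$")


def log_date(name):
    """Date encoded in a '<prefix><yyyymmdd>.log' name, or None for anything else."""
    m = _DATED_LOG.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d").date()
    except ValueError:            # e.g. Al20240231.log: refuse to guess
        return None


def select_expired(names, today, retain_days):
    """Names whose encoded date is older than the retention window."""
    cutoff = today - timedelta(days=retain_days)
    expired = []
    for name in names:
        d = log_date(name)
        if d is not None and d < cutoff:
            expired.append(name)
    return sorted(expired)


def purge_log_folder(root, today, retain_days, dry_run=True):
    """Delete expired dated log files under root (recursively).

    Returns the root-relative paths that were deleted, or that would be in a
    dry run. Files that do not match the naming scheme are left alone."""
    root = Path(root)
    affected = []
    for path in root.rglob("*.log"):
        if not path.is_file():
            continue
        if select_expired([path.name], today, retain_days):
            if not dry_run:
                path.unlink()
            affected.append(path.relative_to(root).as_posix())
    return sorted(affected)


def build_sample_folder(root):
    """Populate root with a constructed layout using folder names from the page."""
    sample = [
        "Alerts/Al20231231.log", "Alerts/Al20240129.log", "Alerts/Al20240131.log",
        "Events/Ev20231215.log", "Events/Ev20240131.log",
        "Audit/Conf20240102.log", "Audit/Conf20240131.log",
        "Audit/notes.txt",        # not a dated log: must survive
        "Alerts/Al20240231.log",  # malformed date: must survive
    ]
    for rel in sample:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample line\n")
    return sample


def demo(retain_days=30, today=date(2024, 1, 31)):
    """Run a dry run, then a real purge, in a throwaway folder."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_folder(tmp)
        planned = purge_log_folder(tmp, today, retain_days, dry_run=True)
        deleted = purge_log_folder(tmp, today, retain_days, dry_run=False)
        remaining = sorted(p.relative_to(tmp).as_posix()
                           for p in Path(tmp).rglob("*") if p.is_file())
    return planned, deleted, remaining


if __name__ == "__main__":
    planned, deleted, remaining = demo()
    print("would delete:", planned)
    print("deleted:     ", deleted)
    print("remaining:   ", remaining)
```

The page states that ObserveIT itself does not depend on these files, so deleting them loses nothing on the product side; if you forward them to a SIEM, though, keep the retention window longer than the forwarder's maximum lag so a file is never removed before it has been shipped.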

To disable the monitoring of the log files

  • Clear the Enable ObserveIT logging check box, and click Save.