Product Architecture and Components

Architecture and Components

ObserveIT is a software-based user activity monitoring and internal risk identification platform with no fixed hardware components. Software Agents running on Windows, Mac, or Unix/Linux gateways, servers or desktops capture user activity data and send it to an ITM On-Prem (ObserveIT) Application Server. The Application Server sends the relevant user activity log and screen video data to a Database Server for storage. All captured user activity data can be searched for, reported on, configured for alerts, and integrated with SIEM systems. Administrators manage the system and access user activity logs, screen video, reports and other features using the ITM On-Prem Web Console, which is served by the Application Server.

These are the components of the ObserveIT software application:

A software component that can be installed on any Windows-based operating system (server or desktop) that you want to record. The Windows Agent is a user-mode executable that binds to every user session. As soon as a user logs into a monitored server, the Agent begins recording based on the configured recording policy. The Windows Agent captures user activity data logs and, if configured, screen video.

The Updater is the component that manages the Agent upgrade. An Updater is installed on every endpoint.

The Updater continuously communicates with the Application Server so it knows when to update the endpoint according to settings you configure. The Updater is aware of the OS type, Agent version and bit processor, so it knows the correct upgrade version to download.

A software component that can be installed on any supported Unix or Linux system that you want to monitor. The Unix/Linux Agent runs in user mode and is triggered when an interactive session is created on a monitored machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including interactive user activity and system functions such as OPEN, EXEC, CHMOD and others. Unix/Linux recorded data can be replayed or searched for input commands, system functions and output data.

A software component that can be installed on a Mac OSX system that you want to monitor.

The ITM On-Prem (ObserveIT) Application Server is an ASP.NET application that runs on a Windows Server-based computer (physical server or VM) in the context of Microsoft Internet Information Server (IIS).

Recorded data is sent by the Agents to the Application Server, which stores it in the SQL Server databases, and file system shared folders. Windows-based operating system recorded data is divided into 2 sections: the metadata (approx. 30% of the total storage size) and the graphical images (approx. 70% of the total storage size). Unix\Linux-based operating system recordings are 100% metadata.

The Application Server also maintains recording policies and other configuration data, actively communicates with Agents to deliver configuration updates and to monitor system health, handles data maintenance/archiving, and generates reports.

The ITM On-Prem Web Console is an ASP.NET application that runs in the context of Microsoft Internet Information Server (IIS).

It is the primary interface for audit review, video replay, and reporting, as well as for configuring and administering ObserveIT. All configuration information is stored in the ITM On-Prem (ObserveIT) Database Server. The Web Console includes granular policy rules for limiting access to sensitive data.

In most cases, the ITM On-Prem Web Console component is installed on the same computer as the ITM On-Prem (ObserveIT) Application Server (or one of them if there are multiple Application Servers).

By default, ObserveIT uses Microsoft SQL Server databases for data storage. This storage includes user activity configuration data, user analytics data, textual audit metadata and possibly the screenshots captured by the ObserveIT Agents for video replay.

ObserveIT can also be configured to store the video replay screenshots in file system storage instead of in the SQL database, either on the local hard drive of the ITM On-Prem (ObserveIT) Application Server, or on a file share in the network. In these cases, the MS SQL Server database is still used for storing user activity log and configuration data. Windows and Mac-based operating systems store approx. 20% of the total recorded data on SQL Server. The rest, approximately 80% of the total recorded data is stored on a file share. Unix\Linux-based operating system store 100% of the recorded data on SQL Server. Connectivity with the database is on standard TCP port 1433.

Required for medium to large deployments.

In medium and large scale deployments or when the SQL Server database has performance issues, the file-system is the preferred method for storing screen capture data. Recorded screenshots can be stored on a file share in the network.

This is software or hardware-based and only required when there is more than one Application Server and in medium to large deployments.

Each of the three server applications can be installed on a single platform or multiple platforms.

The flow of activity and communication between the components is as follows:

  1. Each monitored desktop or server runs the ITM On-Prem Agent (ObserveIT Agent) which is installed locally on the computer.

  2. The Agent captures information about user activity, secures it, and sends it to the Application Server.

  3. If there is more than one Application Server, they should be load balanced by using either a software or hardware-based device. In that case the Agents will communicate with the load balancer’s virtual IP (VIP).

  4. The Application Server analyzes and compresses received data, then it stores it by splitting the textual data in the SQL Server database, and graphic images on the file share.

  5. An administrator can connect to the Web Console Web-based interface using a web browser, and search for, replay, run reports and inspect alerts based on the captured user activity.

  6. Any component of the data transfer or data storage process can be encrypted, if needed.

ObserveIT Architecture

The diagram illustrates the product architecture and flow of communication between the components.

For diagrams and details of the product architecture see Installation architectures.