Proofpoint | ObserveIT On-Premises Insider Threat Management
ObserveIT Data Storage
ObserveIT stores video (screenshot) and textual activity logs either in a SQL Server database or in a compact file-system format. User activity logs provide a searchable, human-readable audit trail of all recorded activity that can be integrated with existing SIEM security solutions.
This topic provides an overview of ObserveIT storage. It describes:
- How ObserveIT stores data using Microsoft SQL Server databases.
- How ObserveIT stores image data using the file system.
- How metadata is stored.
- How to secure stored ObserveIT data.
- How to maintain screen capture data privacy.
- How ObserveIT log data can be integrated with SIEM systems.
Database Storage
SQL Server databases store configuration data, user analytics data and textual audit metadata, and, when file-system storage is not used, the screenshots captured by ObserveIT Agents for video replay. To prevent data loss as the database fills up, ObserveIT lets you set a threshold, expressed as a percentage of the disk space allocated to the database, at which a system event is generated. That event alerts you to allocate additional storage (by raising the configured threshold) or to run the archive process; archiving older data frees up storage for more recent data.
For details about configuring ObserveIT archive storage, see Archiving ObserveIT Data.
File System Storage
Screenshots represent by far the largest portion of ObserveIT's storage needs. In large-scale deployments, or when the SQL Server database has performance issues, the file system is therefore the preferred location for screen capture data: recorded screenshots can be stored either on the local hard drive of the ObserveIT Application Server or on a file share in the network, instead of in the SQL database.
When file-system storage is used, the MS SQL Server database must still be maintained, because it continues to hold the textual metadata and the ObserveIT configuration data.
ObserveIT automatically manages the directory where you specify that screenshot data should be stored, including an auto-generated and archived subdirectory tree per date and per session.
ObserveIT enables the use of SSD-based "Hot" storage in addition to the standard "Warm" storage in order to provide faster archiving of sessions with full video recording saved in the file system.
For details, see Configuring Screenshot Storage.
Metadata Storage
In addition to visually recording user activity on monitored servers, ObserveIT records important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action, and more. This information, which is called "metadata", is stored in ObserveIT's database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout all recorded sessions, and provide a textual breakdown of each user session.
Although ObserveIT's main feature is its ability to visually record user sessions, in some cases ObserveIT administrators configure ObserveIT to record only metadata about specific applications that are accessed on specific servers. This reduces the visual auditing experience for those sessions, but the recorded metadata remains a very important part of the audit capability: because it describes what was seen on the screen, it supports powerful searches across your entire enterprise.
There are two ways to record metadata information:
- Metadata only, without any graphical screenshots being recorded
- Record metadata for specific applications
For more information, see Recording Metadata Information.
Securing Stored Data
Data that is stored in MS SQL Server automatically inherits any data protection mechanisms already in place for the corporate databases. If the integrity of the ObserveIT database storage is violated (for example, if a database administrator deletes an incriminating screenshot from the collection), ObserveIT displays a warning indicator in the Web Console. Note that this is detection rather than prevention: anyone with administrative rights on the SQL Server instance can still modify or delete rows, so the warning indicator, together with Image Security (described below), is what makes such tampering visible. For details, see Implementing Security and Privacy.
Maintaining Screen Capture Data Privacy
For privacy, all screen capture data (whether stored in the SQL database or in the file system) can be encrypted with a symmetric 256-bit Rijndael (AES) key. To further protect this key, the key itself can be encrypted with an asymmetric key: an X.509 certificate with a 1024-bit RSA key. This encryption is also inherited by any exported offline sessions. Note that 1024-bit RSA keys are below current guidance (NIST SP 800-131A disallows them for new use); check whether the certificate used for key wrapping in your deployment can be issued with a 2048-bit or larger key.
Video image encryption is enabled by turning on Image Security. When Image Security is enabled, the ObserveIT Agents and Application Server use a token exchange mechanism to encrypt all session data. In addition, recordings are digitally signed by the Application Server when they are stored in the database, which is what allows a deleted or altered screenshot to be detected. For details, see Securing Images on the Application Server.
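The scheme described in the two paragraphs above (a symmetric key per session for the screenshots, that key wrapped under an asymmetric key from the server's certificate, and each stored recording signed by the Application Server), together with the integrity warning from Securing Stored Data, can be demonstrated end to end. The following Go program is an added example written for this page; it is not ObserveIT's code and does not reproduce its storage format, token exchange or exact algorithms. It uses AES-256-GCM, RSA-OAEP and RSA-PSS from Go's standard library, a plain RSA key in place of the X.509 certificate, and a 2048-bit key rather than the 1024-bit size mentioned in the docs. The Record and Session types, the binding of each screenshot to its position and to the session's record count, and the function names are assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Record is one stored screenshot; Sig is the server's RSA-PSS signature over (position, count, nonce, ciphertext).
type Record struct {
	Seq   uint32
	Nonce []byte
	CT    []byte
	Sig   []byte
}

// Session is what would land in SQL or on the file share: RSA-wrapped AES-256 session key, record count, records.
type Session struct {
	WrappedKey []byte
	Count      uint32
	Records    []Record
}

func u32(n uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, n); return b }

// digest is what gets signed: SHA-256 over the concatenated parts (all fixed-length except the ciphertext, which is last).
func digest(parts ...[]byte) []byte { d := sha256.Sum256(bytes.Join(parts, nil)); return d[:] }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// StoreSession encrypts each screenshot with a fresh AES-256-GCM session key, binds each
// ciphertext to its position and to the session's record count (as GCM associated data
// and in the signature), and wraps the key with RSA-OAEP under the server's public key.
func StoreSession(server *rsa.PrivateKey, screenshots [][]byte) (*Session, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &server.PublicKey, key, nil)
	if err != nil { return nil, err }
	s := &Session{WrappedKey: wrapped, Count: uint32(len(screenshots))}
	for i, img := range screenshots {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return nil, err }
		aad := append(u32(uint32(i)), u32(s.Count)...) // position || count
		ct := gcm.Seal(nil, nonce, img, aad)
		sig, err := rsa.SignPSS(rand.Reader, server, crypto.SHA256, digest(aad, nonce, ct), nil)
		if err != nil { return nil, err }
		s.Records = append(s.Records, Record{Seq: uint32(i), Nonce: nonce, CT: ct, Sig: sig})
	}
	return s, nil
}

// ReplaySession is the kind of check behind a Web Console integrity warning: it refuses to
// replay if the stored record count disagrees with the count each record was signed with,
// if a position is missing or out of order, or if a record fails signature or GCM checks.
func ReplaySession(server *rsa.PrivateKey, s *Session) ([][]byte, error) {
	if uint32(len(s.Records)) != s.Count {
		return nil, fmt.Errorf("integrity: session declares %d records, storage holds %d", s.Count, len(s.Records))
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, server, s.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	var frames [][]byte
	for i, r := range s.Records {
		if r.Seq != uint32(i) { return nil, fmt.Errorf("integrity: expected record %d, found position %d", i, r.Seq) }
		aad := append(u32(r.Seq), u32(s.Count)...)
		if rsa.VerifyPSS(&server.PublicKey, crypto.SHA256, digest(aad, r.Nonce, r.CT), r.Sig, nil) != nil {
			return nil, fmt.Errorf("integrity: record %d signature invalid", i)
		}
		img, err := gcm.Open(nil, r.Nonce, r.CT, aad)
		if err != nil { return nil, fmt.Errorf("integrity: record %d ciphertext tampered", i) }
		frames = append(frames, img)
	}
	return frames, nil
}

func main() {
	server, _ := rsa.GenerateKey(rand.Reader, 2048) // errors ignored for brevity in this demo only
	s, _ := StoreSession(server, [][]byte{[]byte("frame-0"), []byte("frame-1"), []byte("frame-2")}) // constructed frames
	_, err := ReplaySession(server, s)
	fmt.Println("intact session:", err)
	s.Records = append(s.Records[:1], s.Records[2:]...) // a DBA deletes the middle screenshot
	_, err = ReplaySession(server, s)
	fmt.Println("after deletion:", err)
}
```

Deleting a record in the middle trips the count check; deleting the last one and "fixing" the count trips every remaining signature, because the count is part of what was signed; editing a ciphertext byte trips the signature before GCM is even tried. None of this prevents a database administrator from making the change, which is exactly why the Web Console surfaces a warning rather than silently replaying whatever is left.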
Integrating Log Data with SIEM Systems
ObserveIT's stored user activity data (metadata) can be integrated with third-party SIEM monitoring systems in one of two ways: through the database API, or by exporting monitor log files to the existing SIEM system so that it receives the session data and recordings. With the database API, the log data remains in ObserveIT's database tables and third-party systems retrieve the exposed data directly from ObserveIT's database.
The following topics describe how to view and configure storage settings in the Configuration > Storage page of the Web Console:
- Viewing Database Information - Provides information about the current ObserveIT SQL database, session information about the SQL Servers that are recorded in the database, and identifies whether the system is using the SQL database or the file system for screen capture storage.
- Configuring Screen Capture Data Storage - Describes how to set thresholds for system alerts if the database or the file system reaches its maximum allocated storage, create new file system locations for screen capture data, and view previous file system locations in order to be able to replay recorded sessions.
- Viewing Endpoints Database Information - Provides details of the recorded endpoints in the database.