Recording Metadata Information
In addition to visually recording user actions on monitored endpoints, ITM On-Prem (ObserveIT) records important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action, and more. This information, which is called "metadata", is stored in ObserveIT's database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout recorded sessions, and provide a textual breakdown of each user session.
Although ObserveIT's main feature is its ability to visually record user sessions, in some cases, ITM On-Prem (ObserveIT) administrators will configure ITM On-Prem (ObserveIT) to record only metadata about specific applications that are accessed on specific endpoints. While this will reduce the visual auditing experience for the user session, this recorded metadata is a very important aspect of the auditing experience and capabilities. Because this metadata describes what is seen on the screen, you can perform very powerful searches across your entire enterprise. Although no visual trace will be available when selecting this option, it will still provide far more auditing capabilities than when compared to a endpoint on which no ITM On-Prem (ObserveIT) Agent is installed.
There are two ways to record metadata information:
-
Metadata only, without any graphical screenshots being recorded
-
Record metadata for specific applications
Record Metadata Only
To record metadata only without any graphical screenshots, you must use the Default Metadata Only Policy, a preconfigured policy that records only metadata. By default, this policy is not linked to any endpoint. If you link the policy to one or more endpoints, these endpoints will only record metadata information.
Record Metadata for Specific Applications
You can create a new Recording Policy that excludes specific applications, or edit an existing recording policy to match your needs. You can also manually edit a specific endpoint's configuration.
By default, ObserveIT's Default Configuration Template is configured to record all applications AND the associated metadata. Therefore, in a default configuration scenario, there is no need to make any changes in order to record the metadata information.
For example, you might decide that, in a particular scenario, you only want to record these administrative-related applications:
-
CMD.exe
-
Notepad.exe
-
MMC.exe
-
Regedit.exe
-
Mstsc.exe
To do this, you should change either the specific endpoint's configuration policy or the Server Configuration Policy that affects the endpoint. In the Application Recording Policy section of the Server Configuration Policy (see Application Recording Policy), select the Record only the following applications option. Then, using the Applications drop-down list, add the specific applications from the above list. After making the changes, the relevant screen section should look like:
Be sure to click Save when you have finished configuring the recording settings. Read the warning message, and if you're satisfied with your changes, click OK. Click Cancel to discard your changes.
As noted above in the first option, for other scenarios you can configure the Record Metadata Only setting to change the way the ITM On-Prem (ObserveIT) Agent records applications. By using this setting, the ITM On-Prem (OBserveIT) Agent will only record metadata for the applications accessed during a user's session. No graphic information will ever be recorded.
After making the necessary configuration changes, you will be able to replay and view the graphical recorded data for those applications, but you will only have textual metadata information for any other application that was accessed on the endpoint. These applications will be clearly identified by an icon in the Activities View of the Endpoint Diary or User Diary.
When replaying a "metadata-only" session or a session that includes "metadata-only" applications, the Session Player will display a screenshot with a white background and text indicating that it is an ITM On-Prem (ObserveIT) Metadata-Only Policy; the metadata itself will be listed in the User Activities List alongside.