ITM On-Prem (ObserveIT) Data Storage
ITM On-Prem (ObserveIT) stores video and text logs in a compact SQL or file-system database format. User activity logs provide a searchable, human-readable audit trail of all activity that can be integrated with existing SIEM security solutions.
This topic provides an overview of ITM On-Prem (ObserveIT) storage. It describes:
- How ITM On-Prem (ObserveIT) stores data using Microsoft SQL Server databases.
- How ITM On-Prem (ObserveIT) stores image data using the file system.
- How metadata is stored.
- How to secure stored ITM On-Prem (ObserveIT) data.
- How to maintain screen capture data privacy.
- How ITM On-Prem (ObserveIT) log data can be integrated with SIEM systems.
Database Storage
SQL Server databases store configuration data, user analytics data, textual audit metadata and optionally (unless the file-system is used) screenshots captured by ITM On-Prem (ObserveIT) Agents for video replay. To prevent data loss as the database becomes full, ITM On-Prem (ObserveIT) enables you to configure additional storage space. You can configure a threshold (as a percentage of allocated disk space) specifying the maximum disk space that is allocated for the database. A system event is generated when the database storage threshold (%) reaches its configured limit, alerting you to configure additional storage space by updating the specified threshold or by running the archive process. Archiving older data frees up storage for more recent data.
For details about configuring ITM On-Prem (ObserveIT) archive storage, see Archiving ITM On-Prem (ObserveIT) Data.
File System Storage
Visual screenshots represent the largest portion of ObserveIT’s data storage needs. In large-scale deployments, or when the SQL Server database has performance issues, the file system is therefore the preferred location for screen capture data: you can configure video replay screenshots to be stored on the local hard drive of the ITM On-Prem (ObserveIT) Application Server or on a file share in the network instead of in the SQL database. When file-system storage is used, the MS SQL Server database is still required, because it holds the textual metadata and the ITM On-Prem (ObserveIT) configuration data.
ITM On-Prem (ObserveIT) automatically manages the directory you specify for screenshot storage, including an auto-generated subdirectory tree, organized per date and per session, that is also used when sessions are archived.
ITM On-Prem (ObserveIT) enables the use of SSD-based "Hot" storage in addition to the standard "Warm" storage in order to provide faster archiving of sessions with full video recording saved in the file system.
For details, see Configuring Screenshot Storage.
Metadata Storage
In addition to visually recording user activity on monitored servers, ITM On-Prem (ObserveIT) records important information about what is seen on the screen, which applications are currently used, what actions the user has performed, the date and time of the action, and more. This information, which is called "metadata", is stored in ObserveIT's database, which is located on a central SQL Server. Because metadata is centrally stored and indexed, it can be used to easily search throughout all recorded sessions, and provide a textual breakdown of each user session.
Although ObserveIT's main feature is its ability to visually record user sessions, in some cases, ITM On-Prem (ObserveIT) administrators will configure ITM On-Prem (ObserveIT) to record only metadata about specific applications that are accessed on specific servers. While this will reduce the visual auditing experience for the user session, this recorded metadata is a very important aspect of the auditing experience and capabilities. Because this metadata describes what is seen on the screen, you can perform very powerful searches across your entire enterprise.
There are two ways to record metadata information:
- Metadata only, without any graphical screenshots being recorded
- Record metadata for specific applications
For more information, see Recording Metadata Information.
Securing Stored Data
Data that is stored in MS SQL Server automatically inherits any data protection mechanisms already in place for the corporate databases. If the data integrity of the ITM On-Prem (ObserveIT) database storage is violated (for example, if a database administrator succeeds in deleting an incriminating screenshot from within the entire collection), ITM On-Prem (ObserveIT) displays a warning indicator in the Web Console. For details, see Implementing Security and Privacy.
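The integrity warning above depends on the server being able to tell that a screenshot has been removed or altered after the fact. The following is an added example of one way such a check can be built; it is not ObserveIT code and the page does not describe the product's actual mechanism. It assumes a hypothetical per-session manifest: one SHA-256 digest per frame plus an HMAC over the digest list under a key held by the Application Server and not stored in the database, so a database administrator cannot recompute a valid tag after deleting a frame. The `Screenshot` type, the `VerifySession` messages and the sample frames are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Screenshot is one captured frame of a recorded session.
// Constructed sample type; the product's real schema is not described on this page.
type Screenshot struct {
	Seq  int
	Data []byte
}

// Manifest is the record a trusted component (here, the Application Server)
// keeps per session: one digest per frame plus an HMAC over the digest list
// under a key that database administrators do not hold. Hypothetical design.
type Manifest struct {
	FrameDigests []string
	Tag          []byte
}

// digestFrames binds each frame's content to its sequence number, so that
// reordering frames is detected as well as altering them.
func digestFrames(frames []Screenshot) []string {
	out := make([]string, 0, len(frames))
	for _, f := range frames {
		h := sha256.New()
		fmt.Fprintf(h, "%d:", f.Seq)
		h.Write(f.Data)
		out = append(out, hex.EncodeToString(h.Sum(nil)))
	}
	return out
}

// tagDigests commits to the frame count and to every digest; without the key
// nobody can produce a valid tag for a shortened or modified digest list.
func tagDigests(key []byte, digests []string) []byte {
	mac := hmac.New(sha256.New, key)
	fmt.Fprintf(mac, "%d\n", len(digests))
	for _, d := range digests {
		fmt.Fprintf(mac, "%s\n", d)
	}
	return mac.Sum(nil)
}

// BuildManifest runs when the session is committed to storage.
func BuildManifest(key []byte, frames []Screenshot) Manifest {
	d := digestFrames(frames)
	return Manifest{FrameDigests: d, Tag: tagDigests(key, d)}
}

// VerifySession recomputes everything from what is currently in storage and
// returns an empty string if the session is intact, otherwise the reason.
// A console would surface a non-empty result as its integrity warning.
func VerifySession(key []byte, m Manifest, stored []Screenshot) string {
	if !hmac.Equal(m.Tag, tagDigests(key, m.FrameDigests)) {
		return "manifest tag invalid: the manifest itself was altered"
	}
	if len(stored) != len(m.FrameDigests) {
		return fmt.Sprintf("frame count mismatch: manifest has %d, storage has %d",
			len(m.FrameDigests), len(stored))
	}
	for i, d := range digestFrames(stored) {
		if d != m.FrameDigests[i] {
			return fmt.Sprintf("frame %d digest mismatch", stored[i].Seq)
		}
	}
	return ""
}

func main() {
	key := []byte("server-held-key-constructed-sample") // would live outside the database
	frames := []Screenshot{{1, []byte("frame-1")}, {2, []byte("frame-2")}, {3, []byte("frame-3")}}
	m := BuildManifest(key, frames)
	fmt.Printf("intact session: %q\n", VerifySession(key, m, frames))

	// A privileged database user removes the middle frame from the collection.
	afterDeletion := []Screenshot{frames[0], frames[2]}
	fmt.Printf("after deletion: %q\n", VerifySession(key, m, afterDeletion))
}
```

The frame count is part of the MAC input deliberately: a digest list alone would let a deletion go unnoticed if the attacker could also shorten the list, and the HMAC key being outside the database is what keeps a database administrator from doing exactly that.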
Maintaining Screen Capture Data Privacy
For privacy, all screen capture data (whether stored in the SQL database or in the file system) can be encrypted with a symmetric Rijndael 256-bit key. To further protect this key, the key itself can be encrypted with an asymmetric 1024-bit X.509 certificate (with RSA encryption key). This encryption is also inherited by any exported offline sessions.
To enable video image encryption, enable Image Security. When Image Security is enabled, the ITM On-Prem (ObserveIT) Agents and Application Server use a token exchange mechanism to encrypt all session data. In addition, recordings are digitally signed by the Application Server when stored in the database. For details, see Securing Images on the Application Server.
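The two-layer scheme described above (a symmetric key for the image bytes, wrapped by the certificate's RSA key) is standard envelope encryption. The following is an added example of that pattern written for this page; it is not ObserveIT code, and the product's token exchange and signing formats are not described here. Assumptions made for the example: AES-256-GCM as the Rijndael mode (the page does not name one), RSA-OAEP for key wrapping, a 2048-bit key pair generated in place of the certificate's 1024-bit key, and the session ID bound as additional authenticated data so a ciphertext cannot be quietly attached to a different session. `NewServerKeyPair`, `oaepLabel` and the sample image bytes are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel separates image-key wrapping from any other use of the same RSA key.
// Constructed value for this example.
var oaepLabel = []byte("itm-image-data-key")

// EncryptedImage is the stored form of one screenshot under this example's
// envelope scheme: the frame under a fresh AES-256-GCM data key, and that data
// key wrapped to the RSA public key an X.509 certificate would carry.
type EncryptedImage struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// NewServerKeyPair stands in for the Application Server's certificate key pair.
// The page specifies a 1024-bit RSA certificate; this example generates 2048.
func NewServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptScreenshot generates a per-image 256-bit data key, seals the frame with
// it, and wraps the key with RSA-OAEP. The session ID is bound as additional
// authenticated data so a ciphertext cannot be silently moved to another session.
func EncryptScreenshot(pub *rsa.PublicKey, sessionID string, image []byte) (EncryptedImage, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return EncryptedImage{}, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return EncryptedImage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return EncryptedImage{}, err
	}
	ct := gcm.Seal(nil, nonce, image, []byte(sessionID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, oaepLabel)
	if err != nil {
		return EncryptedImage{}, err
	}
	return EncryptedImage{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// DecryptScreenshot is the replay path: unwrap the data key with the private
// key, then open the frame. Any change to the ciphertext, nonce or session ID
// makes the authentication tag fail and no plaintext is returned.
func DecryptScreenshot(priv *rsa.PrivateKey, sessionID string, e EncryptedImage) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: wrong private key or damaged record")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, e.Nonce, e.Ciphertext, []byte(sessionID))
}

func main() {
	priv, err := NewServerKeyPair()
	if err != nil {
		panic(err)
	}
	image := []byte("PNG bytes of one captured frame (constructed sample)")
	enc, err := EncryptScreenshot(&priv.PublicKey, "session-42", image)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptScreenshot(priv, "session-42", enc)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(image))
	_, err = DecryptScreenshot(priv, "session-43", enc)
	fmt.Println("replay under another session id rejected:", err != nil)
}
```

Only the private key needs protecting for the whole archive to stay confidential, which is why the page's advice to protect the certificate key matters more than the per-image keys: those are random, used once, and recoverable only through the certificate.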
Integrating Log Data with SIEM Systems
ObserveIT’s stored user activity data (metadata) can be integrated with third-party SIEM monitoring systems. The data can be exposed through a database API, or monitor log files can be exported to an existing SIEM system so that it receives the session data and recordings. Database API log data is stored in ObserveIT’s database tables; third-party systems can therefore retrieve the exposed data directly from ObserveIT’s database.
The following topics describe how to view and configure storage settings in the Configuration > Storage page of the Web Console:
- Viewing Database Information - Provides information about the current ITM On-Prem (ObserveIT) SQL database, session information about the SQL Servers that are recorded in the database, and identifies whether the system is using the SQL database or the file system for screen capture storage.
- Configuring Screen Capture Data Storage - Describes how to set thresholds for system alerts if the database or the file system reaches its maximum allocated storage, create new file system locations for screen capture data, and view previous file system locations in order to be able to replay recorded sessions.
- Viewing Endpoints Database Information - Provides details of the recorded endpoints in the database.