Unix - Linux Agent Overview

Unix - Linux Agent

The ObserveIT Unix/Linux Agent is a software component that can be installed on any supported Unix or Linux system that you want to monitor.

The Unix/Linux Agent runs in user mode and is triggered when an interactive session is created on a monitored machine (connected via SSH, Telnet, Rlogin, and so on). It records user activity inside the sessions, including interactive user activity and system functions such as OPEN, EXEC, CHMOD and others. The recorded data is sent to the ITM On-Prem (ObserveIT) Application Server and can be replayed or searched for input commands, system functions and output data. All recorded data can be searched, reported, configured for alerts, and integrated with SIEM systems.

When a user logs in on a Unix/Linux machine, the Agent is started and begins recording the shell actions according to a predefined data recording policy.

The diagram below shows the Unix/Linux Agent architecture.


The ObserveIT Unix/Linux Agent captures all the internal actions and the names of files and resources that are affected by command line operations. All output, commands and important system functions invoked inside commands are captured and forwarded to the Agent, which sends them to the ITM On-Prem (ObserveIT) Application Server for processing and storage.

In offline mode, the ITM On-Prem Agent (ObserveIT Agent) stores the recorded data locally in the event of a network malfunction or disconnection. When network connectivity is re-established, the ObserveIT Service transmits the locally cached data to the Application Server. To prevent the local disk from reaching full capacity, the volume of the local data cache is limited per offline session.
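To make the offline-mode behaviour concrete, the following is an added illustrative model of an agent-side cache with a per-session size cap and ordered replay on reconnect. It is example code written for this page, not ObserveIT's implementation; the class names, the record format, the byte-counting rule and the cap value are assumptions chosen for demonstration, and the event names (OPEN, EXEC, CHMOD) are the system functions named above.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List


@dataclass
class Record:
    """One recorded event (assumed format; event names follow the page)."""
    session_id: str
    event: str
    detail: str

    def size(self) -> int:
        # Assumed approximation of the serialised record's on-disk footprint.
        return len(self.session_id) + len(self.event) + len(self.detail) + 3


class OfflineSpool:
    """Local cache used while the Application Server is unreachable.

    The cap is enforced per session so that one long offline session cannot
    fill the disk. Records that exceed the cap are counted as dropped, so the
    gap in the recording is visible rather than silent.
    """

    def __init__(self, per_session_limit_bytes: int) -> None:
        self.limit = per_session_limit_bytes
        self.queues: Dict[str, Deque[Record]] = {}
        self.used: Dict[str, int] = {}
        self.dropped: Dict[str, int] = {}

    def cache(self, rec: Record) -> bool:
        q = self.queues.setdefault(rec.session_id, deque())
        used = self.used.get(rec.session_id, 0)
        if used + rec.size() > self.limit:
            self.dropped[rec.session_id] = self.dropped.get(rec.session_id, 0) + 1
            return False
        q.append(rec)
        self.used[rec.session_id] = used + rec.size()
        return True

    def flush(self, send: Callable[[Record], bool]) -> int:
        """Replay cached records in original order; stop at the first failure."""
        sent = 0
        for sid, q in self.queues.items():
            while q:
                if not send(q[0]):
                    return sent
                rec = q.popleft()
                self.used[sid] -= rec.size()
                sent += 1
        return sent


class Forwarder:
    """Agent-side sender: deliver directly while online, otherwise cache."""

    def __init__(self, server_send: Callable[[Record], bool], spool: OfflineSpool) -> None:
        self.server_send = server_send
        self.spool = spool
        self.online = True

    def record(self, rec: Record) -> str:
        if self.online and self.server_send(rec):
            return "sent"
        self.online = False  # first failed send switches to offline mode
        return "cached" if self.spool.cache(rec) else "dropped"

    def reconnect(self) -> int:
        sent = self.spool.flush(self.server_send)
        # Go back online only once the backlog is drained, so ordering holds.
        self.online = all(len(q) == 0 for q in self.spool.queues.values())
        return sent


class FakeServer:
    """Constructed stand-in for the Application Server; toggle `up` for an outage."""

    def __init__(self) -> None:
        self.up = True
        self.received: List[Record] = []

    def send(self, rec: Record) -> bool:
        if not self.up:
            return False
        self.received.append(rec)
        return True


def run_demo():
    """Constructed scenario: one send online, an outage, then reconnect."""
    server = FakeServer()
    spool = OfflineSpool(per_session_limit_bytes=40)  # assumed small cap
    fwd = Forwarder(server.send, spool)
    sid = "s1"
    results = [fwd.record(Record(sid, "EXEC", "/bin/ls"))]
    server.up = False
    results.append(fwd.record(Record(sid, "OPEN", "/etc/passwd")))
    results.append(fwd.record(Record(sid, "CHMOD", "/tmp/x")))
    results.append(fwd.record(Record(sid, "EXEC", "/usr/bin/vi")))  # over the cap
    server.up = True
    replayed = fwd.reconnect()
    return results, replayed, [r.detail for r in server.received], spool.dropped.get(sid, 0)


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the model is the trade-off the page describes: capping the cache per session protects the host's disk, but anything beyond the cap is lost, so a deployment should size the cap against expected outage length and monitor the dropped counter rather than assume offline recording is complete.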

Attempting to stop the recording process terminates the user session, so that no further user activity can take place without being recorded.