EventLog Analyzer provides an optional agent which can collect event logs from Windows machines.
How agent-based log collection works: A Prerequisite
The agent and the EventLog Analyzer server communicate in both directions over the web server port, 8400 by default, using HTTP or HTTPS. Bidirectional communication on port 8400 must therefore be permitted on the EventLog Analyzer server.
Note: Agentless log collection is built into the EventLog Analyzer architecture; agent-based collection of Windows event logs was added to simplify collecting logs across a WAN and through firewalls. Using an agent is optional: the default collection mechanism is agentless, using WMI/DCOM. The optional agent is useful for organizations whose security policy disallows WMI/DCOM communication with Windows machines.
How to install the EventLog Analyzer agent?
To install an agent, use the following menu option:
- Settings tab > Admin Settings > Manage Agents > Install
To install the agent, follow the steps given below:
1. Enter the name(s) of the machine(s) on which the agent should be installed. If you enter multiple machine names, separate them with commas.
Tip: You can also copy comma-separated machine names from a text file and paste them into this field.
Alternatively, use the Pick Devices link to select one or more machines from the Windows workgroups and domains; the agents will be installed on those machines.
2. The Domain Name field is optional. Enter the domain name of the machines if you wish; if you used Pick Devices, the field is filled in automatically.
3. Enter the login name and password used to access the machine(s) and install the agent(s). This account must have administrator privileges on the target machine(s).
4. Use the Verify Login link to validate the credentials. If multiple devices are selected, ensure that the credentials are valid for all of them.
5. Click the Install button to install the agent(s).
Agent Installation via GPO
Note: Before starting, place the following files in a network-shared folder of the server:
The files are available in the following paths:
- InstallEventLogAgent.vbs - <Installation Directory>\ManageEngine\EventLog Analyzer\tools\scripts
- EventLogAgent.msi - C:\ManageEngine\EventLog\lib\native
Best Practice: Create a group and add all the computers in which you want to install the agent software. Then, create a GPO and apply it to this group.
Follow the steps below in the same sequence for a successful installation.
Step 1: Create and name a GPO as described below:
a. For Windows Server 2003
i. Open the Active Directory Users and Computers console.
ii. Right-click the parent container of all the computer objects (which are added to a group as described in the 'Best Practice' section above) and select Properties.
iii. In the Properties dialog box, select the Group Policy tab and then click New to create a Group Policy Object.
b. For Windows Server 2008 and later
i. Open the Group Policy Management console.
ii. In the left pane, right-click the Group Policy Objects container and select New.
iii. Give the GPO a descriptive name and then click OK.
Step 2: Configure Script Settings
1. Right-click the Group Policy Object you have just created and click Edit to open the GPO Editor.
2. In the right pane of the GPO editor, double-click Computer Configuration > Windows Settings > Scripts (Startup/Shutdown) > Startup.
For Windows Server 2008 and later, the path is Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown) > Startup.
3. Right-click Startup and select Properties.
4. In the Startup Properties dialog box, click Add.
5. In the Add Script dialog box, do the following:
i. Click the Browse button next to the Script Name field and select the InstallEventLogAgent.vbs script.
ii. In the Script Parameters field, enter the parameters in the following form and then click OK.
/MSIPATH:"<share path of msi file>" /SERVERNAME:"<ELA installed server name>" /SERVERDBTYPE:"<database of server>" /SERVERIPADDRESS:"<IP address of server>" /SERVERPORT:"<port occupied by server>" /SERVERPROTOCOL:"<protocol (http/https)>" /SERVERVERSION:"<ELA version>" /SERVERINSTDIR:"<ELA installed directory>"
Example values for the server parameters:
/SERVERDBTYPE:"postgres" /SERVERIPADDRESS:"192.168.209.83" /SERVERPORT:"8400" /SERVERPROTOCOL:"http" /SERVERVERSION:"10072" /SERVERINSTDIR:"C:\\ManageEngine\\EventLog\\"
6. You are returned to the Startup Properties dialog box. Click Apply first and then OK to complete the procedure.
Step 3: Configuring Administrative Template Settings
Once you have completed the steps above, configure the Administrative Template settings as follows.
1. In the left pane of the GPO Editor window, go to Computer Configuration > Administrative Templates > System.
2. Under System, configure the following settings:
i. In the right pane of the GPO editor, double-click Run logon scripts synchronously and enable it. Click Apply and then OK.
ii. Double-click Maximum wait time for Group Policy scripts and enable it. Click Apply and then OK.
iii. Double-click Always wait for the network at startup and logon and enable it. Click Apply and then OK.
3. Under System > Group Policy, double-click Group Policy slow link detection and enable it. Click Apply and then OK.
Step 4: Applying the GPO
Once the Administrative Template Settings are configured, apply the GPO to the desired computers in the network.
1. In the left pane of the GPO editor, right-click the GPO you are working on (the GPO list is in the top left corner of the GPO editor) and select Properties.
2. Click the Security tab in the Properties dialog box.
Note: In the Security tab, remember to uncheck 'Apply Group Policy' permission for 'Authenticated Users' before proceeding further.
3. Click Add to open the Select Users, Computers or Groups dialog box. There, click the Object Types button, make sure that Groups is checked, and then click OK.
4. Enter the name of the group that contains all the computers on which the EventLog Analyzer agent is to be installed and then click Check Names. Highlight the desired group and then click OK to return to the Security tab.
5. The group will now be added to the list of group or usernames under the Security tab.
6. With the newly added group highlighted, apply the following permissions:
a. Read -> Allow
b. Apply Group Policy -> Allow
Click Apply and then click OK.
7. Reboot the computers to apply the GPO and wait until the Reset Password / Unlock Account link appears on the Windows logon screen.
To apply the GPO directly to computers:
If you prefer to apply the GPO directly to computers instead of to the group, follow the steps below:
a. Follow steps 1 and 2 in the section above.
b. Click the Object Types button and make sure that Computers is checked. Click OK.
c. Use the Check Names button to find the required computers. Select the desired computers and then click OK to return to the Security tab.
d. Set the Read and Apply Group Policy permissions to Allow for every computer you just added.
Note: After performing all these steps, remember to uncheck the 'Apply Group Policy' permission for Authenticated Users.
e. Restart all the client machines.
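As an added example (not part of the EventLog Analyzer documentation or product), the PowerShell below assembles the Script Parameters string from Step 2 in the documented format, rejecting an MSI path that is not a UNC share path, and checks the GPO scoping the notes in Step 4 call for (Apply Group Policy removed from Authenticated Users and granted to the computer group). The function names, share path, GPO name and group name are assumptions; Test-ElaAgentGpoScope relies on the GroupPolicy module's Get-GPPermission cmdlet.

```powershell
# Added example (not part of the EventLog Analyzer documentation): builds the
# InstallEventLogAgent.vbs parameter string in the format shown above and rejects
# values the startup script cannot use. Function and parameter names are this example's own.
function New-ElaAgentScriptParameters {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,          # UNC path to EventLogAgent.msi on the share
        [Parameter(Mandatory)] [string] $ServerName,       # EventLog Analyzer server host name
        [Parameter(Mandatory)] [string] $ServerDbType,     # e.g. postgres
        [Parameter(Mandatory)] [ipaddress] $ServerIpAddress,
        [ValidateRange(1, 65535)] [int] $ServerPort = 8400,
        [ValidateSet('http', 'https')] [string] $ServerProtocol = 'http',
        [Parameter(Mandatory)] [string] $ServerVersion,    # build number, e.g. 10072
        [Parameter(Mandatory)] [string] $ServerInstDir
    )
    # The startup script runs as SYSTEM before anyone logs on, so the MSI has to be
    # reachable by UNC path on the network share; a mapped drive letter does not exist yet.
    if ($MsiPath -notmatch '^\\\\[^\\]+\\[^\\]+\\.+\.msi$') {
        throw "MsiPath must be a UNC path to the .msi, e.g. \\fileserver\share\EventLogAgent.msi"
    }
    if ($ServerVersion -notmatch '^\d+$') { throw 'ServerVersion must be numeric' }
    # Quote every value exactly as the documented parameter line does.
    $parts = @(
        "/MSIPATH:`"$MsiPath`""
        "/SERVERNAME:`"$ServerName`""
        "/SERVERDBTYPE:`"$ServerDbType`""
        "/SERVERIPADDRESS:`"$($ServerIpAddress.IPAddressToString)`""
        "/SERVERPORT:`"$ServerPort`""
        "/SERVERPROTOCOL:`"$ServerProtocol`""
        "/SERVERVERSION:`"$ServerVersion`""
        "/SERVERINSTDIR:`"$ServerInstDir`""
    )
    return ($parts -join ' ')
}

# Checks the scoping the notes in Step 4 call for: the computer group holds Apply
# Group Policy and Authenticated Users no longer does (Read alone is left in place).
# Needs the GroupPolicy module (RSAT) on the machine running the check.
function Test-ElaAgentGpoScope {
    param([Parameter(Mandatory)] [string] $GpoName, [Parameter(Mandatory)] [string] $ComputerGroup)
    Import-Module GroupPolicy -ErrorAction Stop
    $auth  = Get-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -ErrorAction SilentlyContinue
    $group = Get-GPPermission -Name $GpoName -TargetName $ComputerGroup -TargetType Group -ErrorAction SilentlyContinue
    return ($auth.Permission -ne 'GpoApply') -and ($group.Permission -eq 'GpoApply')
}

# Usage with the values from the example line above; server name and share are constructed.
New-ElaAgentScriptParameters -MsiPath '\\FILESERVER01\ELAShare\EventLogAgent.msi' -ServerName 'ELA-SERVER' `
    -ServerDbType 'postgres' -ServerIpAddress '192.168.209.83' -ServerPort 8400 -ServerProtocol 'http' `
    -ServerVersion '10072' -ServerInstDir 'C:\\ManageEngine\\EventLog\\'
Test-ElaAgentGpoScope -GpoName 'ELA Agent Install' -ComputerGroup 'ELA-Agent-Computers'   # constructed names
```

Paste the string the first function returns into the Script Parameters field; the second function returns $true only when the GPO applies to the computer group and no longer to every authenticated user.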
How to Edit, Delete, Stop, or Start the agent?
The Edit / Delete / Stop / Start menu takes you to the Agent Administration page, where all the installed agents are listed.
- Use the expand (+) and collapse (-) icons to view the device machines added to an individual agent.
- Use the Edit icon to edit the agent.
- Use the Delete icon to delete the agent.
- If the agent service is running, use the Stop link to stop the agent and the Restart link to start it again.
- Add device machines to, or remove them from, the agent using the Add and Remove menu links.
If the agent installation has failed, the agent's status column instructs you to download the agent and install it manually: download EventLogAgent.msi to the agent machine and run the installer there.
The Agent Administration page lists every installed agent with its stop/start, edit, and delete options, the name of the agent, the status of the agent, and the IP address of the agent machine.