Agent Administration 

EventLog Analyzer provides an optional agent which can collect event logs from Windows machines.


How agent-based log collection works: A Prerequisite

The application uses the web server port 8400 (default) in http/https for two-way communications between the Agent server and the EventLog Analyzer server. So bidirectional communication should be enabled for port 8400 in the EventLog Analyzer Server.


Note: Agentless log collection is incorporated in EventLog Analyzer architecture. Collecting Windows event logs with agents is added to facilitate easy log collection across WAN and through the firewall. Using an agent to collect logs is optional, whilst the default log collection mechanism is agentless using WMI/DCOM. The optional agent will be useful for companies which have the security policy that disallows WMI/DCOM mode of communication with Windows machines.

How to install EventLog Analyzer agent?

To install an agent, use the following menu option:

To install the agent, follow the steps given below:

  1. Enter the machine name(s) in which the agent should be installed. If you choose to enter multiple machine names, separate them by a comma.
    Tip: You can also copy the comma separated machine names from a text file and paste in this field.

  2. Alternatively, use the Pick Devices link to select one or multiple machines from the Windows workgroups and domains to install the agents in those machines.

  3. The Domain Name field is optional. Enter the domain name of the machines, if you choose to. Pick Devices menu will automatically fill this field, otherwise.

  4. Enter the login name and password to access the machine(s) and install the agent(s). This login account should have admin privileges to install the agent.

  5. Use the Verify Login link to validate the credentials. If multiple devices are selected, ensure that the credentials are valid for all the devices.

  6. Click Install button to install the agent(s).

Agent Installation via GPO


Note:  Before starting, place the following files in a network-­‐shared folder of the server:       

•   InstallEventLogAgent.vbs     

•   EventLogAgent.msi     

The files are available in the following paths:    

Best Practice: Create a group and add all the computers in which you want to install the agent software. Then, create a GPO and apply it to this group.    


Follow the steps below in the same sequence for a successful installation.


Step  1: Create a GPO and name it as shown below:    

            a.   For Windows Server 2003    

i.  Open Active Directory users and computers console.    

 ii.  Right-­‐click the parent container of all the computer objects(which are added to a group as said in the ‘Best Practice’ section above) and select Properties.




iii.  In the Properties dialog box, select Group Policy tab and then click on New to create a Group Policy Object.    




           For Windows 2008 Server and Later    


            1.   Open Group Policy Management console.    

            2.   In the left pane, right click on the Group Policy Objects container and select New.  



           3. Give  a descriptive name to the GPO and then click Ok.    


              Step 2: Configure Script Settings    


           1. Now, right click the Group Policy Object that you have just created and click Edit to open the GPO  Editor



 2. In the right pane of the GPO editor, double click on Computer Configuration -­‐>Windows Settings -­‐>Scripts                                        (Startup/Shutdown)-­‐>Startup.    

                    For Windows Server 2008 and later, ComputeConfiguration -­‐Policies  -­‐Windows Settings -­‐Scripts                                                                            (Startup/Shutdown) -­‐Startup    



     3Right click on Startup and select Properties.    

         1.    In the StartuPropertiedialog box, click Add.    

                  2.    In the Add Script dialog box, do the following:   

                         i. Click Browse option corresponding to the Script Name field and select InstallEventLog.vbs script.                              

                         ii. In the Script Parameters field, enter the parameters as specified below and then click Ok.    





Script  Parameters    

       /MSIPATH:"< share  path of msi file>" /SERVERNAME:" <ELA    installed    Server    Name>" /SERVERDBTYPE:"< DataBase of Server>"                      /SERVERIPADDRESS:" <Ip Address of Server>" /SERVERPORT: "<Port Occupied by server>"
       /SERVERPROTOCOL:" <Protocol (http/https)>"  /SERVERVERSION:"<ELA VERSION>"    

/SERVERINSTDIR:"<ELA Installed Directory>"    



/MSIPATH:"\\admin\EventLog\lib\native\EventLogAgent.msi" /SERVERNAME:"vivek-­‐2122"    


/SERVERPROTOCOL:"http"  /SERVERVERSION:"10072"    /SERVERINSTDIR:"C:\\ManageEngine\\EventLog\\"      


       3. Now you will be back to the Startup Properties dialog box. Click Apply first and then click on Ok to complete the procedure.    


     Step 3: Configuring Administrative Template Settings

     Once you have completed the above-­‐mentioned steps, configure the Administrative Template Settings’  as  specified in the below steps.    


     1. On the left pane of GPO Editor window, go to Computer Configuration -­‐>Administrator    Templates -­‐>System    

     2. Under System, configure the following settings. 

           a. Scripts  

         i. In the right pane of the GPO editor, double-­‐click Run logon scripts synchronously and Enable it. Click on Apply and then Ok.  




             ii. Double click Maximum wait time for Group policy scripts, and Enable it. Now click on Apply and then OK.    



              b.    Logon

                     Double  click on Always wait for the network at startup and logon and Enablit. Now click on Apply and then OK.    



             c.    Group  Policy 

                    Double  click Group Policy slow link detection and Enable it. Click on Apply and then OK.  




             Step 4: Applying the GPO


             Once the Administrative Template Settings are configured, apply the GPO to the desired computers in the network. 


              1. On the left pane of the GPO editor, right click on the GPO that you are working on (GPO list is available on the top left                     corner of the GPO editor) and select properties. 

              2. Click the security tab in the properties dialog box. 

                  Note: In the Security tab, remember to uncheck 'Apply Group Policy'  permission for 'Authenticated Users'                       before proceeding further. 




               3. Now, click on Add to open the Select Users, Computers or Groups dialog box. There, click Object Types                   button and make sure that Groups is checked, and then click OK.    

             4. Enter the name of the group that has all the computers in which EventLog Analyzer is to be installed and then click on                  Check Names.

                 Highlight the desired group and then click OK to return to the security tab.



             5. The group will now be added to the list of group or usernames under the Security tab. 

             6. With the newly added group highlighted, apply the following permissions:

                  a. Read -> Allow

                  b. Apply Group Policy -> Allow

                  Click Apply and then click OK.




                  7. Reboot the computers to apply the GPO and wait till the Reset Password / Unlock Account link appears on the Windows logon screen.



To applGPO directltcomputers:    

In case you prefer to apply the GPO  directly to computers instead of the group, please follow the below steps:    

      a. Follow the steps 1 and 2 in the above section.    

      b. Click Object Types button and make sure that the computer is checked. Click OK.  

    c. Use the Check Names button to find the required computers. Select the desired computers and then click on Ok to return    to the Security Tab
      d. Set Read and Apply Group Policy permissions Allow for every computer that you just added. 
     Note: After performing all these steps, remember to uncheck Apply Group Policypermission for Authenticated Users.  

      e. Restart all the client machines    

How to Edit, Delete, Stop, Start the agent? 

The Edit/ Delete / Stop/ Start menu will take you to the Agent Administration page, where all the installed agents are listed.

Edit, Delete Agent

  1. Use the expand (+), collapse (-) icons to view the device machines added to the individual agent

  2. Use the Edit icon to edit the agent

  3. Use the Delete icon to delete the agent

  4. If the agent service is running, use the Stop link to stop the agent and Restart link to start the agent

  5. Add or remove device machine(s) to/from the agent using Add, Remove menu links.
    ​If the agent installation has failed, this column will instruct you to download the agent and install it manually.

  6. Download EventLogAgent.msi into the Agent device machine and install it manually.

Agent Administration

In the Agent Administration page, all the installed agents are displayed with stop/start option, edit option, delete option, the name of the agent, the status of the agent, and the IP address of the agent machine.

Get download link