
# What is the Logentries Windows Agent

Installing the Windows Agent allows our customers to follow logs on Windows-based servers or workstations, and to send system information from those machines for display in the Logentries Web UI.

# What Are the Benefits of the Logentries Windows Agent?

• Allows you to send your logs to Logentries with a quick installation and registration process.
• Can be deployed silently through the command line or through a graphical interface.
• Integrates seamlessly with Datahub.

# Agent Modes

The Windows Agent can be configured to operate in one of the following three modes:

• Direct: Send logs to Logentries. Available during graphic installation and silent installations.
• Syslog: Send logs via syslog to an endpoint. Use this option when configuring the agent for use with the Datahub. Available during graphic installation and silent installations.
• Local: Use local configuration file to specify log files to follow. Available only during silent installations.

# Installation of Logentries Windows Agent

The latest Windows Agent can always be found and downloaded here. Terms & Conditions can be found here.

The two primary ways to install the Logentries Windows Agent are:

• Command Line Installation – Ideal for automating many installations. Required installation method if you wish to use the agent in local mode and control settings with a config file.
• Graphical Interface Installation – Easiest way to get set up.

# Command Line Installation & Configuration

The following tools can be used to script the installation of the Windows Agent. These resources are provided with the Windows Agent zip file. Terms & Conditions can be found here.

• install.bat – When executed this batch file will prompt you through the installation of the Windows Agent. If the batch file is passed proper parameters when called it can install the Windows Agent silently.
• AgentSetup.msi – A Microsoft Software Installer file for use with the install.bat script.

### Using install.bat for silent installation

In order to perform a silent installation, you must pass the proper parameters when calling install.bat. The installation requires administrator privileges.

A basic silent installation would be as follows:

```
install.bat ACCOUNT_KEY=xxxx
```


• AGENT_MODE= Optional. Sets the mode the Agent will start in. Options are:
    • direct (Send logs to Logentries)
    • syslog (Send logs via syslog to an endpoint. Use this option when configuring the agent for use with the Datahub. Note: syslog host and port must be set but account key does not need to be passed)
    • local (Use local configuration file to specify log files to follow. Note: No need to specify Account Key when running .bat file in local mode)
• GROUP_NAME= Optional. The name of the new log set that will be created. If unspecified, the batch file will automatically pass the local host name of the machine.
• SYSLOG_HOST= Required if AGENT_MODE is set to Syslog. The address of the Syslog server (Linux or DataHub).
• SYSLOG_PORT= Required if AGENT_MODE is set to Syslog. The port of the Syslog server.
• FOLLOW_DEFAULT_LOGS= Optional. Follow (YES) or do not follow (NO) the Application, Security and System event logs. Default value is YES.
• FOLLOW_SYSTEM_STATS= Optional. Collect (YES) or do not collect (NO) system metrics (CPU, memory usage etc.). Default value is YES.
• FILTERS_FILE= Optional. Specifies the full path to a file that contains a list of files to be followed that are delimited by a | (vertical line), for example:

```
C:\PATH\TO\FILE1.log | FileName
C:\PATH\TO\FILE2.log | File2Name
```

• FOLLOW_LOG= Optional. Accepts a list of paths to files to be followed immediately after installation. The paths must be delimited by a semicolon, and wrapped in double quotes (").

NOTES:
• When using the FOLLOW_LOG parameter, wrap the value in double quotes ("): FOLLOW_LOG="C:\Program Files\install.log;C:\Logs\Windows 2012 R2 Web Server 03D2FC16\proc.log"
• FOLLOW_DEFAULT_LOGS= and FOLLOW_SYSTEM_STATS= require yes or no as the value, not True or False.
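
The parameter rules above can be checked before a deployment script ever calls install.bat, so that a bad combination fails loudly instead of leaving a host without log forwarding. The following is an added example, not code shipped with the agent: `New-AgentInstallCommand` is a hypothetical helper name, and the host, port and paths in the sample call are constructed placeholders.

```powershell
# Added example; New-AgentInstallCommand is a hypothetical helper, not shipped with the agent.
function New-AgentInstallCommand {
    param(
        [ValidateSet('direct', 'syslog', 'local')] [string]$AgentMode,
        [string]$AccountKey,
        [string]$GroupName,
        [string]$SyslogHost,
        [int]$SyslogPort,
        [ValidateSet('YES', 'NO')] [string]$FollowDefaultLogs,  # rejects True/False
        [ValidateSet('YES', 'NO')] [string]$FollowSystemStats,
        [string[]]$FollowLog
    )
    $a = @()
    if ($AgentMode) { $a += "AGENT_MODE=$AgentMode" }
    if ($AgentMode -eq 'syslog') {
        # Syslog mode: host and port are required, the account key is not.
        if (-not $SyslogHost -or $SyslogPort -lt 1 -or $SyslogPort -gt 65535) {
            throw 'syslog mode requires SYSLOG_HOST and a SYSLOG_PORT between 1 and 65535'
        }
        $a += "SYSLOG_HOST=$SyslogHost", "SYSLOG_PORT=$SyslogPort"
    }
    elseif ($AgentMode -ne 'local') {
        # Assumption: with AGENT_MODE omitted the key is needed, as in the basic example.
        if (-not $AccountKey) { throw 'ACCOUNT_KEY is required unless the mode is syslog or local' }
        $a += "ACCOUNT_KEY=$AccountKey"
    }
    # Assumption: the page documents no quoting for GROUP_NAME, so whitespace is refused.
    if ($GroupName -match '\s') { throw 'GROUP_NAME must not contain whitespace' }
    if ($GroupName) { $a += "GROUP_NAME=$GroupName" }
    if ($FollowDefaultLogs) { $a += "FOLLOW_DEFAULT_LOGS=$($FollowDefaultLogs.ToUpper())" }
    if ($FollowSystemStats) { $a += "FOLLOW_SYSTEM_STATS=$($FollowSystemStats.ToUpper())" }
    if ($FollowLog) {
        foreach ($p in $FollowLog) {
            # ; is the list delimiter and " wraps the value, so neither may appear in a path.
            if ($p -match '[;"]') { throw "FOLLOW_LOG path contains ; or a double quote: $p" }
        }
        $a += 'FOLLOW_LOG="{0}"' -f ($FollowLog -join ';')
    }
    'install.bat ' + ($a -join ' ')
}

# Constructed sample values (host, port and paths are placeholders).
New-AgentInstallCommand -AgentMode syslog -SyslogHost datahub.example.internal -SyslogPort 514 `
    -FollowSystemStats no -FollowLog 'C:\Program Files\install.log', 'C:\Logs\proc.log'
```

In direct mode the account key is part of the command line, so it is recorded wherever process command-line auditing is enabled; treat those logs and any deployment scripts as holding a credential.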

## Configuring the agent with the config file

If you have installed the Agent silently and set AGENT_MODE=local, you can configure the Agent to follow files based on its configuration file.

Use your text editor to browse for, and open the config file.

On 64-bit systems the default location is:

```
C:\Program Files (x86)\Logentries\Logentries Monitoring Agent\config
```

And on 32-bit systems:

```
C:\Program Files\Logentries\Logentries Monitoring Agent\config
```

Below is an example config file:

```
[Main]
user-key = your-account-key

[Application 1]
destination = logset/log
path = C:\path\to\log

[Application 2]
destination = logset/log
path = C:\path\to\log

[Application 3]
path = C:\path\to\log
token =
```


Where:

• [name] is an appropriate name for your log, placed within the square brackets
• destination is where the logs will be sent in the Logentries Web UI
• path is the local file path to the log to follow
• token is the log token for the destination log in the UI

Once you have entered this information in the Windows Agent’s configuration file and started the service, the Agent will check to see if the “destination” i.e. the Log Set called logset and Log called log exist in your Logentries account. If the “destination” already exists, the logs will be forwarded to the relevant log in your Logentries account. You can use either the destination field or the token field to declare where you’d like the log events to be routed to.

If the destination does not exist, the Agent will create the relevant LogSet/Log in your account and begin forwarding logs there. You can reuse this “destination” across multiple hosts/instances so that logs from different machines are sent to the same location in Logentries.

For information about using the Windows Agent with a Datahub see: https://docs.logentries.com/docs/windows-agent-datahub-forwarding

## Windows Event Logs

Users can follow Windows Event Logs via their configuration file by specifying the system-event keyword instead of the path keyword in their configuration.

The following is a list of available Windows Event Logs that can be followed via the configuration file.

• Application
• HardwareEvents
• Internet Explorer
• Key Management Service
• PreEmptive
• Security
• System
• TuneUp
• Windows PowerShell

An example configuration file would look like the following.

```
[Main]
user-key = your-account-key

[Application Event Log]
token = 04aa898d-d4cf-40a1-a827-b02e454645e2
system-event= Application

[Internet Explorer Logs]
token = 57ec5bd0-a5c1-4a28-bd06-3fff27517629
system-event= Internet Explorer

[Powershell Logs]
token = 93c0ec87-ae08-42be-bc13-9ee96d8b04ab
system-event= Windows PowerShell
```
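
A misspelled event log name or a section with no destination or token means those events are never forwarded, which is easy to miss until the Security log is needed. The linter below applies the rules from the two configuration sections above; it is an added example, not part of the agent, `Test-AgentConfig` is a hypothetical name, and the sample config is constructed with deliberate mistakes.

```powershell
# Added example; Test-AgentConfig is a hypothetical helper, not part of the agent.
$KnownEventLogs = 'Application', 'HardwareEvents', 'Internet Explorer', 'Key Management Service',
    'PreEmptive', 'Security', 'System', 'TuneUp', 'Windows PowerShell'

function Test-AgentConfig {
    param([string[]]$Lines)
    $sections = [ordered]@{}; $current = $null; $problems = @()
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if ($sections.Contains($current)) { $problems += "[$current] is defined twice" }
            $sections[$current] = @{}
        }
        elseif ($current -and $t -match '^([^=]+)=(.*)$') {
            $sections[$current][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    foreach ($name in $sections.Keys) {
        if ($name -eq 'Main') { continue }
        $s = $sections[$name]
        # A log section follows either a file (path) or an event log (system-event).
        $hasPath = [bool]$s['path']; $hasEvent = [bool]$s['system-event']
        if ($hasPath -eq $hasEvent) { $problems += "[$name] needs exactly one of path or system-event" }
        if ($hasEvent -and $s['system-event'] -notin $KnownEventLogs) {
            $problems += "[$name] unknown event log '$($s['system-event'])'"
        }
        # Routing is by destination or by token; an empty token counts as missing.
        if (-not $s['destination'] -and -not $s['token']) {
            $problems += "[$name] has neither a destination nor a token"
        }
        if ($s['destination'] -and $s['destination'] -notmatch '^[^/]+/[^/]+$') {
            $problems += "[$name] destination should have the form logset/log"
        }
    }
    $problems
}

# Constructed sample: an empty token and a misspelled event log name.
$sample = @'
[Main]
user-key = your-account-key
[IIS]
path = C:\path\to\log
token =
[Security Events]
system-event = Secuirty
destination = logset/log
'@ -split "`r?`n"
Test-AgentConfig -Lines $sample
```

To check a deployed agent, pass the file contents with `Get-Content` on the config path for that system; an empty result means no rule was violated.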


## Graphical interface installation

To begin the graphical interface installation download the most current Windows Agent zip. Once downloaded, extract the contents of the archive. Locate AgentSetup.exe in the Windows-Agent folder, right-click AgentSetup.exe and select “Run as Administrator.”

Run the install of the agent and click Next on the Welcome screen. On the next screen, specify the installation path and choose Next. On the login screen, supply your Logentries credentials to register the machine with your Logentries instance:

You’ll be prompted to choose between direct logging to Logentries or a Syslog server. The Syslog server option is for use with the Logentries DataHub platform. If you are installing the Windows Agent for use with the DataHub, please see the Datahub section of this document below. Otherwise, select “Direct to Logentries” and then click next. If you wish to use the agent in local mode and control settings with a config file please install the agent with the silent installation method (below).

You will then be presented with an Install dialog box where you can proceed with the Install. Click Finish once the Agent has installed.

# GUI Based Configuration

Select the tab appropriate to make the desired configuration changes.

• Agent Mode – Use this tab to change where your logs are sent. If you are configuring the Datahub you would need to alter these settings.
• Windows Logs – Follow or unfollow Windows system logs as well as system CPU/memory/disk/network.
• Text Logs – This tab will allow you to follow additional logs, beyond the Windows Events Logs.
• Processes – This tab will allow you to select processes you would like to follow the CPU, Memory, and Disk usage for. These statistics will be logged into the logentries-stats.log.

## Adding text logs with the graphic interface

The Text Logs tab of the graphic interface in the Windows Agent will allow you to follow additional logs, beyond the Windows Events Logs.

To add a log press the plus to the right. On the following screen enter the path to the log and the ID you would like to be associated with the data in the Logentries Web UI.

The Logentries Windows Agent has the ability to add logs that may rotate or change names (e.g., IIS Logs). To add a rotating log manually, use a wildcard in the name of the log as seen in the image below.

# Command Line

The Windows Agent has a set of command line functions that allow you to follow or remove logs that are to be followed. This makes it exceptionally easy for automation scripts written in Chef, Puppet, or other tools to rapidly deploy the agent to multiple machines. Included with the Agent after installation is an executable called AgentService.exe. This tool has the ability to follow and unfollow log files. For example: