Installing the Windows Agent allows our customers to follow logs on Windows-based servers or workstations, as well as send system information from the machines to be displayed in the Logentries Web UI.
- Allows you to send your logs to Logentries with a quick installation and registration process.
- Can be deployed silently through the command line or through a graphical interface.
- Easily follow and unfollow logs
- Seamlessly integrate with Datahub
The Windows Agent can be configured to operate in one of the following three modes:
- Direct: Send logs to Logentries. Available during graphic installation and silent installations.
- Syslog: Send logs via syslog to an endpoint. Use this option when configuring the agent for use with the Datahub. Available during graphic installation and silent installations.
- Local: Use local configuration file to specify log files to follow. Available only during silent installations.
The two primary ways to install the Logentries Windows Agent are below:
- Command Line Installation – Ideal for automating many installations. Required installation method if you wish to use the agent in local mode and control settings with a config file.
- Graphical Interface Installation – Easiest to get set up.
- install.bat – When executed this batch file will prompt you through the installation of the Windows Agent. If the batch file is passed proper parameters when called it can install the Windows Agent silently.
- AgentSetup.msi – A Microsoft Software Installer file for use with the install.bat script.
In order to perform a silent installation, you must pass the proper parameters when calling install.bat. The installation requires administrator privileges.
Before performing the installation, you must obtain the Account Key from your Logentries account. For more information on finding your account please see this help document.
A basic silent installation would be as follows:
You can also specify the following additional parameters.
- AGENT_MODE= Optional. Sets the mode the Agent will start in. Options are:
  - direct (Send logs to Logentries)
  - syslog (Send logs via syslog to an endpoint. Use this option when configuring the agent for use with the Datahub. Note: syslog host and port must be set but account key does not need to be passed)
  - local (Use local configuration file to specify log files to follow. Note: No need to specify Account Key when running .bat file in local mode)
- GROUP_NAME = Optional. The name of the new log set that will be created. If unspecified the batch file will automatically pass the local host name of the machine.
- SYSLOG_HOST= Required if AGENT_MODE is set to Syslog. The address of the Syslog server (Linux or DataHub).
- SYSLOG_PORT= Required if AGENT_MODE is set to Syslog. The port of the Syslog server.
- FOLLOW_DEFAULT_LOGS= Optional. Follow (YES) or do not follow (NO) the Application, Security and System event logs. Default value is YES.
- FOLLOW_SYSTEM_STATS= Optional. Collect (YES) or do not collect (NO) system metrics (CPU, memory usage, etc.). Default value is YES.
- FILTERS_FILE= Optional. Specifies the full path to a file that contains a list of files to be followed that are delimited by a | (vertical line), for example:
C:\PATH\TO\FILE1.log | FileName
C:\PATH\TO\FILE2.log | File2Name
- FOLLOW_LOG= Optional. Accepts a list of paths to files to be followed immediately after installation. The paths must be delimited by a semicolon, and wrapped in double quotes (").
- When using the FILTERS_FILE parameter the full path to the file must be specified: FILTERS_FILE=C:\Users\Administrator\Downloads\Windows-Agent\filterfile.txt
- When using the FOLLOW_LOG parameter please use " to wrap the value: FOLLOW_LOG="C:\Program Files\install.log;C:\Logs\Windows 2012 R2 Web Server 03D2FC16\proc.log"
- The installation requires administrator privileges. The INSTALL.BAT will automatically ask for administrative rights.
- FOLLOW_DEFAULT_LOGS= and FOLLOW_SYSTEM_STATS= require a yes or no as the value and not True or False.
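A pre-flight check that deployment automation can run over a parameter set before calling install.bat on many machines. This is an added example, not Logentries code: the function name, passing the account key as a separate argument (this page does not show how it is passed), the default mode and the case-insensitive comparison are all assumptions.

```python
from pathlib import PureWindowsPath

MODES = {"direct", "syslog", "local"}

def check_install_params(params, account_key=None):
    """Return (errors, warnings) for a dict keyed by the parameter names above."""
    errors, warnings = [], []
    # Assumptions: the mode defaults to direct and values are case-insensitive.
    mode = params.get("AGENT_MODE", "direct").lower()
    if mode not in MODES:
        errors.append(f"AGENT_MODE={mode!r} is not direct, syslog or local")
    if mode == "syslog":
        for name in ("SYSLOG_HOST", "SYSLOG_PORT"):
            if not params.get(name):
                errors.append(f"{name} is required when AGENT_MODE=syslog")
        port = params.get("SYSLOG_PORT", "")
        if port and not (port.isdecimal() and 0 < int(port) < 65536):
            errors.append(f"SYSLOG_PORT={port!r} is not a valid port")
    elif mode == "direct" and not account_key:
        errors.append("direct mode needs the account key")
    for name in ("FOLLOW_DEFAULT_LOGS", "FOLLOW_SYSTEM_STATS"):
        value = params.get(name)
        if value is not None and value.upper() not in ("YES", "NO"):
            errors.append(f"{name}={value!r} must be YES or NO, not True/False")
    # Turning the default logs off also stops collection of the Security event log.
    if params.get("FOLLOW_DEFAULT_LOGS", "YES").upper() == "NO":
        warnings.append("Application, Security and System event logs will not be followed")
    filters_file = params.get("FILTERS_FILE")
    if filters_file and not PureWindowsPath(filters_file).is_absolute():
        errors.append("FILTERS_FILE must be a full path")
    follow_log = params.get("FOLLOW_LOG")
    if follow_log is not None:
        if not (len(follow_log) >= 2 and follow_log[0] == follow_log[-1] == '"'):
            errors.append("FOLLOW_LOG must be wrapped in double quotes")
        elif not all(p.strip() for p in follow_log[1:-1].split(";")):
            errors.append("FOLLOW_LOG has an empty path between semicolons")
    return errors, warnings

# Constructed sample: a syslog-mode parameter set with three mistakes.
SAMPLE_PARAMS = {
    "AGENT_MODE": "syslog",
    "SYSLOG_HOST": "datahub.example.internal",
    "FOLLOW_DEFAULT_LOGS": "False",
    "FILTERS_FILE": "filterfile.txt",
    "FOLLOW_LOG": '"C:\\Program Files\\install.log;C:\\Logs\\proc.log"',
}
```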
If you have installed the Agent silently and set AGENT_MODE=local, then you can configure the Agent to follow files based on its configuration file.
To edit the config file, please run Notepad (or another editor) as an Administrator.
Use your text editor to browse for, and open the config file.
On 64-bit systems the default location is:
C:\Program Files (x86)\Logentries\Logentries Monitoring Agent\config
And on 32-bit systems:
C:\Program Files\Logentries\Logentries Monitoring Agent\config
Below is an example config file:
[Main]
user-key = your-account-key

[Application 1]
destination = logset/log
path = C:\path\to\log

[Application 2]
destination = logset/log
path = C:\path\to\log

[Application 3]
path = C:\path\to\log
token =
- [name] is an appropriate name for your log, placed within the square brackets
- destination is where the logs will be sent in the Logentries Web UI
- path is the local file path to the log to follow
- token is the log token for the destination log in the UI
Once you have entered this information in the Windows Agent’s configuration file and started the service, the Agent will check to see if the “destination” i.e. the Log Set called logset and Log called log exist in your Logentries account. If the “destination” already exists, the logs will be forwarded to the relevant log in your Logentries account. You can use either the destination field or the token field to declare where you’d like the log events to be routed to.
If the destination does not exist, the Agent will create the relevant LogSet/Log in your account and begin forwarding logs there. You can reuse this “destination” across multiple hosts/instances so that logs from different machines are sent to the same location in Logentries.
For information about using the Windows Agent with a Datahub see: https://docs.logentries.com/docs/windows-agent-datahub-forwarding
Users can follow Windows Event Logs via their configuration file by specifying the system-event keyword instead of the path keyword in their configuration.
The following is a list of available Windows Event Logs that can be followed via the configuration file.
- Internet Explorer
- Key Management Service
- Windows PowerShell
An example configuration file would look like the following.
[Main]
user-key = your-account-key

[Application Event Log]
token = 04aa898d-d4cf-40a1-a827-b02e454645e2
system-event = Application

[Internet Explorer Logs]
token = 57ec5bd0-a5c1-4a28-bd06-3fff27517629
system-event = Internet Explorer

[Powershell Logs]
token = 93c0ec87-ae08-42be-bc13-9ee96d8b04ab
system-event = Windows PowerShell
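A linter for the local-mode config file that applies the rules from both passages above (path or system-event as the source, destination or token as the target), so a broken file is caught before it is pushed to a fleet and a log silently goes uncollected. This is an added example, not part of the agent: the function name, the UUID shape check on tokens (inferred from the sample tokens) and treating user-key as required are assumptions.

```python
import configparser
import re

TOKEN_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def lint_agent_config(text):
    """Return a list of problems found in a local-mode agent config."""
    # '=' is the only delimiter so the ':' in C:\... is never read as one.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    try:
        cp.read_string(text)
    except configparser.Error as exc:  # duplicate sections or keys, stray lines
        return [f"parse error: {type(exc).__name__}"]
    problems = []
    key = cp.get("Main", "user-key", fallback="")
    if not key or key == "your-account-key":
        problems.append("[Main] user-key is missing or still the placeholder")
    for name in cp.sections():
        if name == "Main":
            continue
        sec = cp[name]
        has_path = bool(sec.get("path", "").strip())
        has_event = bool(sec.get("system-event", "").strip())
        if has_path == has_event:
            problems.append(f"[{name}] needs exactly one of path or system-event")
        dest = sec.get("destination", "").strip()
        token = sec.get("token", "").strip()
        if not dest and not token:
            problems.append(f"[{name}] has neither destination nor token")
        if dest and not re.fullmatch(r"[^/]+/[^/]+", dest):
            problems.append(f"[{name}] destination should be logset/log")
        if token and not TOKEN_RE.match(token):
            problems.append(f"[{name}] token is not UUID-shaped")
    return problems

# Constructed sample config with three problems (paths and token are made up).
SAMPLE_CONFIG = r"""
[Main]
user-key = your-account-key

[IIS]
destination = web/iis
path = C:\inetpub\logs\LogFiles\W3SVC1\*.log

[PowerShell Events]
token = 00000000-0000-4000-8000-000000000000
system-event = Windows PowerShell
path = C:\logs\ps.log

[App]
path = C:\logs\app.log
token =
"""
```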
To begin the graphical interface installation download the most current Windows Agent zip. Once downloaded, extract the contents of the archive. Locate AgentSetup.exe in the Windows-Agent folder, right-click AgentSetup.exe and select “Run as Administrator.”
Run the install of the agent and click Next on the Welcome screen. On the next screen, specify the installation path and choose Next. On the login screen, supply your Logentries credentials to register the machine with your Logentries instance.
You’ll be prompted to choose between direct logging to Logentries or a Syslog server. The Syslog server option is for use with the Logentries DataHub platform. If you are installing the Windows Agent for use with the DataHub, please see the Datahub section of this document below. Otherwise, select “Direct to Logentries” and then click Next. If you wish to use the agent in local mode and control settings with a config file, please install the agent with the silent installation method (below).
You will then be presented with an Install dialog box where you can proceed with the Install. Click Finish once the Agent has installed.
Open the “Logentries Agent Settings” application from your Start Menu.
Select the tab appropriate to make the desired configuration changes.
- Agent Mode – Use this tab to change where your logs are sent. If you are configuring the Datahub you would need to alter these settings.
- Windows Logs – Follow or unfollow Windows system logs as well as system CPU/memory/disk/network.
- Text Logs – This tab will allow you to follow additional logs, beyond the Windows Events Logs.
- Processes – This tab will allow you to select processes you would like to follow the CPU, Memory, and Disk usage for. These statistics will be logged into the logentries-stats.log.
The Text Logs tab of the graphic interface in the Windows Agent will allow you to follow additional logs, beyond the Windows Events Logs.
To add a log press the plus to the right. On the following screen enter the path to the log and the ID you would like to be associated with the data in the Logentries Web UI.
The Logentries Windows Agent has the ability to add logs that may rotate or change names (e.g., IIS Logs). To add a rotating log manually, use a wildcard in the name of the log as seen in the image below.
The Windows Agent has a set of command line functions that allow you to follow or remove logs that are to be followed. This makes it exceptionally easy for automation scripts written in Chef, Puppet, or other tools to rapidly deploy the agent to multiple machines. Included with the Agent after installation is an executable called AgentService.exe. This tool has the ability to follow and unfollow log files. For example:
AgentService.exe follow c:\logs\log1.txt
AgentService.exe remove c:\logs\logABC.txt
The above two commands will add log1.txt and remove logABC.txt.
If you are in the same directory as the text or log file then you do not need to specify the full path.