How to install EventLog Analyzer Agent - Endpoint Central

Objective   

EventLog Analyzer requires agents in any of the following scenarios:
  • You want to monitor all changes (additions, deletions, and modifications) made to files and folders on Windows and Linux systems.
  • There are RPC connectivity issues between the log source and the EventLog Analyzer server.
  • EventLog Analyzer is deployed on a Linux operating system. In this case, installing the Windows agent is mandatory to collect Windows event logs.

Prerequisites   

To ensure optimal performance of the Windows Agent, the following system requirements must be met. The specifications vary based on the expected log flow rate, categorized into Low, Normal, and High flow environments.

Recommended System Specifications

| Specification | Low Flow (≤ 300 EPS) | Normal Flow (≤ 1500 EPS) | High Flow (≤ 3000 EPS) |
|---|---|---|---|
| Processor Cores | 4 | 6 | 12 |
| RAM | 8GB | 12GB | 16GB |
| Free disk space* | 20GB | 20GB | 20GB |
| CPU Architecture | 32/64bit | 32/64bit | 32/64bit |

*For environments using offline log collection, the available disk space must be at least 1 GB greater than the maximum size configured for the agent’s data directory.
 
Important Notes:
  • To prevent high RAM utilization on the device where the agent is installed, ensure that the total size of the evtx logs is equivalent to 20 minutes of log data. The time span a log covers can be calculated as the difference between the timestamps of its first and last log entries (the timestamps can be found in the Evtx channel).
  • To modify the log size, open Event Viewer > right-click the required channel > Log Properties, and then modify Maximum Log Size.
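
The calculation described in the notes above, as an added PowerShell example (not part of the original article or ManageEngine's tooling). The channel list is an assumption; replace it with the channels the agent collects, and run it from an elevated session so the Security channel is readable.

```powershell
# Added example (not ManageEngine code): estimate how many minutes of events each
# channel currently holds and what Maximum Log Size would hold about 20 minutes.
# Assumptions: the channel list below and an elevated session (needed for Security).
$Channels      = 'Security', 'System', 'Application'
$TargetMinutes = 20   # figure taken from the note above

foreach ($name in $Channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    if (-not $log.RecordCount) {
        Write-Warning "Channel '$name' is empty; nothing to measure."
        continue
    }

    # Get-WinEvent returns the newest event first; -Oldest reverses the order.
    $newest = Get-WinEvent -LogName $name -MaxEvents 1
    $oldest = Get-WinEvent -LogName $name -MaxEvents 1 -Oldest
    $spanMinutes = ($newest.TimeCreated - $oldest.TimeCreated).TotalMinutes
    if ($spanMinutes -le 0) {
        Write-Warning "Channel '$name' has no measurable time span yet."
        continue
    }

    # Average bytes written per minute over the span the file currently covers.
    $bytesPerMinute = $log.FileSize / $spanMinutes
    # Event Viewer accepts Maximum Log Size in 64 KB increments, so round up.
    $suggestedKB = [math]::Ceiling(($bytesPerMinute * $TargetMinutes) / 64KB) * 64

    [pscustomobject]@{
        Channel        = $name
        CurrentMaxKB   = [math]::Round($log.MaximumSizeInBytes / 1KB)
        FileSizeKB     = [math]::Round($log.FileSize / 1KB)
        MinutesCovered = [math]::Round($spanMinutes, 1)
        SuggestedMaxKB = $suggestedKB
    }
}
```

The result is an estimate based on the current file, so take the measurement during a period of typical or peak activity. When a channel is set to overwrite old events, a smaller log also shortens how long events stay on the endpoint if the agent is not running.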
Supported Operating Systems  
The EventLog Analyzer agent can be installed and run on the following operating systems:
Windows:  
  • Windows XP and above (Client OS)
  • Windows Server 2003 and above (Server OS)
  • Windows Workstation Windows 8 & above (Workstation OS)
Linux:  
  • Linux RedHat RHEL
  • Linux SuSE
  • Linux Fedora
  • Linux CentOS
  • Linux Ubuntu
  • Linux Debian

Steps to follow 

  For Windows:  
  1. In the Endpoint Central application, log in as the built-in admin and go to Software Deployment > Packages > Add Package.
  2. Select Windows and define:
    • Package Name: ELA Agent
    • Package Type: Select EXE / APPX / MSIEXEC / MSU
    • License Type: Select Commercial from the drop-down menu.
    • Locate installable: Upload MSI or specify shared path. (The msi file will be present in the following directory - <dir>: ManageEngine\EventLog Analyzer\lib\native)
  3. In the Install command field, enter:
msiexec.exe /i "EventLogAgent.msi" /qn /norestart /L*v "Agent_Install.log" SERVERNAME=<name> SERVERIPADDRESS=<ip> SERVERPORT=<port> SERVERPROTOCOL=<protocol> ENABLESILENT=yes ALLUSERS=1
  4. Click Add Package to save.
Note: The ENABLESILENT field is used to ensure that the installation runs silently, i.e., without user interaction.

  For Linux:        
Follow the installation steps given in the following article: Linux Software deployment | ManageEngine Endpoint Central

  Tips   
  • Use Agent-Based Collection for High-Volume Sources
    Deploy agents on devices that generate a high volume of logs to improve overall performance.
  • Ensure Agent Connectivity to the Server
    Confirm that the installed agents can communicate with the EventLog Analyzer server over the configured port (default: 8400). Use tools like telnet or Test-NetConnection for verification.
  • Monitor Agent Health Regularly
    Use the Manage Agents UI in EventLog Analyzer (Settings -> Admin Settings -> Management -> Agents) to monitor agent status, version, and last communication time. This ensures agents are up to date and functioning correctly.
  • Automate Deployment for Scalability
    For large environments, prefer using Group Policy Objects (GPOs), SCCM, or Endpoint Central to deploy agents in bulk, ensuring consistency and saving time. 
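
A post-deployment check for one endpoint, as an added PowerShell example (not part of the original article). It reads the result from the verbose MSI log written by the /L*v switch in the install command and tests the connection recommended in the tips. The server name and the log location are placeholders and assumptions; the command on this page writes Agent_Install.log with a relative path, so where it lands depends on the deployment's working directory.

```powershell
# Added example (not ManageEngine code): confirm the silent install finished and
# the endpoint can reach the EventLog Analyzer server.
# Assumptions: $Server is a placeholder, $InstallLog is wherever your deployment
# wrote Agent_Install.log; 8400 is the default port named on this page.
param(
    [string]$Server     = 'ela-server.example.local',
    [int]   $Port       = 8400,
    [string]$InstallLog = 'C:\Windows\Temp\Agent_Install.log'
)

# Standard Windows Installer result codes that are worth telling apart.
$msiMeaning = @{
    0    = 'Success'
    3010 = 'Success, restart required'
    1603 = 'Fatal error during installation'
    1618 = 'Another installation is already in progress'
}

# A verbose MSI log ends with "Installation success or error status: <code>".
$status = $null
if (Test-Path -LiteralPath $InstallLog) {
    $hit = Get-Content -LiteralPath $InstallLog |
        Select-String -Pattern 'Installation success or error status:\s*(\d+)' |
        Select-Object -Last 1
    if ($hit) { $status = [int]$hit.Matches[0].Groups[1].Value }
}

# TCP reachability from this endpoint to the server port.
$net = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue

$meaning = 'Install log not found or no status line'
if ($null -ne $status) {
    $meaning = 'See Windows Installer error codes'
    if ($msiMeaning.ContainsKey($status)) { $meaning = $msiMeaning[$status] }
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    MsiStatus     = $status
    MsiMeaning    = $meaning
    Server        = "${Server}:$Port"
    RemoteAddress = $net.RemoteAddress
    TcpReachable  = $net.TcpTestSucceeded
}
```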