How to install EventLog Analyzer Agent on Windows Devices using Microsoft SCCM

Overview

EventLog Analyzer requires agents in the following scenarios to ensure proper log collection and file monitoring:
  • Windows file server monitoring: An agent is required to monitor file activity on Windows file servers.
  • RPC connectivity issues: If RPC communication between the log source and the EventLog Analyzer server fails, an agent collects the logs locally and forwards them over the agent port (HTTP/HTTPS).
  • Air-gapped environments: An agent is required to collect logs from isolated networks and transfer them securely to the EventLog Analyzer server, since direct connectivity is not available.

Prerequisites

  1. MSI package availability
    • Ensure the EventLogAgent.msi file is available in a network-shared folder that the computer accounts of all target devices can read (the SCCM install runs as SYSTEM, so the share must grant access to the computer accounts, not only to users).
    • Default location: <EventLog Analyzer Installation Directory>\lib\native\
  2. Administrative privileges
    • The SCCM deployment account must have local administrator rights on all client machines.
  3. SCCM client installed
    • All target systems must have the SCCM client installed and active.
  4. Network accessibility
    • The client systems must have network access to the EventLog Analyzer server via the specified:
      • IP address / hostname
      • Port (default is 8400 for HTTP and 8445 for HTTPS)
      • Protocol (HTTP/HTTPS)
  5. Firewall/antivirus exceptions
    • Ensure that no firewall or antivirus setting blocks:
      • Execution of the MSI
      • Communication with the EventLog Analyzer server on the specified port
  6. Command line syntax validation
    • All properties passed on the command line (SERVERNAME, SERVERIPADDRESS, SERVERPORT, SERVERPROTOCOL) must be valid and match the actual server configuration; mismatched values leave the agent unable to contact the server.
  7. SCCM distribution and deployment settings
    • The application/package must be:
      • Distributed to the correct Distribution Points
      • Deployed with the "Install for system" context
      • Set to run whether or not a user is logged on
  8. Silent install compatibility
    • Ensure that the environment supports silent installations using the /qn (quiet mode) flag, with no user prompts.

General prerequisites

To ensure optimal performance of the Windows agent, the following system requirements must be met. The specifications vary with the expected log flow rate, categorized into Low, Normal, and High flow environments.

Recommended system specifications

                        Low Flow        Normal Flow      High Flow
                        (≤ 300 EPS)     (≤ 1500 EPS)     (≤ 3000 EPS)
  Processor cores       4               6                12
  RAM                   8 GB            12 GB            16 GB
  Free disk space*      20 GB           20 GB            20 GB
  CPU architecture      32/64-bit       32/64-bit        32/64-bit

*For environments using offline log collection, the available disk space must be at least 1 GB greater than the maximum size configured for the agent’s data directory.
 
Important Notes:
  • To prevent high RAM utilization on the device where the agent is installed, size each Evtx channel so that it holds roughly 20 minutes of log data. You can check this by comparing the timestamps of the oldest and newest entries currently in the channel (both are visible in Event Viewer).
  • To modify the log size, open Event Viewer, right-click the required channel, select Properties, and change Maximum Log Size.
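The following PowerShell script is an added example (not part of this article and not ManageEngine code) that measures how many minutes of events an Evtx channel currently holds, derives the maximum size that would correspond to the 20-minute target at the observed write rate, and, with -Apply, sets that size through wevtutil, which is the command-line equivalent of the Event Viewer setting above. The channel name, the 20-minute target and the 64 KB rounding are parameters/assumptions of the example; run it in an elevated PowerShell session, since reading the Security channel requires administrator rights.

```powershell
# Added example (not from the original article): estimate the Evtx channel size that
# holds roughly 20 minutes of events, and optionally apply it with wevtutil.
# Assumptions: elevated PowerShell; channel name and target window are parameters.
param(
    [string]$LogName       = 'Security',
    [int]   $TargetMinutes = 20,
    [switch]$Apply
)

$ErrorActionPreference = 'Stop'

# Current channel configuration: maximum size and the size of the on-disk .evtx file
$log = Get-WinEvent -ListLog $LogName
if (-not $log.FileSize) { throw "Channel '$LogName' has no log file to measure." }

# Oldest and newest records currently retained in the channel
$oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
if ($span.TotalMinutes -le 0) { throw "Channel '$LogName' holds too few events to measure a rate." }

# Bytes written per minute, from the file size and the time span it covers.
# If the channel has not yet wrapped, FileSize includes unused preallocated space,
# so the rate is an upper bound; re-run once the channel is full for a tighter figure.
$bytesPerMinute = $log.FileSize / $span.TotalMinutes
$targetBytes    = [int64]($bytesPerMinute * $TargetMinutes)
# Event Viewer accepts maximum sizes in 64 KB multiples; round up to the next boundary
$targetBytes    = [int64]([math]::Ceiling($targetBytes / 65536) * 65536)

[pscustomobject]@{
    LogName          = $LogName
    CurrentMaxMB     = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    CurrentFileMB    = [math]::Round($log.FileSize / 1MB, 1)
    MinutesRetained  = [math]::Round($span.TotalMinutes, 1)
    RecommendedMaxMB = [math]::Round($targetBytes / 1MB, 1)
}

if ($Apply) {
    # wevtutil sl sets the channel's maximum size; same setting as Event Viewer > Properties
    & wevtutil.exe sl $LogName /ms:$targetBytes
    if ($LASTEXITCODE -ne 0) { throw "wevtutil failed with exit code $LASTEXITCODE" }
}
```

Run it without -Apply first and compare MinutesRetained against the 20-minute target: a channel retaining hours of data is larger than the agent needs, while one retaining only a few minutes is being overwritten faster than the agent can read it.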
Supported operating systems  
Windows:  
  • Windows XP and above (Client OS)
  • Windows Server 2003 and above (Server OS)

Steps to follow

Step 1: Place the EventLogAgent.msi installer in a network-shared folder. You can get the file from the following location: <dir>: ManageEngine\EventLog Analyzer\lib\native.
Step 2: On the devices where the agent needs to be installed, execute the following command (for an SCCM deployment, this is the command line of the package program or application deployment type, run in the system context):

msiexec.exe /i "EventLogAgent.msi" /qn /norestart /L*v "Agent_Install.log" SERVERNAME=<server_name> SERVERIPADDRESS=<IP> SERVERPORT=<port> SERVERPROTOCOL=<protocol> ENABLESILENT=yes ALLUSERS=1

Example:
msiexec.exe /i "EventLogAgent.msi" /qn /norestart /L*v "Agent_Install.log" SERVERNAME="me-eventlog" SERVERIPADDRESS="10.51.241.163" SERVERPORT="8400" SERVERPROTOCOL="http" ENABLESILENT=yes ALLUSERS=1

Note: The ENABLESILENT property ensures that the installation runs silently, i.e., without user interaction. SERVERPORT and SERVERPROTOCOL must agree with each other and with the server configuration (by default 8400 with http, 8445 with https). The /L*v option writes a verbose install log, which is the first place to look when SCCM reports a non-zero exit code.
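The following script is an added example (not part of this article and not ManageEngine code) of a wrapper that an SCCM program or application deployment type can call instead of invoking msiexec directly. It checks the prerequisites listed above before installing (MSI reachable from the SYSTEM context, agent port open on the server, agent not already present), runs the same msiexec command line as in Step 2, and returns the msiexec exit code so that SCCM records success or failure correctly. The share path, the server values, and the uninstall-registry display-name pattern are assumptions of the example and must be adjusted for your deployment.

```powershell
# Added example (not from the original article): SCCM-friendly wrapper for the silent
# EventLogAgent.msi install. Assumed values: share path, server name/IP/port/protocol,
# and the DisplayName pattern used to detect an existing install.
param(
    [string]$MsiPath        = '\\fileserver\software\EventLogAgent\EventLogAgent.msi',  # assumed share
    [string]$ServerName     = 'me-eventlog',
    [string]$ServerIp       = '10.51.241.163',
    [int]   $ServerPort     = 8400,
    [ValidateSet('http','https')]
    [string]$ServerProtocol = 'http',
    [string]$LogPath        = "$env:ProgramData\EventLogAgent_Install.log"
)

$ErrorActionPreference = 'Stop'

# Pre-flight 1: the MSI must be readable from the SYSTEM context the SCCM client uses
if (-not (Test-Path -LiteralPath $MsiPath)) {
    Write-Error "MSI not found at $MsiPath (check share permissions for the computer account)"
    exit 2
}

# Pre-flight 2: the agent port on the EventLog Analyzer server must be reachable
if (-not (Test-NetConnection -ComputerName $ServerIp -Port $ServerPort -InformationLevel Quiet)) {
    Write-Error "Cannot reach $ServerIp on TCP $ServerPort; check firewall rules"
    exit 3
}

# Pre-flight 3: skip if the agent is already installed, so re-running the deployment is harmless
$installed = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like '*EventLog Analyzer*Agent*' }   # assumed DisplayName pattern
if ($installed) {
    Write-Output "Agent already installed: $($installed.DisplayName -join ', ')"
    exit 0
}

# Same command line as Step 2, built as an argument array so paths with spaces stay quoted
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    '/qn', '/norestart',
    '/L*v', "`"$LogPath`"",
    "SERVERNAME=$ServerName",
    "SERVERIPADDRESS=$ServerIp",
    "SERVERPORT=$ServerPort",
    "SERVERPROTOCOL=$ServerProtocol",
    'ENABLESILENT=yes',
    'ALLUSERS=1'
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru -NoNewWindow

# Standard msiexec return codes: 0 = success, 3010 = success but reboot required
switch ($proc.ExitCode) {
    0    { Write-Output 'Agent installed successfully' }
    3010 { Write-Output 'Agent installed; reboot pending' }
    default {
        Write-Error "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
        # The tail of the verbose log usually names the failing action or property
        Get-Content -LiteralPath $LogPath -Tail 20 -ErrorAction SilentlyContinue
    }
}
exit $proc.ExitCode
```

Invoke it from SCCM as `powershell.exe -ExecutionPolicy Bypass -NoProfile -File Install-EventLogAgent.ps1` with the deployment set to "Install for system" and to run whether or not a user is logged on. Exit codes 0 and 3010 are in SCCM's default success list, so the pre-flight failures (2 and 3) show up as failed deployments with a distinct code rather than as a generic msiexec error. Test-NetConnection requires Windows 8 / Server 2012 or later; on older supported clients, replace that check with telnet as described under Tips.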

Tips   

  • Use agent-based collection for high-volume sources
    Deploy agents on devices that generate a high volume of logs to offload processing from the EventLog Analyzer server and improve overall performance.
  • Ensure agent connectivity to the server
    Confirm that the installed agents can communicate with the EventLog Analyzer server over the configured port (default: 8400 for HTTP, 8445 for HTTPS). Use tools such as telnet or Test-NetConnection for verification.
  • Monitor agent health regularly
    Use the Manage Agents dashboard in EventLog Analyzer to monitor agent status, version, and last communication time. This ensures agents are up to date and functioning correctly.
  • Automate deployment for scalability
    For large environments, prefer using SCCM to deploy agents in bulk, ensuring consistency and saving time.