How to install the EventLog Analyzer agent on Windows devices: Manual installation


Overview   

EventLog Analyzer requires agents in specific scenarios to ensure seamless log collection and file monitoring:
  • Windows file server monitoring: An agent is required to monitor files on Windows file servers.
  • RPC connectivity issues: An agent is required when RPC communication between the log source and the EventLog Analyzer server fails.
  • Air-gapped environment: An agent is required to collect logs from isolated networks and securely transfer them to the EventLog Analyzer server, as direct connectivity is not available.

Prerequisites   

To ensure optimal performance of the Windows agent, the following system requirements must be met. The specifications vary based on the expected log flow rate, categorized into Low, Normal, and High flow environments.
Recommended system specifications

                      Low flow         Normal flow      High flow
                      (≤ 300 EPS)      (≤ 1500 EPS)     (≤ 3000 EPS)
Processor cores       4                6                12
RAM                   8GB              12GB             16GB
Free disk space*      20GB             20GB             20GB
CPU architecture      32/64bit         32/64bit         32/64bit

*For environments using offline log collection, the available disk space must be at least 1GB greater than the maximum size configured for the agent’s data directory.
 
Important notes:
  • To prevent high RAM utilization on the agent-installed device, ensure that the maximum size of each evtx log channel holds roughly 20 minutes of log data. You can estimate this from the time difference between the first and last entries currently in the channel (the timestamps are visible in the evtx channel).
  • To modify log size, open Event Viewer > right click the required channel > Log Properties, and then modify Maximum Log Size.
Supported operating systems  
Windows:  
  • Windows XP and above (client OS)
  • Windows Server 2003 and above (server OS)

Steps to follow

Method 1

On the machine where the agent is about to be installed, open a browser and paste the following URL into the browser's address bar:
  • <eventlog_server>:<eventlog_server_port>/event/downloadMsi.nms?platform=windows
In the above URL:
<eventlog_server> is the name of the server on which EventLog Analyzer is installed.
<eventlog_server_port> is the web server port used by EventLog Analyzer (by default, Eventlog Analyzer uses web server port 8400 for HTTP).
For example: localhost:8400/event/downloadMsi.nms?platform=windows
  • EventLogAgent.msi will be downloaded automatically. Double-click EventLogAgent.msi to start installation.
  • After clicking Next in the welcome screen and the Confirm Installation dialog box, the following dialog box will be displayed. Enter the details and click OK.
An example image is provided below.
Note: You can get the server details using the Connection Settings tab (Settings > under System Settings, click Connection Settings) and the system diagnostics (Settings > under System Settings, click System Diagnostics) from the EventLog Analyzer UI. The images below are for your reference.
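The same Method 1 steps can be scripted for a single endpoint. The following PowerShell is an added example and is not part of ManageEngine's documentation or product: it downloads EventLogAgent.msi from the URL given above, compares its SHA-256 with a hash you take beforehand from the server's own copy in <dir>\ManageEngine\EventLog Analyzer\lib\native (the page's Method 2 location), and only then launches the interactive installer. The server name ela.example.internal, the $ExpectedSha256 placeholder and the log file path are assumptions; the web server port 8400 is the page's documented default.

```powershell
# Added example (not from the ManageEngine documentation): scripted form of Method 1.
# Assumptions: $Server/$Port point at the EventLog Analyzer web server (default HTTP port 8400)
# and $ExpectedSha256 is the SHA-256 of EventLogAgent.msi computed on the server from
# <dir>\ManageEngine\EventLog Analyzer\lib\native (placeholder value below).
param(
    [string]$Server         = 'ela.example.internal',   # assumed EventLog Analyzer host
    [int]$Port              = 8400,                     # documented default HTTP port
    [string]$ExpectedSha256 = '<SHA256-OF-EventLogAgent.msi-FROM-lib-native>'
)

# Refuse to run until a real hash has been supplied (64 hex characters).
if ($ExpectedSha256 -notmatch '^[0-9A-Fa-f]{64}$') {
    throw 'Set $ExpectedSha256 to the SHA-256 of the server-side EventLogAgent.msi first.'
}

$url  = "http://${Server}:${Port}/event/downloadMsi.nms?platform=windows"
$dest = Join-Path $env:TEMP 'EventLogAgent.msi'

# 1. Download the installer from the documented Method 1 URL.
Invoke-WebRequest -Uri $url -OutFile $dest -UseBasicParsing

# 2. Integrity check: the default download is plain HTTP, so verify the file against the
#    hash of the copy that lives on the EventLog Analyzer server before executing it.
$actual = (Get-FileHash -Path $dest -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Item -Path $dest -Force
    throw "Hash mismatch for EventLogAgent.msi (got $actual); refusing to install."
}

# 3. Start the installer interactively (same as double-clicking the MSI); the server-details
#    dialog described above appears as usual. A verbose MSI log is kept for troubleshooting.
$logPath = Join-Path $env:TEMP 'EventLogAgent-install.log'
Start-Process -FilePath 'msiexec.exe' `
    -ArgumentList "/i `"$dest`" /l*v `"$logPath`"" `
    -Wait
```

Get-FileHash and Invoke-WebRequest need PowerShell 3.0/4.0 or later, so on the older client and server OS versions listed under Supported operating systems you would compute the hash with certutil -hashfile instead. The hash comparison is what makes the unauthenticated HTTP download safe to execute; without it you are trusting whatever answered on port 8400.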
----------------------------------------------------------------------------------------------------------------------

Method 2

From the server where EventLog Analyzer is installed, navigate to <dir>\ManageEngine\EventLog Analyzer\lib\native (where <dir> is the product installation directory) and copy the EventLogAgent.msi file.
Paste and directly run the MSI file on the chosen Windows endpoints to install the EventLog Analyzer agent. The image below is for your reference.
Note: You can get the server details using the Connection Settings tab (Settings > under System Settings, click Connection Settings) and the system diagnostics (Settings > under System Settings, click System Diagnostics) from the EventLog Analyzer UI. The images below are for your reference.

  Tips   

  • Use agent-based collection for high-volume sources
    Deploy agents on devices that generate a high volume of logs to offload processing from the EventLog Analyzer server and improve overall performance.
  • Ensure agent connectivity to the server
    Confirm that the installed agents can communicate with the EventLog Analyzer server over the configured port (default: 8400). Use tools like Telnet or Test-NetConnection for verification.
  • Monitor agent health regularly
    Use the Manage Agents dashboard in EventLog Analyzer to monitor agent status, version, and last communication time. This ensures agents are up to date and functioning correctly.
  • Automate deployment for scalability
    For large environments, use GPOs, SCCM, or Endpoint Central to deploy agents in bulk, ensuring consistency and saving time.
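The connectivity tip above can be applied across a fleet rather than one host at a time. The following PowerShell is an added example, not ManageEngine's code: from an administrative workstation it runs a TCP probe on each agent host against the EventLog Analyzer web server port and reports which hosts cannot reach it. It assumes PowerShell remoting (WinRM) is enabled on the agent hosts and that the account running it may remote into them; the host names fs01, fs02 and ela.example.internal are assumptions, and port 8400 is the page's default. Because Test-NetConnection only exists on Windows 8 / Server 2012 and later, the probe falls back to a raw TcpClient connect on the older client and server versions the page lists as supported.

```powershell
# Added example (not from the ManageEngine documentation): fleet-wide check that each agent
# host can reach the EventLog Analyzer web server port. Assumes WinRM is enabled on the hosts.
param(
    [string[]]$AgentHosts = @('fs01', 'fs02'),        # assumed agent host names
    [string]$ElaServer    = 'ela.example.internal',   # assumed EventLog Analyzer host
    [int]$ElaPort         = 8400                      # documented default HTTP port
)

# Runs on each agent host. Uses Test-NetConnection where available and falls back to a
# plain TCP connect on OS versions that ship without it (e.g. Windows XP / Server 2003).
$probe = {
    param($Server, $Port)
    if (Get-Command Test-NetConnection -ErrorAction SilentlyContinue) {
        $ok = (Test-NetConnection -ComputerName $Server -Port $Port `
                   -WarningAction SilentlyContinue).TcpTestSucceeded
    } else {
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($Server, $Port); $ok = $true }
        catch   { $ok = $false }
        finally { $client.Close() }
    }
    # New-Object rather than [pscustomobject] so the block also runs under PowerShell 2.0.
    New-Object PSObject -Property @{
        AgentHost = $env:COMPUTERNAME
        Server    = $Server
        Port      = $Port
        Reachable = [bool]$ok
        CheckedAt = Get-Date
    }
}

$results = Invoke-Command -ComputerName $AgentHosts -ScriptBlock $probe `
               -ArgumentList $ElaServer, $ElaPort -ErrorAction Continue

$results | Select-Object AgentHost, Server, Port, Reachable, CheckedAt | Format-Table -AutoSize

# Hosts that fail here will never show a recent "last communication time" in Manage Agents,
# so fix the path (firewall, port, name resolution) before expecting logs from them.
$results | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.AgentHost) cannot reach ${ElaServer}:${ElaPort}"
}
```

Run it before a bulk deployment via GPO, SCCM or Endpoint Central and again afterwards: a host that is reachable by WinRM but reports Reachable = False has a path problem between it and the server on port 8400, which the Manage Agents dashboard will otherwise only surface as a stale last-communication time.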