How to install the EventLog Analyzer agent on Windows devices using a GPO

Overview   

EventLog Analyzer requires agents in specific scenarios to ensure seamless log collection and file monitoring:
  • Windows file server monitoring: An agent is required to monitor files on Windows file servers.
  • RPC connectivity issues: An agent is required when RPC communication between the log source and the EventLog Analyzer server fails.
  • Air-gapped environment: An agent is required to collect logs from isolated networks and securely transfer them to the EventLog Analyzer server, as direct connectivity is not available.

Prerequisites   

For the Group Policy Management Console:
  • Have the Group Policy Management feature installed on a computer running Windows Server or a Windows client operating system.
  • Have permissions to edit, delete, and modify security permissions for the GPO.
  • To link GPOs, you need the modify permission on that site, domain, or OU. By default, only Domain Administrators and Enterprise Administrators have this permission.
  • Users and groups with permission to link GPOs to a specific site, domain, or OU can link GPOs; change link order; and set block inheritance on that site, domain, or OU.
For adding the agent installation file:
Place the following files in a network share that the target computer accounts can read. A startup script runs under the computer's SYSTEM account before any user logs on, so the share and NTFS permissions should grant Read to the computer accounts (for example, Domain Computers) and restrict write access to administrators; anyone who can modify these two files can run code as SYSTEM on every computer the GPO targets.
  • InstallEventLogAgent.vbs [path: <Installation Directory>\ManageEngine\EventLog Analyzer\tools\scripts]
  • EventLogAgent.msi [path: <Installation directory>:\EventLog Analyzer\lib\native]
General prerequisites:
To ensure optimal performance of the Windows agent, the following system requirements must be met. The specifications vary based on the expected log flow rate, categorized into Low, Normal, and High flow environments.
Recommended system specifications

Specification          Low flow          Normal flow        High flow
                       (≤ 300 EPS)       (≤ 1500 EPS)       (≤ 3000 EPS)
Processor cores        4                 6                  12
RAM                    8 GB              12 GB              16 GB
Free disk space*       20 GB             20 GB              20 GB
CPU architecture       32/64-bit         32/64-bit          32/64-bit

*For environments using offline log collection, the available disk space must be at least 1GB greater than the maximum size configured for the agent’s data directory.
 
Important notes:
  • To keep the agent's RAM utilization in check on the device it is installed on, size each monitored .evtx channel so that it holds roughly 20 minutes of log data. Measure this as the difference between the timestamps of the oldest and the newest entries currently in the channel (both visible in Event Viewer); if the channel holds much more than 20 minutes, reduce its maximum size.
  • To modify log size, open Event Viewer > right click the required channel > Log Properties, and then modify Maximum Log Size.
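The following PowerShell is an added example and is not part of the EventLog Analyzer documentation. Run on the computer that will receive the agent, it measures the time span each channel currently covers, derives the write rate, and computes a maximum log size that holds about 20 minutes of events. The list of channels is an assumption; use the channels the agent is configured to collect. The wevtutil command it prints sets the same Maximum Log Size that the Event Viewer dialog above exposes.

```powershell
# Added example (not from the EventLog Analyzer documentation): size event log
# channels to roughly 20 minutes of data, as the note above recommends.
$TargetMinutes = 20
$Channels = 'Application', 'Security', 'System'   # assumption: channels the agent collects

foreach ($name in $Channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    if ($log.RecordCount -lt 2) { "$name : too few records to measure"; continue }

    # The oldest and newest records bound the time span the current file covers.
    $oldest  = (Get-WinEvent -LogName $name -Oldest -MaxEvents 1).TimeCreated
    $newest  = (Get-WinEvent -LogName $name -MaxEvents 1).TimeCreated
    $spanMin = [math]::Max(($newest - $oldest).TotalMinutes, 1)

    # Bytes written per minute, extrapolated to the target window and rounded up
    # to the 64 KB granularity Event Viewer enforces for Maximum Log Size. The
    # current file size is used as the data volume, so this is an estimate that
    # is most accurate once a channel has filled and started overwriting.
    $bytesPerMin = $log.FileSize / $spanMin
    $recommended = [math]::Ceiling(($bytesPerMin * $TargetMinutes) / 65536) * 65536
    $recommended = [long][math]::Max([double]$recommended, 1MB)   # Event Viewer minimum is 1024 KB

    [pscustomobject]@{
        Channel       = $name
        SpanMinutes   = [math]::Round($spanMin, 1)
        CurrentMaxMB  = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        RecommendedMB = [math]::Round($recommended / 1MB, 1)
        # wevtutil sl <channel> /ms:<bytes> changes Maximum Log Size without the GUI.
        Command       = "wevtutil sl `"$name`" /ms:$recommended"
    }
}
```

Run it from an elevated prompt (the Security channel is only readable by administrators). A channel whose SpanMinutes is far above 20 is a candidate for a smaller maximum size; one far below 20 is already wrapping faster than the rule assumes and should be enlarged, or its noisiest audit subcategories reviewed.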
Supported operating systems  
Windows:  
  • Windows XP and above (client OS)
  • Windows Server 2003 and above (server OS)

Steps to follow

Step 1: Create a GPO  
  • Open Group Policy Management.
  • Right-click Group Policy Objects > New > name the GPO.


Step 2: Configure the startup script  
  • Right-click the GPO and select Edit.
    • Windows Server 2003: navigate to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
    • Windows Server 2008 and later: navigate to Computer Configuration > Policies > Windows Settings > Scripts (Startup/Shutdown).
  • Double-click Startup and click Add. In the Add Script dialog box, click Browse and select InstallEventLogAgent.vbs from the network share as the Script Name, then enter the following as the Script Parameters, replacing the placeholders with the UNC path of your share and the details of your EventLog Analyzer server:
/MSIPATH:"\\<share>\EventLogAgent.msi" /SERVERNAME:"<ELA server>" /SERVERIPADDRESS:"<IP>" /SERVERPORT:"8400" /SERVERPROTOCOL:"http"

  • Click Apply and then OK.
Step 3: Admin template settings  
  • In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Administrative Templates > System > Scripts (on Windows Server 2003, Computer Configuration > Administrative Templates > System > Scripts).
  • In the right pane of the GPO Editor, double-click Run logon scripts synchronously and enable it.
  • Click Apply and then OK.
 
  • Similarly, enable Specify maximum wait time for Group Policy scripts.
  • Then, navigate to Logon under System.
  • In the right pane, double-click Always wait for the network at startup and logon and enable it.
  • Click Apply and then OK.
 
  • Then, navigate to Group Policy under System.
  • In the right pane, double-click Group Policy slow link detection and enable it.
  • Click Apply and then OK.
 
Step 4: Apply the GPO  
  • In Group Policy Management, select the GPO you are working on, open the Delegation tab, and click Advanced to open its security settings.
  • In the Security tab, clear the Apply Group Policy permission for Authenticated Users. Leave their Read permission in place: since the MS16-072 update, computer accounts must be able to read a GPO (through Authenticated Users or Domain Computers) for it to be processed at all.
  • Click Add, and in the dialog box that appears, click Object Types.
 
 
  • If you want to apply the GPO to computers directly, ensure Computers is selected and then click OK. For applying it to a group, ensure Groups is selected and then click OK.
  • Enter the name of the desired computer(s) and/or group(s) and click Check Names.
  • Select the desired computer(s) and/or group(s) and click OK to return to the properties dialog box.
 

In the Security tab, apply the following permissions to the selected group(s) and/or computer(s):
(i) Read > Allow
(ii) Apply Group Policy > Allow

 
  • Click Apply and then OK.
  • Right-click the domain and click Link an Existing GPO....

  • Now select the GPO you are working on and click OK.
  • Restart the target computers. The startup script runs during boot, before logon, and installs the agent from the share.
Note: After the agent has been installed through the GPO, disable, unlink, or delete the GPO; otherwise the startup script runs again at every startup.
Tip: To install the agent on multiple computers in one go, create an AD group and add all the computers on which the agent needs to be installed to the group. Then, apply the GPO to that group.
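The PowerShell below is an added example, not part of the EventLog Analyzer documentation. It performs Steps 1, 3 and 4 with the GroupPolicy and ActiveDirectory modules and stages the two installer files on a share with the permissions a startup script needs (administrators write, computer accounts read). Step 2, the startup-script entry itself, is still added in the Group Policy Management Editor; the script prints the script path and parameter string to paste there. The GPO name, group name, share path, installation directory, example computer name and server details are placeholders for this example, and the Administrative Template settings of Step 3 are written as the registry policies that back them.

```powershell
# Added example (not from the EventLog Analyzer documentation): stage the agent
# files and build the deployment GPO of Steps 1, 3 and 4. Run on a domain-joined
# management host as a Domain Admin.
#Requires -Modules GroupPolicy, ActiveDirectory
$ErrorActionPreference = 'Stop'

$GpoName     = 'Deploy EventLog Analyzer Agent'      # assumed GPO name
$TargetGroup = 'ELA-Agent-Targets'                   # assumed AD group of target computers
$ElaHome     = 'C:\ManageEngine\EventLog Analyzer'   # assumed EventLog Analyzer install directory
$SharePath   = 'C:\Shares\ELAAgent'                  # assumed local folder backing the share
$ShareName   = 'ELAAgent'
$ElaServer   = 'ela-server.corp.example.com'         # assumed server FQDN
$ElaIp       = '10.0.0.25'                           # assumed server IP
$DomainDN    = (Get-ADDomain).DistinguishedName
$Computers   = "$env:USERDOMAIN\Domain Computers"

# --- Stage the files. The startup script runs as SYSTEM on every target, so only
# administrators may write here; computer accounts get read/execute only.
New-Item -ItemType Directory -Path $SharePath -Force | Out-Null
Copy-Item "$ElaHome\tools\scripts\InstallEventLogAgent.vbs" $SharePath
Copy-Item "$ElaHome\lib\native\EventLogAgent.msi" $SharePath
icacls $SharePath /inheritance:r /grant "$env:USERDOMAIN\Domain Admins:(OI)(CI)F" `
    /grant 'SYSTEM:(OI)(CI)F' /grant "${Computers}:(OI)(CI)RX" | Out-Null
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess "$env:USERDOMAIN\Domain Admins" -ReadAccess $Computers | Out-Null

# --- Step 1 (and the Tip): the GPO and the group it is filtered to. A computer
# picks up new group membership only after its next reboot, so add members
# before restarting the targets.
New-ADGroup -Name $TargetGroup -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $TargetGroup -Members (Get-ADComputer 'FS01')   # assumed computer name
New-GPO -Name $GpoName -Comment 'Installs the EventLog Analyzer agent at startup; unlink after rollout.' | Out-Null

# --- Step 3: the Administrative Template settings, as their registry policies.
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'RunLogonScriptSync' -Type DWord -Value 1              # Run logon scripts synchronously
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'MaxGPOScriptWait' -Type DWord -Value 600              # Max wait for GP scripts (seconds)
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' `
    -ValueName 'SyncForegroundPolicy' -Type DWord -Value 1            # Always wait for the network
Set-GPRegistryValue -Name $GpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'GroupPolicyMinTransferRate' -Type DWord -Value 500    # Slow link detection (kbps)

# --- Step 4: security filtering and link. Authenticated Users keep Read but lose
# Apply (computers must still read the GPO after MS16-072); only the target
# group receives Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $TargetGroup -TargetType Group -PermissionLevel GpoApply | Out-Null
New-GPLink -Name $GpoName -Target $DomainDN -LinkEnabled Yes | Out-Null

# --- Step 2 is done in the editor; these are the values to paste into Add Script.
$unc = "\\$env:COMPUTERNAME\$ShareName"
"Script Name      : $unc\InstallEventLogAgent.vbs"
"Script Parameters: /MSIPATH:`"$unc\EventLogAgent.msi`" /SERVERNAME:`"$ElaServer`" /SERVERIPADDRESS:`"$ElaIp`" /SERVERPORT:`"8400`" /SERVERPROTOCOL:`"http`""
```

After pasting the printed values in Step 2 and restarting the members of the target group, the GPO can be unlinked (Remove-GPLink) so the installer does not run at every startup.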
 

 Tips   

  • Use agent-based collection for high-volume sources
    Deploy agents on devices that generate a high volume of logs to offload processing from the EventLog Analyzer server and improve overall performance.
  • Ensure agent connectivity to the server
    Confirm that the installed agents can communicate with the EventLog Analyzer server over the configured port (default: 8400). Use tools such as telnet or Test-NetConnection for verification.
  • Monitor agent health regularly
    Use the Manage Agents dashboard in EventLog Analyzer to monitor agent status, version, and last communication time. This ensures agents are up to date and functioning correctly.
  • Automate deployment for scalability
    For large environments, use GPOs to deploy agents in bulk, ensuring consistency and saving time.
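The PowerShell below is an added example and not part of the EventLog Analyzer documentation. Run on a target computer after the restart, it checks the points the tips above raise: whether the deployment GPO applied, whether the MSI installed, whether the agent service is running, whether the server port is reachable, and whether msiexec logged a failure. The GPO name, the agent's display-name patterns and the server name are assumptions; adjust them to your environment.

```powershell
# Added example (not from the EventLog Analyzer documentation): post-rollout
# checks on a computer that should have received the agent.
param(
    [string]$ElaServer = 'ela-server.corp.example.com',   # assumed server FQDN
    [int]$ElaPort      = 8400,                            # agent port, 8400 by default
    [string]$GpoName   = 'Deploy EventLog Analyzer Agent' # assumed GPO name
)

# 1. Did the GPO apply in computer scope? gpresult lists applied GPOs by name.
$applied = (gpresult /scope computer /r) -match [regex]::Escape($GpoName)
"GPO applied : $([bool]$applied)"

# 2. Is the MSI installed? Read both Uninstall hives instead of Win32_Product,
#    which triggers a consistency check of every MSI package on the host.
$keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*EventLog*Agent*' }   # assumed display-name pattern
"Installed   : $(if ($agent) { "$($agent.DisplayName) $($agent.DisplayVersion)" } else { 'not found' })"

# 3. Is the agent service running? (assumed to be identifiable by display name)
$svc = Get-Service | Where-Object { $_.DisplayName -like '*EventLog*' }
"Service     : $(if ($svc) { ($svc | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ' } else { 'not found' })"

# 4. Can this host reach the server on the agent port? This is the
#    Test-NetConnection check the tip describes; SourceAddress shows which
#    interface the agent traffic will leave from.
$tnc = Test-NetConnection -ComputerName $ElaServer -Port $ElaPort -WarningAction SilentlyContinue
"Port $ElaPort   : $(if ($tnc.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' }) from $($tnc.SourceAddress.IPAddress)"

# 5. Did the startup-time msiexec run succeed? MsiInstaller logs 11707 on a
#    successful install and 11708 on a failed one to the Application log.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 11707, 11708 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*EventLog*' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
```

A computer that shows the GPO as applied but no 11707/11708 event usually did not reach the share during boot; the "Always wait for the network" setting from Step 3 and the share permissions from the prerequisites are the first things to re-check.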