Devo Agent for Windows events sending

The Devo Agent for Windows contains the following components:


MagicLog Monitors log files.
MagicEvent Enables the remote monitoring of Windows systems using WMI (Windows Management Instrumentation). For more information about WMI, see WMI interface.
MonitorService Monitors Windows system performance.
ProxyServerContainer Enables communication for sending events to the Devo In-house Relay or directly to the Devo data node.

The Snare agent collects the events in the Windows Event Logs and sends them over UDP. This is an optional component and is not included in the Devo agent installation package. If you need to use it, see the Windows Snare agent article.

Process base priority

The default installation directory is C:\Program Files (x86)\DevoAgents. All the configuration files can be found in the installation directory.

When opening the MagicEvent.Settings.config, MagicLog.Settings.config or ProxyServerContainer.Settings.config files, the base priority of the processes can be found in the following section of the file:

<!-- PROCESS START -->
<add key="StartOptions" value="B"/>

The supported StartOptions values for the processes are:

  • “B” - Start the process with its priority set to below normal. This setting is recommended for all critical and high-load Windows servers when sending log files using MagicLog. The setting affects the event sending rate, and a small delay might occur during high-load peaks. No data will be discarded.
  • “N” - Start the process with its priority set to normal. This setting could be used, for example, when events need to be sent as close to real time as possible.
  • The default value for all processes is “B” - Below normal.

To check the current value, open Task Manager and look at the priority shown in the process details.
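
The following PowerShell script is an added example and is not part of the Devo documentation: it reads the StartOptions value from each of the three settings files named above and compares it with the priority class of the matching running process. It assumes the default installation directory and that each process name matches its component name (for example MagicEvent.exe).

```powershell
# Added example (not Devo's own code): compare the configured StartOptions value
# with the actual priority class of each agent process.
# Assumptions: default install directory; process names match component names.
# Run from an elevated prompt, since the agent services run as a different user.
$installDir = 'C:\Program Files (x86)\DevoAgents'
$components = 'MagicEvent', 'MagicLog', 'ProxyServerContainer'

# StartOptions letter (as documented above) -> Windows priority class
$expected = @{ 'B' = 'BelowNormal'; 'N' = 'Normal' }

foreach ($name in $components) {
    $cfg = Join-Path -Path $installDir -ChildPath "$name.Settings.config"
    if (-not (Test-Path -Path $cfg)) { Write-Warning "Missing $cfg"; continue }

    # The settings file is XML; pick the <add key="StartOptions" .../> element.
    [xml]$xml = Get-Content -Path $cfg -Raw
    $node = $xml.SelectSingleNode("//add[@key='StartOptions']")
    $opt  = if ($node) { $node.value.ToUpper() } else { 'B' }   # documented default

    $proc = Get-Process -Name $name -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) {
        '{0,-21} StartOptions={1} (process not running)' -f $name, $opt
        continue
    }

    $actual = "$($proc.PriorityClass)"
    $status = if ($actual -eq $expected[$opt]) { 'OK' } else { 'MISMATCH' }
    '{0,-21} StartOptions={1} expected={2,-11} actual={3,-11} {4}' -f `
        $name, $opt, $expected[$opt], $actual, $status
}
```

A MISMATCH line usually means the service was not restarted after the settings file was edited, or the priority was changed by hand in Task Manager.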

Devo Agent installation

The Devo Agent requires .NET Framework 4.6.

  • Click here to download the USA agent.
  • Click here to download the EU agent.

You must uninstall any previous versions of the Devo Agent from your system before installing a more recent version.

Before starting the installation process, you can check the following video to learn more about the Devo Agent settings and how to monitor data in the Devo application.



  1. Start the installation using the executable MSI or EXE file. In the welcome screen, click Next to start the process.



  2. Configure ProxyServerContainer.

    This table lists and describes the fields on this page. Click Next when you finish.

    Listening Port

    The port that the ProxyServerContainer listens on. We recommend using the default port 10010.

    Udp Listening Port

    The port used for sending untagged data using Snare. We recommend using the default port 11011.

    Sending Ip Address

    The remote IP Address/Hostname where events should be sent. For example, for events to be sent through the In-house Relay, this will be the IP Address of the relay.

    Sending Port

    The remote port where the data will be sent.

    For events to be sent through the In-house Relay, this will be a listening port on the relay. Use 13000 if the events to be sent will be tagged by the Devo agent. Use 13003 if the events to be sent will be tagged by the relay.

    However, if you are bypassing relays and sending directly to the Devo cloud, use port 443.

    If you do not enable SSL secure sending, go to Administration → Relays in the Devo web application and check which port is assigned to the account. The IP address used to send non-secure data must also be authorized by the user. This authorization is also done on the Relay configuration page mentioned above.

    Compress Type

    Select either None or GZipStream. We do not recommend using compression.

    Sending Secure

    Select this check box to enable SSL secure sending.

    Certificate Subject Distinguished Name

    This is the distinguished name of the X.509 certificate used for authenticating the connection. Choose the one whose CN matches the name of your domain.

    Store Name

    The certificate store where the certificates are kept. We recommend selecting My.

    Store Location

    This is either the LocalMachine or CurrentUser certificate store used for the certificates. We recommend using LocalMachine.
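
As an added example (not part of the Devo documentation), the following PowerShell pre-flight check verifies two things a practitioner typically wants confirmed before clicking Next on this page: that the relay host and port entered under Sending Ip Address / Sending Port are reachable, and that a certificate whose CN matches the domain exists in the recommended LocalMachine\My store with a private key and a valid date range. The host, port and domain values are placeholders.

```powershell
# Added example (not Devo's own code): pre-flight checks for the
# ProxyServerContainer sending settings. All three values are placeholders.
$sendingHost = 'relay.example.internal'   # Sending Ip Address (placeholder)
$sendingPort = 13000                      # 13000 = events tagged by the agent, via relay
$domainCn    = 'example.internal'         # CN expected in the client certificate

# 1. Is the relay listening port reachable from this host?
$net = Test-NetConnection -ComputerName $sendingHost -Port $sendingPort `
           -WarningAction SilentlyContinue
'TCP {0}:{1} reachable: {2}' -f $sendingHost, $sendingPort, $net.TcpTestSucceeded

# 2. Which certificates in Store Location=LocalMachine, Store Name=My match the CN?
#    Sending Secure needs a certificate with a private key that is currently valid.
$now = Get-Date
$matches = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($domainCn))" } |
    ForEach-Object {
        [pscustomobject]@{
            Subject       = $_.Subject            # value for Certificate Subject Distinguished Name
            HasPrivateKey = $_.HasPrivateKey      # required for client authentication
            Valid         = ($_.NotBefore -le $now -and $_.NotAfter -ge $now)
            NotAfter      = $_.NotAfter
            Thumbprint    = $_.Thumbprint
        }
    }

if (-not $matches) {
    Write-Warning "No certificate with CN=$domainCn found in Cert:\LocalMachine\My"
} else {
    $matches | Format-Table -AutoSize
}
```

If more than one certificate matches, copy the Subject of the one that shows HasPrivateKey=True and Valid=True into the Certificate Subject Distinguished Name field.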

  3. The next step shows the MagicEvent configuration.



    This table lists and describes the fields on this page. Click Next when you finish.

    Polling Interval (sec)

    The frequency in milliseconds that the WMI server will send an update request to the agent.

    Max. Degree of Parallelism

    The number of processes to be polled by the WMI service in parallel. A greater number of processes will result in a negative impact on performance.

    Sending Port

    The ProxyServerContainer listening port. We recommend the default port 10010.

    Sending Ip Address

    The ProxyServerContainer's IP address on the localhost. We recommend the default 127.0.0.1.

    Sender Tag

    The tag to identify the sending machine. This will always be box.win.

    Machine List File

    The directory path and file where the machine list is stored. Usually, this is c:\machines.xml. If changed, the file needs to be created.

    Hide Passwords

    Select this check box to encrypt the machine list passwords. We recommend you do this.
  4. Select the Add... button to add a new machine to the list. The Edit Machine window appears.

    This table lists and describes the fields on this page.

    Local Computer

    Select this box if the machine is the current machine. When selected, the Domain, User, and Password fields are deactivated.

    Machine

    The name of the machine to be added.

    Domain

    The domain name of the machine.

    User

    The name of a user with access permissions for Windows events on the machine.

    Password

    The user's password.

    Event Logs

    This area lists the event groups to monitor. Add them using the Event Log and Query fields below.

    Event Log

    Select the event log to be added.

    Query

    Enter the required query in XPath and select Add.

    Click Accept once you finish to go back to the MagicEvent window, then click Next.

    To access a remote machine using MagicEvent, the WMI interface must be enabled and a user must be created with membership in the performance monitoring and event monitoring user groups.
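
The Query field above takes an XPath expression, and a malformed one is easiest to catch before it is saved into the machine list. The following PowerShell snippet is an added example (not part of the Devo documentation) that runs a candidate query against the local Security log with Get-WinEvent, which accepts the same event-log XPath syntax; the event IDs and time window are illustrative choices, not values from this page.

```powershell
# Added example (not Devo's own code): validate an event-log XPath query locally
# before entering it in the Query field of the Edit Machine window.
# Reading the Security log requires an elevated prompt.
$logName = 'Security'

# Illustrative query: logon successes (4624) and failures (4625) from the last hour.
# timediff(@SystemTime) is in milliseconds; 3600000 ms = 1 hour.
$xpath = "*[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) <= 3600000]]]"

try {
    $events = Get-WinEvent -LogName $logName -FilterXPath $xpath -MaxEvents 20 -ErrorAction Stop
    'XPath is valid: {0} matching event(s) shown from {1}' -f $events.Count, $logName
    $events | Select-Object TimeCreated, Id, ProviderName | Format-Table -AutoSize
}
catch {
    # Get-WinEvent reports an empty result as an error; that still means the
    # query parsed correctly. Any other error points at a malformed XPath.
    if ($_.Exception.Message -match 'No events were found') {
        'XPath is valid but matched no events in the last hour'
    } else {
        'XPath rejected: {0}' -f $_.Exception.Message
    }
}
```

To check a query against one of the remote machines in the list instead, add -ComputerName to the Get-WinEvent call; this uses the Windows event-log remoting interface rather than WMI, so it confirms the query syntax but not the WMI permissions the agent itself needs.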

  5. Configure MagicLog.

    This table lists and describes the fields on this page.

    Polling Interval

    The frequency in milliseconds that MagicLog will check for updates in the log files.

    Max. Degree Of Parallelism

    The number of processes to be polled by MagicLog in parallel. A large number of processes will result in a negative impact on performance.

    Once finished, select the Add... button to add a new folder.

  6. The Add Folder window appears. Configure a new folder to monitor.


    This table lists and describes the fields on this page. Once finished, select the Accept button to save the new folder and return to the MagicLog page, then click Next.

    Name

    Assign a name for the sending configuration.

    Folder Path

    The path where the file(s) are sent.

    File Pattern

    Specify the file extension (*.log, *.csv or *.*).

    File Format

    Select TEXT (normal ASCII format), EVTX (Windows event file exportation format) or NEWTEXT (to support Unicode files better).

    Search Option

    Choose whether to send events only from the log files located in the directory specified in Folder Path, or to also check all of its subdirectories for log files.

    Destination IP

    The IP address where events should be sent. We recommend the default localhost 127.0.0.1.

    Port

    The sending port destination. We recommend the default port 10010.

    Protocol

    Select either TCP or UDP. We recommend using TCP.

    Facility

    Specify a facility number for the sending process.

    Tag

    The actual tag to identify the log format being sent.

    Ignore Lines

    Define specific lines that should be excluded from sending.

    Delete When Finished

    Specify if the event should be deleted from the log file after being sent.

    Delete If Older Than

    Specify a time in days to wait before events are deleted from the log file.

  7. The wizard End page lets you select the services that you would like to activate immediately.

    Select Finish to end the process.
