Sending data to Devo / Event sources / Windows / Devo Agent for Windows

Devo Agent for Windows

The Devo Agent for Windows installs the following components:

ProxyServerContainer	Enables communication for sending events to the Devo In-house Relay or directly to the Devo Cloud.
MagicEvent	Monitors the Windows Event Log. Also enables the remote monitoring of Windows systems using WMI (Windows Machine Instrumentation). For more information about WMI, see WMI interface.
MagicLog	Monitors log files on the Windows machine.
MonitorService	Monitors the machine's system performance. This is a component that runs in the background and requires no specific configuration. It requires Microsoft .NET Framework 6.

The Snare agent can collect the events in the Windows Event Logs and send them to Devo using the connection configured by the ProxyServerContainer. This is optional and not included in the Devo Agent installation package. If you need this agent, see the Snare Agent for Windows article.

This article covers the following topics:

A note about process base priority

The default installation directory is C:\Program Files (x86)\DevoAgents. All the configuration files can be found in this directory.

When opening the MagicEvent.Settings.config, MagicLog.Settings.config or ProxyServerContainer.Settings.config files, the base priority of the processes can be found in the following section of the file:

<!-- PROCESS START -->
<add key="StartOptions" value="B"/>

The Start options value can be:

“B” - This is the default for all agent processes. Starts the process with priority set as below normal. This setting is recommended when using MagicLog to send log files from critical and high-load Windows servers. The setting will affect the sending rate and small delays might occur during peak load times. No data will be discarded.

“N” - Starts the process with priority set as normal. This setting is recommended when events need to reach the repository as near real-time as possible.

To check the current value, look for the priority in the process details shown in the task manager.

Before you begin

The Devo Agent requires .NET Framework 4.6

You must uninstall any previous versions of the Devo Agent from your system before installing a more recent version.

Watch this 5-minute video tutorial to get an overview of this process.

Installing the Devo Agent for Windows

Download the Devo Agent for your region: either USA or Europe.
Start the wizard using the executable MSI or EXE file. In the welcome screen, click Next to start the process.

First you need to configure ProxyServerContainer component that will establish a connection with the Devo endpoint of your choice; either the Devo relay or the Devo Cloud. The example below will send events over a secure channel directly to the Devo Cloud.

This table lists and describes the fields in this page. Click Next when you finish.

Listening Port	The port that the ProxyServerContainer listens on. We recommend using the default port 10010.
Udp Listening Port	The port used for sending untagged data using Snare. We recommend using the default port 11011.
Sending Ip Address	The remote IP Address/Hostname where events should be sent. For events sent through the In-house Relay, this will be the IP Address of the relay. If sending events directly to the Devo Cloud, use the hostname of the cloud for your region: Europe: collector-eu.devo.io USA: collector-us.devo.io Spain: collector-es.devo.io
Sending Port	The remote port where the data will be sent. For events to be sent through the In-house Relay, this will be a listening port on the relay. Use 13000 if the events are already tagged correctly. Use 13002 if you need the Devo Relay to apply the box.win tag to the events. If the events are already tagged and you want to send them directly to the Devo Cloud, use port 443. If you do not enable SSL secure sending, go to Administration → Relays in the Devo web application and check which port is assigned to the account. The IP address used to send non-secure data should be also authorized by the user. The authorization is also done on the Relay configuration page previously specified.
Compress Type	Select either None or GZipStream. We do not recommend using compression.
Sending Secure	Select this check box to enable SSL secure sending. If you select this check box, click the Certificate... button to enter the API Key and API Secret of your Devo domain. You can find these using the Devo web applications in Administration → Credentials.
Certificate Subject Distinguished Name	This is the distinguished name of the X.509 certificate used for authenticating the connection. Choose the one in which CN matches the name of your domain.
Store Name	The directory path where the certificates are stored. We recommend selecting My.
Store Location	This is either the LocalMachine or CurrentUser certificate store used for the certificates. We recommend using LocalMachine.

Next, you configure the MagicEvent component for monitoring Windows Event Logs. Here you can identify the specific logs to monitor.

This table lists and describes the fields in this page. Click Next when you finish.

Polling Interval (sec)	The frequency in seconds that MagicEvent will check for updates in the log files.
Max. Degree of Parallelism	The number of processes to be polled by MagicEvent in parallel. A great number of processes will result in a negative impact on performance.
Sending Port	The ProxyServerContainer listening port. We recommend the default port 10010.
Sending Ip Address	The ProxyServerContainer's IP address on the localhost. We recommend the default 127.0.0.1.
Sender Tag	The tag to identify the sending machine. This will always be box.win for the Event Log data.
Machine List File	The directory path and file where the machine list is stored. Usually, this is c:\machines.xml. If changed, the file needs to be created.
Hide Passwords	Select this check box to encrypt the machine list passwords. We recommend you do this.

Select the Add... button to add specific Windows Event Logs to the list of files to monitor. The Edit Machine window appears.

This table lists and describes the fields in this page.

Local Computer	Select this box if the machine is located on the current machine. When selected, the Domain, User, and Password fields are deactivated.
Machine	The name of the machine to be added.
Domain	The domain name of the machine.
User	The name of a user with access permissions for Windows events on the machine.
Password	The user's password.
Event Logs	This area lists the event groups to monitor. Add them using the Event Log and Query fields below.
Event Log	Select the event log to be added.
Query	Optionally enter a query in xpath language and select Add. For example, if you only want to send events with EventID equal to 903, you can use this script in the Query field: System/EventID=903

When your list of Event Logs is complete, click Accept to return to the MagicEvent window. Repeat if you need to add any more machines, then click Next.

To access a remote machine using MagicEvent, the WMI interface must be activated and a user must be created with permissions over performance monitoring and event monitoring user groups.

Now, you configure MagicLog to monitor files on the local machine.

This table lists and describes the fields in this page.

Polling Interval	The frequency in seconds that MagicLog will check for updates in the log files.
Max. Degree Of Parallelism	The number of processes to be polled by MagicLog in parallel. A great number of processes will result in a negative impact on performance.

Once finished, select the Add... button to add a new folder to monitor.

The Add Folder window appears.

This table lists and describes the fields in this page. Once finished, select the Accept button. Repeat if you need to add any more folders to monitor, then click Next.

Name	Assign a name for the sending configuration.
Folder Path	The path where the files(s) are sent.
File Pattern	Specify the file extension (.log, .csv or *.*).
File Format	Select TEXT (normal ASCII format), EVTX (Windows event file exportation format) or NEWTEXT (to support Unicode files better).
Search Option	To send events only from the log files located in the actual directory specified in Folder Path or should all possible subdirectories be checked for log files as well.
Destination IP	The IP address where events should be sent. This should be the ProxyServerContainer so use the default localhost 127.0.0.1
Port	The sending port destination. We recommend the default port 10010
Protocol	Select either TCP or UDP. We recommend using TCP.
Facility	Specify a facility number for the sending process.
Tag	The Devo tag that identifies the log source being monitored.
Ignore Lines	Here you can indicate if any specific lines should be ignored from sending.
Delete When Finished	Select this box to delete the event from the original log file once it's been sent.
Delete If Older Than	Number of days to wait before deleting events from the log file.

Select the checkboxes of the components you want to start right away, then click Finish.

Modifying the agent's configuration

Once installed and running, you can make modifications to the configuration of the agent's components by re-launching the MagicConfigApp.exe file. In the final step of the wizard, you must select the checkbox for each component you have modified in order to restart the service(s) and put the changes into effect.

Download as PDF

Did you find what you were looking for?

If not, please let us know what you need. Your feedback will help us to improve.