Installation – Blue Lance

Prerequisites

peter thomas — Tue, 02 Jun 2026 23:22:23 +0000

Before installing EventLogCentral, confirm that your environment meets the following requirements for both the EventLogCentral server and the EventLogAgent clients that will be deployed to monitored systems.

EventLogCentral Server requirements:

Requirement	Details
Operating System	Windows Server 2019 or newer
Browser	Chrome, Firefox, Microsoft Edge, or Safari
Privileges	Local administrator account required
Network	Network connectivity to all managed EventLogAgent clients
IP Address	Static IP address or DNS hostname recommended for production deployments

EventLogAgent client requirements:

Requirement	Details
Operating System	Windows Server 2016 or newer, Windows 10, or Windows 11
Privileges	Local administrator account required for installation
Network	Outbound connectivity to the EventLogCentral server on port 52966

Network requirements:

Port	Protocol	Direction	Purpose
52965	HTTP	Inbound to server	EventLogCentral web UI (non-secure)
52966	HTTPS	Inbound to server	EventLogCentral web UI and agent communication (recommended)
514	UDP/TCP	Outbound from agents	Default syslog forwarding to LT Auditor ^MP or other targets
6514	TCP/TLS	Outbound from agents	Secure syslog forwarding to LT Auditor ^MP or other targets

[Your administrator should confirm the exact ports required in your environment and ensure firewall rules are in place before proceeding with installation.]

Download packages:

Two separate installation packages are required — one for the EventLogCentral server and one for the EventLogAgent clients:

Package	Purpose
lta-mp-eventlogcentral.zip	EventLogCentral server installation
lta-mp-eventlogagent.zip	EventLogAgent client installation

[Your administrator should confirm where to obtain the current installation packages for your environment.]

SSL certificate considerations:

EventLogCentral automatically generates a self-signed TLS certificate during server installation. If self-signed certificates are used:

The public certificate file (ltaeventlog.cer) must be distributed to all EventLogAgent client machines so agents can trust the EventLogCentral server certificate
Alternatively, a custom TLS certificate can be installed on the server — see the Installing EventLogCentral Server article for details

If your organization requires a trusted CA-signed certificate rather than the auto-generated self-signed certificate, prepare the certificate before beginning installation.

LT Auditor ^MP requirements:

Requirement	Details
LT Auditor ^MP Server	Must be installed and running
Syslog Listener	Must be active and configured to receive EventLogCentral forwarded events

[Your administrator should confirm the LT Auditor ^MP syslog listener port and protocol before configuring forwarding targets in EventLogCentral.]

Prerequisites checklist:

[ ] EventLogCentral server meets Windows Server 2019 or newer requirement
[ ] Static IP address or DNS hostname is assigned to the EventLogCentral server
[ ] Required firewall ports are open between agents and the EventLogCentral server
[ ] LT Auditor ^MP server is installed and running with syslog listener active
[ ] Both installation packages are available
[ ] SSL certificate approach is decided — self-signed or custom CA certificate
[ ] Local administrator credentials are available on the server and all agent machines

[Your administrator should complete this checklist before proceeding to the installation articles.]

Installing EventLogCentral Server

peter thomas — Tue, 02 Jun 2026 23:19:59 +0000

This article covers the installation of the EventLogCentral server component. The server hosts the web-based administrative interface and manages configuration for all EventLogAgent clients in your environment. Complete this installation before deploying any EventLogAgent clients.

Step 1 — Download and prepare the installation package:

Download the following installation package:

lta-mp-eventlogcentral.zip

If the ZIP file was downloaded from the internet:

Right-click the ZIP file
Select Properties
Click Unblock if present
Click Apply

Extract the contents of the ZIP file to a temporary folder.

Step 2 — Run the installer:

Locate the installer in the extracted folder:

LTA_EventLogCentral.msi

Right-click the MSI file and select Install. Follow the installation wizard prompts to complete the installation.

By default, the application installs to:

C:\Program Files\Blue Lance 2-0\LTA_EventLogCentral

Step 3 — SSL certificate:

During installation, EventLogCentral automatically generates a self-signed TLS certificate:

File	Location	Purpose
ltaeventlog.pfx	C:\Program Files\Blue Lance 2-0\certs	Server TLS certificate used for HTTPS and agent communication
ltaeventlog.cer	C:\Program Files\Blue Lance 2-0\certs	Public certificate file — must be distributed to all EventLogAgent client machines when using self-signed certificates

Using a custom TLS certificate:

If your organization requires a custom CA-signed certificate instead of the auto-generated self-signed certificate:

Replace the existing certificate file in the certs folder with your custom certificate
Ensure the certificate:
- Supports Server Authentication
- Matches the server hostname or DNS name
If the replacement certificate is password protected, update the following Windows environment variable with the certificate password:

LTAEVENTLOG_CERT_PASSWORD

If the replacement certificate uses a different filename, update the appsettings.json file:
- Locate the https:certificate setting
- Update the value to reference the new certificate filename
Restart the LT Auditor ^MP Event Log Server Service to apply the certificate changes

Step 4 — Verify the installation:

After installation completes:

Open a browser on the server
Navigate to:

https://:52966

Confirm the EventLogCentral login page appears
Confirm the LT Auditor ^MP Event Log Server Service is running:

sc query “LT Auditor-MP Event Log Server Service”

The service should show as Running.

Step 5 — First time login:

On first access, log in using the default administrator credentials:

Field	Value
Username	admin
Password	TempP@ssw0rd!2025

Change the default password immediately after first login. Refer to the Admin article for instructions on changing the administrator password.

Reviewing server logs:

If the application fails to start or clients cannot connect after installation, review the logs located in:

C:\Program Files\Blue Lance 2-0\LTA_EventLogCentral\logs

Check for:

Certificate loading failures
Port conflicts on 52965 or 52966
Database connectivity errors
TLS negotiation failures
Service startup issues

Password requirements:

When changing the default password or creating new user accounts, passwords must meet the following requirements:

Requirement	Detail
Minimum length	10 characters
Uppercase letters	At least one (A-Z)
Lowercase letters	At least one (a-z)
Digits	At least one (0-9)
Special characters	At least one (!@#$%^&*)

Installing EventLogAgent

peter thomas — Tue, 02 Jun 2026 23:20:38 +0000

EventLogAgent is the lightweight Windows service deployed on each server or workstation you want to monitor. Each agent connects to the EventLogCentral server to retrieve its assigned configuration and forwards collected events directly to LT Auditor ^MP or the configured syslog destination. The agent must be installed individually on every Windows machine in scope for monitoring.

Prerequisites:

Before installing the agent, confirm the following:

The EventLogCentral server is installed and running
The EventLogCentral login page is accessible at https://:52966
If using self-signed certificates, the ltaeventlog.cer file has been copied from the EventLogCentral server and is available on the agent machine
Local administrator privileges are available on the target machine

Step 1 — Download and prepare the installation package:

Download the following installation package:

lta-mp-eventlogagent.zip

If the ZIP file was downloaded from the internet:

Right-click the ZIP file
Select Properties
Click Unblock if present
Click Apply

Extract the contents of the ZIP file to a temporary folder.

Step 2 — Run the installer:

Locate the installer in the extracted folder:

LTA_EventLogAgent.msi

Right-click the MSI file and select Run as Administrator.

The installation runs silently and installs to the default location:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent

Step 3 — Configure the agent:

After installation, update the agent configuration file:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\appsettings.json

Locate and update the following setting:

“ServerUrl”: “https://:52966”

Replace with the hostname or IP address of your EventLogCentral server.

The agent uses this URL to:

Retrieve audit configuration updates
Download audit policies
Receive forwarding instructions
Synchronize group assignments

Step 4 — Configure self-signed certificate trust:

If the EventLogCentral server is using the auto-generated self-signed certificate, the agent must be configured to trust it before it can communicate with the server.

Copy the following file from the EventLogCentral server to the agent machine:

ltaeventlog.cer

Place the file in the following folder on the agent machine:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\certs

Open an elevated PowerShell window and run the following script:

.\Install-Rootcert.ps1

The script imports the certificate into:

Cert:\LocalMachine\Root

This allows the EventLogAgent service to trust the EventLogCentral server certificate.

If your organization uses a custom CA-signed certificate on the EventLogCentral server, this step may not be required — confirm with your administrator.

Step 5 — Restart the agent service:

After updating the configuration file and installing the certificate, restart the EventLogAgent service to apply the changes:

Restart-Service LTA_EventLogAgent

Or restart via the Services console (services.msc):

Locate LT Auditor ^MP Event Log Agent Service
Click Restart

Step 6 — Verify agent registration:

After the service starts, confirm the agent has successfully registered with the EventLogCentral server:

Log in to the EventLogCentral web interface at https://:52966
Navigate to Clients in the left navigation menu
Confirm the new agent appears in the client list
Confirm the client status shows Online

Reviewing agent logs:

If the agent does not appear in the EventLogCentral client list or shows as offline, review the agent log files:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs

Verify the logs show:

Successful server connection
Configuration synchronization
Group assignment retrieval
Event forwarding initialization

Review logs for:

TLS or certificate errors
Connectivity failures to the EventLogCentral server
Authentication errors
Configuration synchronization issues

Deploying agents across multiple machines:

The EventLogAgent must be installed individually on each Windows machine you want to monitor. For large deployments, consider using one of the following methods to automate agent installation:

Group Policy — distribute the MSI package via Group Policy software installation
SCCM / Microsoft Endpoint Manager — deploy the MSI package as an application
Other enterprise deployment tools — use supported MSI command line parameters for silent installation

[Your administrator should document the deployment method used in your environment and the MSI parameters used for silent or automated installations.]

Account lockout policy:

Be aware of the following security settings that apply to the EventLogCentral web interface:

Setting	Value
Failed login attempts before lockout	5
Lockout duration	15 minutes
Session inactivity timeout	60 minutes