Blue Lance

Bluelance 2.0
Get a demo
View Categories

Installing EventLogAgent

2 min read

EventLogAgent is the lightweight Windows service deployed on each server or workstation you want to monitor. Each agent connects to the EventLogCentral server to retrieve its assigned configuration and forwards collected events directly to LT Auditor MP or the configured syslog destination. The agent must be installed individually on every Windows machine in scope for monitoring.

Prerequisites:

Before installing the agent, confirm the following:

  • The EventLogCentral server is installed and running
  • The EventLogCentral login page is accessible at https://<server-name>:52966
  • If using self-signed certificates, the ltaeventlog.cer file has been copied from the EventLogCentral server and is available on the agent machine
  • Local administrator privileges are available on the target machine

Step 1 โ€” Download and prepare the installation package:

Download the following installation package:

lta-mp-eventlogagent.zip

If the ZIP file was downloaded from the internet:

  1. Right-click the ZIP file
  2. Select Properties
  3. Click Unblock if present
  4. Click Apply

Extract the contents of the ZIP file to a temporary folder.

Step 2 โ€” Run the installer:

Locate the installer in the extracted folder:

LTA_EventLogAgent.msi

Right-click the MSI file and select Run as Administrator.

The installation runs silently and installs to the default location:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent

Step 3 โ€” Configure the agent:

After installation, update the agent configuration file:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\appsettings.json

Locate and update the following setting:

“ServerUrl”: “https://<server-address>:52966”

Replace <server-address> with the hostname or IP address of your EventLogCentral server.

The agent uses this URL to:

  • Retrieve audit configuration updates
  • Download audit policies
  • Receive forwarding instructions
  • Synchronize group assignments

Step 4 โ€” Configure self-signed certificate trust:

If the EventLogCentral server is using the auto-generated self-signed certificate, the agent must be configured to trust it before it can communicate with the server.

  1. Copy the following file from the EventLogCentral server to the agent machine:

ltaeventlog.cer

  1. Place the file in the following folder on the agent machine:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\certs

  1. Open an elevated PowerShell window and run the following script:

.\Install-Rootcert.ps1

The script imports the certificate into:

Cert:\LocalMachine\Root

This allows the EventLogAgent service to trust the EventLogCentral server certificate.

If your organization uses a custom CA-signed certificate on the EventLogCentral server, this step may not be required โ€” confirm with your administrator.

Step 5 โ€” Restart the agent service:

After updating the configuration file and installing the certificate, restart the EventLogAgent service to apply the changes:

Restart-Service LTA_EventLogAgent

Or restart via the Services console (services.msc):

  1. Locate LT Auditor MP Event Log Agent Service
  2. Click Restart

Step 6 โ€” Verify agent registration:

After the service starts, confirm the agent has successfully registered with the EventLogCentral server:

  1. Log in to the EventLogCentral web interface at https://<server-name>:52966
  2. Navigate to Clients in the left navigation menu
  3. Confirm the new agent appears in the client list
  4. Confirm the client status shows Online

Reviewing agent logs:

If the agent does not appear in the EventLogCentral client list or shows as offline, review the agent log files:

C:\Program Files\Blue Lance 2-0\LTA_EventLogAgent\logs

Verify the logs show:

  • Successful server connection
  • Configuration synchronization
  • Group assignment retrieval
  • Event forwarding initialization

Review logs for:

  • TLS or certificate errors
  • Connectivity failures to the EventLogCentral server
  • Authentication errors
  • Configuration synchronization issues

Deploying agents across multiple machines:

The EventLogAgent must be installed individually on each Windows machine you want to monitor. For large deployments, consider using one of the following methods to automate agent installation:

  • Group Policy โ€” distribute the MSI package via Group Policy software installation
  • SCCM / Microsoft Endpoint Manager โ€” deploy the MSI package as an application
  • Other enterprise deployment tools โ€” use supported MSI command line parameters for silent installation

[Your administrator should document the deployment method used in your environment and the MSI parameters used for silent or automated installations.]

Account lockout policy:

Be aware of the following security settings that apply to the EventLogCentral web interface:

SettingValue
Failed login attempts before lockout5
Lockout duration15 minutes
Session inactivity timeout60 minutes

Powered by BetterDocs

Newsletter

Let's get started and
enjoy the power of LT Auditor MP

ยฉ Copyright , BLUE LANCE 2.0. All Rights Reserved.

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by