Install Windows Agent

George Alpizar

Overview

You can use this document to learn how to install the Edge Delta agent for your Windows-based operating system.

Edge Delta provides the agent as a 64-bit or 32-bit MSI installation package.

Note

Before you deploy the agent, we recommend that you review the Review Agent Requirements document. 


Step 1: Create a Configuration and Download the Agent

  1. In the Edge Delta App, on the left-side navigation, click Data Pipeline, and then click Agent Settings.
  2. Click Create Configuration.
  3. Select Windows.
  4. Click Save.
  5. In the table, locate the newly created configuration, then click the corresponding vertical green ellipses, and then click Deploy Instructions.  
  6. Click Windows.
  7. In the window that appears, copy and paste the HTTPS URL into a web browser to download the package.
    • This window also displays your API key. Copy this key. You will need this key in a later step.

Step 2: Install the Agent

  1. Double-click the downloaded package, and then follow the on-screen instructions.
  2. During the installation process, you can change the installation directory where the agent will install. Based on your selected platform, the default path is Program Files or Program Files (x86).
  3. Enter the API key you copied earlier, and then follow the on-screen instructions to complete the installation.

Step 3: Configure the Agent

To configure the agent, you must access the installation directory and locate the following files:

  • The configuration file (config.yml)
  • The agent log file (edgedelta.log)

Review Example Configuration

The following example shows a default configuration that can be deployed as-is.

You can comment (or uncomment) parameters as needed, and populate the appropriate values, to build your desired configuration.

#Configuration File Version (currently v1 and v2 supported)
version: v2

#Global settings to apply to the agent
agent_settings:
  tag: windows_onboarding
  log:
    level: info
  anomaly_capture_size: 1000
  anomaly_confidence_period: 30m


#Inputs define which datasets to monitor (files, containers, syslog ports, windows events, etc.)
inputs:
  system_stats:
    labels: "system_stats"
  winevents:
    - labels: "windows_events, application"
      channel: "Application"
    - labels: "windows_events, security"
      channel: "Security"
    - labels: "windows_events, system"
      channel: "System"
#  files:
#    - labels: "iis_logs"
#      path: "C:\\inetpub\\Logs\\LogFiles\\W3SVC1\\*.log"
#  ports:
#    - labels: "syslog_ports"
#      protocol: tcp
#      port: 1514

#Outputs define destinations to send both streaming data, and trigger data (alerts/automation/ticketing)
outputs:
  #Streams define destinations to send "streaming data" such as statistics, anomaly captures, etc. (Splunk, Sumo Logic, New Relic, Datadog, InfluxDB, etc.)
  streams:
    ##Sumo Logic Example
    #- name: sumo-logic-integration
    #  type: sumologic
    #  endpoint: "<ADD SUMO LOGIC HTTPS ENDPOINT>"

    #Splunk Example
    #- name: splunk-integration
    #  type: splunk
    #  endpoint: "<ADD SPLUNK HEC ENDPOINT>"
    #  token: "<ADD SPLUNK TOKEN>"

    ##Datadog Example
    #- name: datadog-integration
    #  type: datadog
    #  api_key: "<ADD DATADOG API KEY>"

    ##New Relic Example
    #- name: new-relic-integration
    #  type: newrelic
    #  endpoint: "<ADD NEW RELIC API KEY>"

    ##Influxdb Example
    #- name: influxdb-integration
    #  type: influxdb
    #  endpoint: "<ADD INFLUXDB ENDPOINT>"
    #  port: <ADD PORT>
    #  features: all
    #  tls:
    #    disable_verify: true
    #  token: "<ADD JWT TOKEN>"
    #  db: "<ADD INFLUX DATABASE>"

  ##Triggers define destinations for alerts/automation (Slack, PagerDuty, ServiceNow, etc)
  triggers:
    ##Slack Example
    #- name: slack-integration
    #  type: slack
    #  endpoint: "<ADD SLACK WEBHOOK/APP ENDPOINT>"


#Processors define analytics and statistics to apply to specific datasets
processors:
  cluster:
    name: clustering
    num_of_clusters: 50          # keep track of only top 50 and bottom 50 clusters
    samples_per_cluster: 2       # keep last 2 messages of each cluster
    reporting_frequency: 30s     # report cluster samples every 30 seconds

#Regexes define specific keywords and patterns for matching, aggregation, statistics, etc. 
  regexes:
    # Error level Windows logs
    - name: "win_err"
      pattern: "{\"level\":\"error\"}"
      trigger_thresholds:
        anomaly_probability_percentage: 95
    # Critical Windows logs
    - name: "win_crit"
      pattern: "{\"level\":\"critical\"}"
      trigger_thresholds:
        anomaly_probability_percentage: 95
    # Windows Update Failure
    - name: "win_update_err"
      pattern: "{\"eventId\":20}"
      trigger_thresholds:
        anomaly_probability_percentage: 95
    # Windows Logon Failure
    # Enable via GPO or locally with windows CMD.exe: Auditpol /set /category:"Logon/Logoff" /Success:enable /failure:enable
    - name: "win_logon_fail"
      pattern: "{\"eventId\":4625}"
      trigger_thresholds:
        anomaly_probability_percentage: 95
    # Windows PowerShell
    - name: "win_ps_warn"
      pattern: "{\"level\":\"warning\"}"
      trigger_thresholds:
        anomaly_probability_percentage: 95

#Workflows define the mapping between input sources, which processors to apply, and which destinations to send the streams/triggers to
workflows:

  system_stats_workflow:
    input_labels:
      - system_stats

  example_workflow:
    input_labels:
      - windows_events
    processors:
      - clustering
      - win_err
      - win_crit
      - win_update_err
      - win_logon_fail
      - win_ps_warn
    destinations:
      #- streaming_destination_a    #Replace with configured streaming destination
      #- streaming_destination_b    #Replace with configured streaming destination
      #- trigger_destination_a      #Replace with configured trigger destination
      #- trigger_destination_b      #Replace with configured trigger destination
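The configuration above subscribes to the Application, Security and System channels and keys the win_logon_fail rule on event ID 4625, which Windows only writes when failure auditing for Logon/Logoff is enabled. The following PowerShell snippet is an added example, not part of Edge Delta's documentation or agent; it checks from an elevated prompt that those channels are readable on the host, reports the audit policy the comment in the config refers to, and lists the most recent 4625 events so you can confirm the rule has something to match. The channel names are the ones from the config; the property indexes used for the account name and status are the standard 4625 event-data layout.

```powershell
# Added example (not Edge Delta's own tooling). Run in an elevated PowerShell session:
# reading the Security channel requires administrator rights.

# Channels listed under inputs.winevents in the configuration above.
$channels = @('Application', 'Security', 'System')

foreach ($channel in $channels) {
    # -ListLog returns channel metadata without reading the events themselves.
    $log = Get-WinEvent -ListLog $channel -ErrorAction Stop
    '{0,-12} enabled={1,-5} records={2,-8} size={3:N0} bytes' -f `
        $channel, $log.IsEnabled, $log.RecordCount, $log.FileSize
}

# The agent only sees what Windows writes: if failure auditing for this category is
# "No Auditing", event 4625 never appears and win_logon_fail stays silent.
auditpol /get /category:"Logon/Logoff"

# Most recent failed logons, i.e. the events the win_logon_fail pattern matches.
# Properties[5] is TargetUserName and Properties[7] is Status in the 4625 event data.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Account'; Expression = { $_.Properties[5].Value } },
        @{ Name = 'Status';  Expression = { '0x{0:X}' -f $_.Properties[7].Value } }
```

If the last command prints nothing and auditpol shows "No Auditing" for Logon, enable failure auditing with the Auditpol command quoted in the config comment (or via GPO) before expecting the rule to trigger; a channel reported as enabled=False would likewise leave the corresponding winevents input empty.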

Troubleshoot the Agent

To troubleshoot and check the status of the agent, use the Windows Services console (services.msc) and review the <installation_directory>\edgedelta.log file.
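The same check can be scripted so it can be repeated on many hosts. The PowerShell below is an added example, not Edge Delta's own script: it looks up the agent's Windows service, shows its state and start type, and pulls the tail of edgedelta.log with any error-level lines highlighted. The installation directory is assumed to be the Program Files default described in Step 2 (the "Edge Delta" folder name is an assumption; adjust it to the directory you chose), and the service is matched by a wildcard on its display name because the exact service name is not given on this page.

```powershell
# Added example (not part of the Edge Delta documentation).
# Assumption: the agent was installed to the default path under Program Files.
$installDir = Join-Path $env:ProgramFiles 'Edge Delta'
$logPath    = Join-Path $installDir 'edgedelta.log'

# Service name is matched loosely; the exact service name is an assumption.
$service = Get-Service |
    Where-Object { $_.DisplayName -like '*Edge Delta*' -or $_.Name -like '*edgedelta*' }

if (-not $service) {
    Write-Warning 'No Edge Delta service is registered on this host.'
} else {
    $service | Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize
}

if (Test-Path -Path $logPath) {
    # Last 40 lines of the agent log, then just the lines that look like errors.
    $tail = Get-Content -Path $logPath -Tail 40
    $tail
    "`n--- error-level lines in the last 40 ---"
    $tail | Select-String -Pattern 'error|fatal|panic'
} else {
    Write-Warning "Agent log not found at $logPath; check the installation directory."
}
```

A service that shows Running with no recent error lines, combined with the agent appearing in the Active Agents table described in the next section, is the normal healthy state; a Stopped service or a log that ends in a configuration error usually points at config.yml.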


View Your Agent Version 

  1. In the Edge Delta App, on the left-side navigation, click Data Pipeline, and then click Pipeline Status.
  2. Navigate to the Active Agents table.
  3. Review the Agent Version column for your corresponding agent. 

Upgrade the Agent

To upgrade the agent, you must run the installation command that you previously used to first deploy the agent. 

This action will cause the agent to restart (essentially reinstall). The upgrade process will take 30 seconds or less to complete. 

To locate the installation command: 

  1. In the Edge Delta App, on the left-side navigation, click Data Pipeline, and then click Agent Settings.
  2. Locate the desired agent configuration, then under Actions, click the vertical ellipses, and then Deploy Instructions.
  3. Click Windows.
  4. Copy and run the command on your command line. 

Uninstall the Agent

To uninstall the agent from the command line (silent uninstall), run the following command in PowerShell:

(Get-WmiObject -Query "SELECT * FROM Win32_Product WHERE Name like 'Edge Delta%'").uninstall()
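One caveat with the command above: any query against the Win32_Product WMI class makes Windows Installer run a consistency check, and possibly a repair, of every MSI product on the machine, which is slow and writes a reconfiguration event for each product. The PowerShell below is an added example, not Edge Delta's own uninstall procedure; it achieves the same silent removal by reading the product code from the registry Uninstall keys and handing it to msiexec, without touching Win32_Product. The "Edge Delta*" display-name match mirrors the original command; the log file location is an assumption.

```powershell
# Added example (not part of the Edge Delta documentation).
# Silent uninstall via msiexec, avoiding the Win32_Product query.

function Get-EdgeDeltaProductCode {
    # MSI products register under both the 64-bit and the WOW6432Node Uninstall keys;
    # for MSI installs the key name (PSChildName) is the product code GUID.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Edge Delta*' -and $_.PSChildName -like '{*}' } |
        Select-Object -First 1 -ExpandProperty PSChildName
}

$productCode = Get-EdgeDeltaProductCode
if (-not $productCode) {
    throw 'Edge Delta agent is not registered as an installed MSI product.'
}

# Assumption: log location. /qn = no UI, /norestart = never reboot, /l*v = verbose log.
$logFile = Join-Path $env:TEMP 'edgedelta-uninstall.log'
$msi = Start-Process -FilePath msiexec.exe `
    -ArgumentList "/x $productCode /qn /norestart /l*v `"$logFile`"" `
    -Wait -PassThru -NoNewWindow

# Exit code 0 = success, 3010 = success but a reboot is pending.
if ($msi.ExitCode -notin 0, 3010) {
    throw "msiexec exited with $($msi.ExitCode); see $logFile"
}
"Edge Delta agent ($productCode) removed; exit code $($msi.ExitCode)."
```

Run this from an elevated prompt; msiexec needs administrator rights to remove a per-machine product, and the verbose log is the first place to look if the exit code is anything other than 0 or 3010.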
