Advanced Install & Configuration Guide
Version: 3.5

This document details advanced installation and configuration options for Layer8 software agents. Layer8 is delivered as standard MSI packages, so deployment can be made via AD Group Policy, SCCM or any other deployment tool.
Contents
1. Introduction to Layer8
2. Layer8 Components
3. Hardware & Software Prerequisites
4. Installation & Removal
5. License Keys
6. Troubleshooting & Technical Support
7. Advanced CONFIG Options

About This Advanced Install Guide
This guide provides information to automatically install Layer8 agents via Microsoft AD Group Policy. Deployment can also be made using any other tool which supports standard MSI packages.

This guide also describes how to use the Splunk reporting software, which enables fast, immediate evaluation of Layer8 data via a wide range of supplied dashboards and reports. Additionally, Layer8 can be configured to send data simultaneously to virtually any reporting, BI, analytics, SIEM, log management, ITIL or other software or database which accepts a standard data input. Please contact us for details.

NOTE: Splunk Enterprise
For fast viewing of data, Layer8 utilizes Splunk Enterprise, a data analytics tool which is free for analyzing up to 500MB of data per day, sufficient for between 1000 and 2500 Layer8 users. If you are already using Splunk Enterprise or Splunk Cloud and you wish to use Splunk's own Universal Forwarder, please consult the Quick Start Guide "Using the Splunk Universal Forwarder".

NOTE: Citrix XenApp / XenDesktop, Hyper-V, VMware Horizon, MS RDS
There are some additional configuration steps required when deploying Layer8 to virtualized desktops or virtualized applications. Please review the Layer8 Virtualization Installation Guide for additional information. Layer8 is certified Citrix Ready.
http://logfiller.com Page 2
1. Introduction to Layer8
Layer8 from Logfiller measures the actual usage and user experience of all virtual and physical Windows systems, generating data on logon delays, applications and web services, from logon to logoff and everything in between. Layer8's patent-pending technology provides unique insights that complement machine data sources.

2. Layer8 Components
Layer8 generates data via an installed agent, a data forwarder service and web browser extensions installed on each physical or virtual Windows-based endpoint or server. The following are included as standard MSI packages in the Layer8 installation download:
a) Layer8 User Experience Meter Agent (uxmtr)
b) Layer8 Forwarder Service (dcac)
c) Layer8 Web Browser extensions for IE, Chrome and Firefox
Both agents (uxmtr and dcac) are required on every installation endpoint. The web browser extensions are optional.

3. Hardware & Software Prerequisites
Layer8 can be installed on any system which runs Windows XP or higher, 32-bit or 64-bit, physical or virtual, servers, workstations or laptops. Standalone and domain users are supported.
- Microsoft Windows XP SP3, 2003 SP2, Vista, 2008, 2008 R2, 2012, 2012 R2, 7, 8, 8.1+, 10
- Microsoft Terminal Services / Microsoft Remote Desktop Services servers
- Virtualization platforms: Citrix XenApp, XenDesktop, VMware Horizon, Hyper-V
- RAM usage: 2MB to 6MB per installed user agent
- Processor usage: negligible
- Disk space: average of 0.2MB to 1MB per day, per user (temporary)
- One or more web browsers, e.g. Internet Explorer, Chrome or Firefox
- For reporting: Splunk Enterprise, Splunk Cloud (or any other SIEM / log manager)
Other than Windows there are NO other software prerequisites, i.e. there is no requirement for Java, .NET, JavaScript etc. to be installed on any system.
4. Installation & Removal
The key steps for manually installing Layer8 agents are as follows:
- Download, install and configure Splunk Enterprise
- Install the Layer8 App for Splunk in Splunk Enterprise
- Prepare the Layer8 UNC share
- Enable Read Security Event Logs & Audit Logon Events
- Create the Group Policy Installation Objects

Download, Install & Configure Splunk Enterprise
Download Splunk Enterprise from http://splunk.com and install it.

Install the Layer8 App for Splunk into Splunk
Click Apps > Manage Apps > Install App from file and select the Layer8 App for Splunk file from the Layer8 installation package.
Prepare the Layer8 UNC Share
Extract the Layer8 download software package to a network-accessible UNC share. The share must be readable by the computer accounts that will install from it (Group Policy software installation runs in the computer's SYSTEM context and reads the share as the computer account). Restrict write access to administrators: anyone who can modify the MSI files or config.ini on the share controls what every endpoint installs and where it sends its data.

MANDATORY STEP: Edit the supplied config.ini file from the Layer8 installation folder and add the IP address of your Splunk server in both the DataOutput#1 and AlertOutput#1 sections.

Enable Read Security Event Logs & Audit Logon Events
Start Group Policy Management Editor and edit the Default Domain Policy (these settings apply to every computer in the domain; a dedicated GPO linked to the relevant OUs is an alternative):
1. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options: disable "Audit: Force audit policy subcategory settings". With this setting disabled, Windows applies the classic category-level audit policy configured in step 2 and Advanced Audit Policy Configuration subcategory settings may be overridden, so check the effect on any existing audit configuration in your domain first.
2. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy: enable "Audit logon events" for both Success and Failure.
3. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment: grant "Manage auditing and security log". This right also allows its holders to clear the Security log, so grant it only to the account(s) under which the Layer8 agents run, not to all users.
Define the user groups needed for the deployment.
Create the Group Policy Installation Objects
Start Group Policy Management Editor and expand the domain. Right-click on Group Policy Objects > New, enter the name "Layer8 Deployment" and click OK. Leave Source Starter GPO as (none).
In the left pane, right-click on your domain in the tree, click Link an Existing GPO and choose Layer8 Deployment from the list.
In the left pane, under your domain, right-click on the newly created Layer8 Deployment > Edit > Computer Configuration > Policies > Software Settings. Right-click on Software Installation > New > Package and browse the UNC share for the following MSIs:
- Layer8_Agent_Setup.msi
- Optionally: Layer8ExtensionForIESetup.msi, Layer8ExtensionForChromeSetup.msi, Layer8ExtensionForFFSetup.msi
NOTE: When adding the packages, select Assigned as the deployment method so that the software is installed automatically.
After deployment, reboot the computers and use them as normal. Start Internet Explorer, Chrome and Firefox and enable / allow the Layer8 extension / add-on when prompted. Log in to Splunk and analyze your collected data using the supplied Layer8 App for Splunk dashboards and reports.
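Before the computers pick up the assigned package, the config.ini published on the UNC share can be checked mechanically. The Python script below is an added example written for this guide, not part of the Layer8 product: it confirms that each DataOutput#N and AlertOutput#N section names a receiving server (the MANDATORY STEP above), that Protocol, scope and boolean values are among those documented in the Advanced CONFIG Options section, and it flags FTP credentials, which config.ini holds in clear text where every computer installing from the share can read them. Both embedded config files are constructed samples; the address 10.20.30.40, the FTP account name and the password are placeholders.

```python
"""Added example for this guide (not Layer8 code): check a config.ini before it
is published on the UNC share. Section and parameter names follow the Advanced
CONFIG Options table; the two sample files are constructed, with placeholder values."""
import configparser
import re

VALID_METERS = {"All", "DesktopAppMeter", "WaitTimeMeter", "LogonDelayMeter",
                "LogoffDelayMeter", "PageLoadMeter", "DialogueBoxMeter"}
VALID_ALERT_SCOPES = VALID_METERS | {"Alerts"}
VALID_PROTOCOLS = {"HTTP", "TCP", "FTP", "SYSLOG", "EVENTLOG", "LOCALFILE", "FILEAPPEND"}
NETWORK_PROTOCOLS = {"HTTP", "TCP", "FTP", "SYSLOG"}   # these need Address and Port
BOOLEAN_PARAMS = {"DebugOutput", "StatusReport", "DailyOpsLog", "IncludeWindowTitle",
                  "IncludeIPAddress", "IncludeURL", "ErrorEventLog", "AnonymizeAllNames",
                  "AnonymizeComputerNames", "AnonymizeDomainNames", "AnonymizeUserNames"}

# Constructed sample: a config.ini before the MANDATORY STEP was carried out
WEAK_CONFIG = """\
[DataOutput#1]
DataCollectionScope=All;WaitTimeMetre
Protocol=FTP
Address=
Port=21
Username=layer8ftp
Password=Summer2016!
[AlertOutput#1]
AlertCollectionScope=All
Protocol=TCP
Address=
Port=9998
[commonconfig]
AnonymizeUserNames=yes
"""

# Constructed sample: the same file corrected (10.20.30.40 is a placeholder address)
FIXED_CONFIG = """\
[DataOutput#1]
DataCollectionScope=All
Protocol=TCP
Address=10.20.30.40
Port=9998
[AlertOutput#1]
AlertCollectionScope=All
Protocol=TCP
Address=10.20.30.40
Port=9998
[commonconfig]
AnonymizeUserNames=-1
"""


def check_output_section(sec, name, scope_key, allowed_scopes):
    findings = []
    protocol = sec.get("Protocol", "").strip().upper()
    if protocol not in VALID_PROTOCOLS:
        findings.append(f"{name}: Protocol '{sec.get('Protocol', '')}' is not a listed option")
    if protocol in NETWORK_PROTOCOLS:
        if not sec.get("Address", "").strip():
            findings.append(f"{name}: Address is blank; set the receiving server (MANDATORY STEP)")
        if not sec.get("Port", "").strip().isdigit():
            findings.append(f"{name}: Port must be a number")
    if protocol == "FTP" and sec.get("Password", "").strip():
        findings.append(f"{name}: FTP Password is stored in clear text in a file that every "
                        "computer installing from the share can read")
    for meter in sec.get(scope_key, "All").split(";"):
        if meter.strip() not in allowed_scopes:
            findings.append(f"{name}: {scope_key} value '{meter.strip()}' is not a known meter")
    return findings


def validate(text):
    """Return a list of findings; an empty list means every check passed."""
    # interpolation=None because transform values such as %C3%B6 contain literal % signs
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep parameter names exactly as written
    cp.read_string(text)
    findings = []
    for kind, scope_key, allowed in (("DataOutput", "DataCollectionScope", VALID_METERS),
                                     ("AlertOutput", "AlertCollectionScope", VALID_ALERT_SCOPES)):
        # output sections are numbered #1 to #99; at least one of each kind must exist
        names = [s for s in cp.sections() if re.fullmatch(rf"{kind}#[1-9]\d?", s)]
        if not names:
            findings.append(f"no {kind}#N section; at least one is required")
        for name in names:
            findings += check_output_section(cp[name], name, scope_key, allowed)
    for name in cp.sections():
        for key, value in cp[name].items():
            if key in BOOLEAN_PARAMS and value.strip() not in ("-1", "0"):
                findings.append(f"[{name}] {key}={value}: boolean values are -1 (on) or 0 (off)")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"--- {label} ---")
        print("\n".join(validate(text) or ["OK"]))
```

Run it against the real file with `validate(open(r"\\myserver\layer8\config.ini").read())` from an administrative workstation; anything it reports is cheaper to fix before the GPO has pushed the file to every endpoint than after.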
NOTE: You can check that everything is installed and working by viewing the Layer8 Status Page, available by clicking Start > Program Files > Logfiller > Layer8 Status Page on a computer with Layer8 installed.

Removing the Layer8 Agents
Start Group Policy Management Editor and expand the domain. In the left pane, under your domain, right-click Layer8 Deployment > Edit > Computer Configuration > Policies > Software Settings. Right-click on Software Installation > All Tasks > Remove and select the preferred removal method (immediately uninstall the software from users and computers, or allow users to continue to use the software but prevent new installations).

5. License Keys
Trial and Permanent License Keys
When you install Layer8 a trial license key is provided which allows data generation for 30 days. When you purchase Layer8 you will be provided with a license key in the form of a LICENSE.INI file. To publish the license key, simply copy the supplied file into the central deployment folder. For example, copy LICENSE.INI into:
\\myserver\layer8\
On the next restart or policy refresh your client computers will pick up this new license key.
6. Troubleshooting & Technical Support
Layer8 on Client Systems
For troubleshooting missing / non-reported Layer8 data:
- Confirm that clients are sending data to the correct Splunk server IP address as specified in the Layer8 config.ini file, and inspect the Logfiller Status Page on each client to see whether the "Successful Data Upload" messages appear.
- On the client computer, click Start > Program Files > Logfiller > Layer8 Status Page, or in any web browser enter the URL http://127.0.0.1:50291/status?99. This status page provides details on the Layer8 agent configuration, data upload status, errors, licensing and more.
- If the Status Page is not available, open the Windows Event Viewer. Layer8 reports successful program startup, configuration, and any license or policy errors to the Application Log and/or the Logfiller Log.
- For missing Logon Delay Times, verify that the policies and group permissions from Section 4 are correctly configured.
- Check that anti-virus or other endpoint protection software (including Windows Defender or SmartScreen) has not disabled or blocked installation of the Layer8 agents.
Visit http://support.logfiller.com for further KBs and other information.

Splunk Enterprise
Please consult the Splunk Answers KBs at http://splunk.com for all issues relating to Splunk Enterprise. The following troubleshooting steps may be of use:
- Check that the firewall ports are open and allow clients to send data via the chosen protocol.
- Confirm the Layer8 App for Splunk has been configured to match the configuration settings of the Layer8 agents.
- Click Settings > Indexes and make sure the Logfiller index is listed and enabled. If it is not listed or enabled, contact your Splunk administrator and confirm the Layer8 App is installed properly.
- If the index is listed and enabled but no data appears to be indexed, check the file/directory permissions on the Splunk Enterprise server.
7. Advanced CONFIG Options
Advanced Configuration of Layer8 on Client Systems
There are a number of optional CONFIG.INI parameters that can be used to customize the deployment for your organization. Each parameter is listed below with its type, description, default value and an example value. Boolean parameters take -1 (on / enabled) or 0 (off / disabled).

[dcacconfig] section
Contains parameters specific to the Layer8 data collection and forwarding service.

DebugOutput (boolean)
  Controls debug output to dbgview. -1 = on, 0 = off. Default value: 0. Example: -1

StatusReport (boolean)
  Controls the DCAC browser-based status report at http://127.0.0.1:50291/status?99. -1 = enabled, 0 = disabled. Default value: -1. Example: 0

DailyOpsLog (boolean)
  Controls debug output to a DailyOpsLog file. -1 = on, 0 = off. Default value: 0. Example: 0

DataFolderMaxSize (integer)
  The maximum size, in KB, the data folder is allowed to grow to. A value of zero does not limit the size of the folder. Example: 10000

RetryFolderMaxSize (integer)
  The maximum size, in KB, the retry folder is allowed to grow to. A value of zero does not limit the size of the folder. Example: 10000

AlertsFolderMaxSize (integer)
  The maximum size, in KB, the alerts folder is allowed to grow to. A value of zero does not limit the size of the folder. Example: 10000

UploadInterval (integer)
  The data upload interval in seconds. Default value: 15. Example: 15

[DataOutput#1] section
The first data output configuration section. There must be at least one DataOutput#N section and there can be up to 99 (DataOutput#1 to DataOutput#99).

DataCollectionScope (string)
  The meter name(s) that apply to this section, or All for all meters. Multiple values are separated by ";". Valid values: All, DesktopAppMeter, WaitTimeMeter, LogonDelayMeter, LogoffDelayMeter, PageLoadMeter, DialogueBoxMeter. Default value: All. Examples: All or WaitTimeMeter;LogonDelayMeter

Protocol (string)
  The protocol for the data upload. Valid options: HTTP, TCP, FTP, SYSLOG, EVENTLOG, LOCALFILE, FILEAPPEND. Default value: blank. The network protocols listed here (HTTP, TCP, FTP, SYSLOG) carry the collected data in clear text, so route them over a trusted network segment between the endpoints and the receiving server.

DataFormat (string)
  The data format for the data upload. Valid options: XML, NVP, CSV, JSON, XML-AllFields, NVP-AllFields, CSV-AllFields, JSON-AllFields. Default value: NVP

Folder (string)
  Folder name (only applies to FTP and the file-based protocols). For the LOCALFILE or FILEAPPEND protocols this creates the named folder under the default %programdata%\layer8-Data folder; for the FTP protocol the data is sent to this folder name on the FTP server. Default value: blank. Example: MyData

Address (string)
  IP or DNS address of the receiving computer. No default value (blank). Examples: L8ConfigServer or 211.211.34.56

Port (integer)
  Target port on the receiving computer. No default value. Example: 82

Username (string)
  The optional username for the FTP protocol. Default value: blank. Example: MyUsername

Password (string)
  The optional password for the FTP protocol. Default value: blank. Example: MyPassword. Note that config.ini is a plain text file read from the deployment share, so use a dedicated FTP account with write access only to the target folder.

[AlertOutput#1] section
The first alert output configuration section. There must be at least one AlertOutput#N section and there can be up to 99.

AlertCollectionScope (string)
  The meter name(s) that apply to this section, or All for all meters. Multiple values are separated by ";". Valid values: All, Alerts, DialogueBoxMeter and the meter names listed for DataCollectionScope. Default value: All. Examples: All or WaitTimeMeter;LogonDelayMeter

Protocol (string)
  The protocol for the alert upload. Valid options: HTTP, TCP, FTP, SYSLOG, EVENTLOG, LOCALFILE, FILEAPPEND. Default value: blank

Folder (string)
  Folder name (only applies to FTP and the file-based protocols). For the LOCALFILE or FILEAPPEND protocols this creates the named folder under the default %programdata%\layer8-Alert folder; for the FTP protocol the alerts are sent to this folder name on the FTP server. Default value: blank. Example: MyAlert
  Note: there is no DataFormat parameter for alerts. Alerts are formatted using the string templates described under the [commonconfig] section below.

Address (string)
  IP or DNS address of the receiving computer. Default value: blank. Examples: L8ConfigServer or 211.211.34.56

Port (integer)
  Target port on the receiving computer. Default value: 0. Example: 82

Username (string)
  The optional username for the FTP protocol. Default value: blank. Example: MyUsername

Password (string)
  The optional password for the FTP protocol. Default value: blank. Example: MyPassword

[uxmtrconfig] section
Contains parameters specific to the uxmtr data acquisition program.

DebugOutput (boolean)
  Controls debug output to dbgview. -1 = on, 0 = off. Default value: 0. Example: 0

IncludeWindowTitle (boolean)
  When on, window titles are included in the data and alert events. -1 = on, 0 = off. Default value: -1. Example: -1

IncludeIPAddress (boolean)
  When on, IP addresses are included in the data and alert events. -1 = on, 0 = off. Default value: -1. Example: -1

IncludeURL (boolean)
  When on, URLs are included in the data and alert events. -1 = on, 0 = off. Default value: -1. Example: -1
  Window titles and URLs frequently contain document names, e-mail subjects and query strings. Review these three settings together with the Anonymize settings in [commonconfig] against your data protection requirements before deployment.

BrowserExes (string)
  The names of the executables which identify browsers to Layer8. Example: iexplore.exe; firefox.exe; chrome.exe; safari.exe

NonBrowserExcludeExes (string)
  The names of executables to be ignored by Layer8. Default value: blank. Example: Mydocreader.exe

EnabledMetersForData (string)
  The names of the meters to enable for data collection. Default value: All. Examples: All or WaitTimeMeter;LogonDelayMeter

EnabledMetersForAlerts (string)
  The names of the meters to enable for alert collection. Default value: All. Examples: All or Alerts

[commonconfig] section
The common configuration section used by all endpoint components.

DistServerAddress (string)
  The IP address or DNS name of the Layer8 distribution server (the server running the Layer8WebServer), plus an optional port number. Default value: blank. Examples: Layer8-Dist-Server:82 or 211.211.34.56:102

ErrorEventLog (boolean)
  Controls error messages sent to the layer8-error log in the Windows event log. -1 = enabled, 0 = disabled. Default value: -1. Example: -1

AnonymizeAllNames (boolean)
  Anonymize all names captured on the endpoint, i.e. user, domain and computer names. -1 = on, 0 = off. Default value: -1. Example: -1

AnonymizeComputerNames (boolean)
  Anonymize computer names captured on the endpoint. -1 = on, 0 = off. Default value: -1. Example: -1

AnonymizeDomainNames (boolean)
  Anonymize domain names captured on the endpoint. -1 = on, 0 = off. Default value: -1. Example: -1

AnonymizeUserNames (boolean)
  Anonymize user names captured on the endpoint. -1 = on, 0 = off. Default value: -1. Example: -1

Meter cut-offs, alert thresholds and alert templates
Each meter has a low reading cut-off, a high reading cut-off (-1 = no limit where noted), an alert threshold in seconds and an alert template. The templates contain %name% placeholders which are filled in when the alert is generated.

LogonDelayTimeLowReadingCutoff
  The Logon Delay low reading cut-off. Default value: 1. Example: 1
LogonDelayTimeHighReadingCutoff
  The Logon Delay high reading cut-off. Default value: 300. Example: 300
LogonDelayTimeAlertThreshold
  The alert threshold in seconds for Logon Delays. Default value: 10. Example: 10
LogonDelayTimeAlertTemplate (string)
  The alert template for Logon Delay alerts. Default value:
  Alert=LogonDelayTooLong AlertValue=%logondelay% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogonID="%logonid%"

LogoffDelayTimeLowReadingCutoff
  The Logoff Delay low reading cut-off. Default value: 1. Example: 1
LogoffDelayTimeHighReadingCutOff
  The Logoff Delay high reading cut-off. Default value: 300. Example: 300
LogoffDelayTimeAlertThreshold
  The alert threshold in seconds for Logoff Delays. Default value: 10. Example: 10
LogoffDelayTimeAlertTemplate (string)
  The alert template for Logoff Delay alerts. Default value:
  Alert=LogoffDelayTooLong AlertValue=%Logoffdelay% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

AppActiveTimeTimeLowReadingCutoff
  The Active Time low reading cut-off. Default value: 1. Example: 1
AppActiveTimeTimeHighReadingCutoff
  The Active Time high reading cut-off. Default value: -1 (-1 = no limit). Example: -1
AppActiveTimeTimeAlertThreshold
  The alert threshold in seconds for Active Times. Default value: -1. Example: -1
AppActiveTimeTimeAlertTemplate (string)
  The alert template for Active Time alerts. Default value:
  Alert=ActiveTimeTooLong AlertValue=%ActiveTime% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

AppWaitTimeTimeLowReadingCutOff
  The Wait Time low reading cut-off. Default value: 0.1. Example: 0.1
AppWaitTimeTimeHighReadingCutoff
  The Wait Time high reading cut-off. Default value: 300 (-1 = no limit). Example: 300
AppWaitTimeTimeAlertThreshold
  The alert threshold in seconds for Wait Times. Default value: 10. Example: 10
AppWaitTimeTimeAlertTemplate (string)
  The alert template for Wait Time alerts. Default value:
  Alert=WaitTimeTooLong AlertValue=%WaitTime% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

PageLoadTimeLowReadingCutOff
  The Page Load low reading cut-off. Default value: 1. Example: 1
PageLoadTimeHighReadingCutoff
  The Page Load high reading cut-off. Default value: 300 (-1 = no limit). Example: 300
PageLoadTimeAlertThreshold
  The alert threshold in seconds for Page Loads. Default value: 10. Example: 10
PageLoadTimeAlertTemplate (string)
  The alert template for Page Load alerts. Default value:
  Alert=PageLoadTooLong AlertValue=%PageLoad% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

DialogueBoxTimeLowReadingCutOff
  The Dialogue Box low reading cut-off. Default value: 0. Example: 0
DialogueBoxTimeHighReadingCutOff
  The Dialogue Box high reading cut-off. Default value: 0 (-1 = no limit). Example: 0
DialogueBoxTimeAlertThreshold
  The alert threshold in seconds for Dialogue Boxes. Default value: 0. Example: 0
DialogueBoxTimeAlertTemplate (string)
  The alert template for Dialogue Box alerts. Default value:
  Alert=DialogueBox WindowTitle="%windowtitle%" ExeName="%exename%" ComputerName="%computername%" WindowClass="%windowclass%" LogonID="%logonid%"

Data Transformation
Layer8 V3.5 introduced the ability to transform window title and URL field data at source by adding entries to the [dcacconfig] section of config.ini.

Simple window title and URL field text replacements can be made for each of the output formats (CSV, NVP, XML, JSON) in the form:
  [original text] --> [replacement text]

Non-printable characters can be represented by their two-digit hex character code preceded by the % character, e.g. carriage return = %0D, line feed = %0A. Characters outside ASCII are written as their UTF-8 bytes in the same form, e.g. ö = %C3%B6.

For instance, to replace the double quote character " with the escape sequence \" for NVP-formatted output, the dcac config entry is:
  NVPTransform=" --> \"

Note: because %nn sequences in the original and replacement text are always decoded, a literal % followed by a digit must itself be written in hex form (%25), just as a space is written %20.

Examples of data transforms in a config.ini:
  ; DataTransformsEnabled=-1 enables the data transforms below
  DataTransformsEnabled=-1
  ; Replace double quotes with two single quotes in CSV files for window title and URL text
  CSVTransform#1=" --> ''
  ; Replace the upper case umlaut character with the text "big umlaut", surrounded by spaces, in CSV files for window title and URL text
  CSVTransform#2=Ö --> %20big umlaut%20
  ; Replace the lower case umlaut character (written in hex form) with the text "small umlaut", surrounded by spaces, in CSV files for window title and URL text
  CSVTransform#3=%C3%B6 --> %20small umlaut%20
  ; Replace double quotes with two single quotes in NVP files for window title and URL text
  NVPTransform#1=" --> ''
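The transforms exist because window titles and URLs are user-influenced text that is written straight into the NVP, CSV, XML or JSON records and alert lines; an embedded double quote breaks the field quoting of the NVP alert templates above. The Python example below was written for this guide and is not Layer8 code. It reads the transform entries for one output format from a constructed [dcacconfig] fragment, decodes the %nn escapes, applies the rules to a window title and renders the default DialogueBox alert template with and without the NVP transform so the effect is visible. Assumptions, since the guide does not state them: %nn escapes decode as UTF-8 bytes (as the %C3%B6 example implies), rules apply in the order of their # numbers, and only the window title and URL fields are transformed. The field values (computer name, logon ID, executable) are made up.

```python
"""Added example for this guide (not Layer8 code): apply [dcacconfig] data
transforms and render an alert template. Assumptions: %nn escapes are UTF-8
bytes, rules apply in # order, only the windowtitle and url fields are transformed."""
import configparser
import re

# Constructed [dcacconfig] fragment using the transform syntax from this section
DCAC_CONFIG = """\
[dcacconfig]
DataTransformsEnabled=-1
NVPTransform#1=" --> \\"
CSVTransform#1=" --> ''
CSVTransform#2=Ö --> %20big umlaut%20
CSVTransform#3=%C3%B6 --> %20small umlaut%20
"""

# Default DialogueBoxTimeAlertTemplate from the [commonconfig] table
DIALOGUE_TEMPLATE = ('Alert=DialogueBox WindowTitle="%windowtitle%" ExeName="%exename%" '
                     'ComputerName="%computername%" WindowClass="%windowclass%" '
                     'LogonID="%logonid%"')

# Constructed field values for one dialogue box event; the title carries double quotes
EXAMPLE_FIELDS = {
    "windowtitle": 'Save "report.docx"?',
    "exename": "WINWORD.EXE",
    "computername": "WS-0042",
    "windowclass": "#32770",
    "logonid": "0x3E7A1",
}

TRANSFORMED_FIELDS = ("windowtitle", "url")   # the fields the guide says are transformed
SEPARATOR = " --> "


def percent_decode(text):
    """Expand %XX escapes (%0D, %20, %C3%B6 ...) byte-wise and decode the result as UTF-8."""
    out = bytearray()
    i = 0
    while i < len(text):
        chunk = text[i + 1:i + 3]
        if text[i] == "%" and len(chunk) == 2 and all(c in "0123456789abcdefABCDEF" for c in chunk):
            out += bytes.fromhex(chunk)
            i += 3
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


def load_transforms(config_text, fmt):
    """Return [(original, replacement), ...] for the <fmt>Transform#N keys, in # order."""
    cp = configparser.ConfigParser(interpolation=None)  # values contain literal % signs
    cp.optionxform = str                                 # keep key case as written
    cp.read_string(config_text)
    section = cp["dcacconfig"]
    if section.get("DataTransformsEnabled", "0").strip() != "-1":
        return []
    prefix = f"{fmt}Transform#"
    keys = sorted((k for k in section if k.startswith(prefix)),
                  key=lambda k: int(k[len(prefix):]))
    rules = []
    for key in keys:
        original, replacement = section[key].split(SEPARATOR, 1)
        rules.append((percent_decode(original), percent_decode(replacement)))
    return rules


def apply_transforms(rules, text):
    """Apply the replacements in order; a later rule sees the output of earlier ones."""
    for original, replacement in rules:
        text = text.replace(original, replacement)
    return text


def render_alert(template, fields, rules):
    """Fill %name% placeholders in a single pass, so a field value that happens to
    contain another placeholder's text is never expanded a second time."""
    def substitute(match):
        name = match.group(1).lower()
        if name not in fields:
            return match.group(0)
        value = fields[name]
        return apply_transforms(rules, value) if name in TRANSFORMED_FIELDS else value
    return re.sub(r"%([A-Za-z]+)%", substitute, template)


if __name__ == "__main__":
    print(render_alert(DIALOGUE_TEMPLATE, EXAMPLE_FIELDS, []))
    print(render_alert(DIALOGUE_TEMPLATE, EXAMPLE_FIELDS, load_transforms(DCAC_CONFIG, "NVP")))
    print(apply_transforms(load_transforms(DCAC_CONFIG, "CSV"), 'Öl, "Möwen"'))
```

Without the NVP rule the rendered line reads WindowTitle="Save "report.docx"?" and a downstream NVP parser sees the title end at the first embedded quote; with the rule the quotes arrive as \" and the field stays intact. The single-pass placeholder substitution in render_alert is the part worth copying: substituting placeholders one after another with str.replace would let a window title containing the text %computername% be expanded as if it were a placeholder.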