Quick Start Guide
For Splunk Universal Forwarder and Splunk Cloud
This document details the procedure for manually installing Layer8
software agents, and forwarding data to an existing Splunk Enterprise
or Splunk Cloud installation utilizing the Splunk Universal Forwarder.
Contents
1. Introduction to Layer8
2. Layer8 Components
3. Hardware & Software Prerequisites
4. User Account Configuration Steps
5. Installation & Removal
6. License Keys
7. Troubleshooting & Technical Support
About This Quick Start Guide
This guide provides information to manually install Layer8 agents via a supplied batch file, which can be useful for testing a small group of systems.
This guide provides details for customers who already use Splunk Enterprise or Splunk Cloud, and have already deployed or wish to deploy the Splunk Universal Forwarder to endpoints.
For deployments of Layer8 agents via Group Policy, SCCM or other standard MSI deployment tools, please consult the Layer8 Advanced Install Guide.
NOTE: Splunk Cloud and Splunk Universal Forwarder
Layer8 is supplied with its own built in data Forwarder Service.
When using only the Layer8 forwarder, only Layer8 data is collected.
If you are using the Splunk Universal Forwarder, the supplied Layer8 forwarder relays data onto the Splunk Universal Forwarder for delivery to the Splunk server alongside other data you may be collecting.
1. Introduction to Layer8
Layer8 from Logfiller measures the actual usage and User Experience of Windows-based systems: logon delays, applications and web services.
From Logon to Logoff and everything in between, Layer8’s patent pending technology provides unique insights that also complement machine data sources.
2. Layer8 Components
Layer8 generates data via an installed agent, a data forwarder service and web browser extensions installed on each Windows endpoint / server.
The following are included as standard MSI packages in the Layer8 installation download:
a) Layer8 User Experience Meter Agent (“uxmtr”)
b) Layer8 Forwarder Service (“dcac”)
c) Layer8 Web Browser extensions for IE and Chrome
Both agents (“uxmtr” and “dcac”) are required for all installation endpoints. The browser extensions are optional.
3. Hardware & Software Prerequisites
Layer8 can be installed on any system which runs Windows XP and higher, 32-bit or 64-bit,
physical or virtual, servers, workstations or laptops. Standalone and domain users are supported.
Microsoft Windows – XP/SP3, 2003/SP2, Vista, 2008, 2008R2, 2012, 2012 R2, 7, 8, 8.1+, 10
Microsoft Terminal Services / Microsoft Remote Desktop Services servers
Virtualization platforms - Citrix XenApp, XenDesktop, VMware Horizon, Hyper-V
RAM Usage – 2MB to 6MB
Processor usage – negligible.
Disk Space - average of 0.2MB to 1MB of temporary data per user per day
One or more Web Browsers e.g. Internet Explorer, Chrome or Firefox
For reporting: Splunk Enterprise, Splunk Cloud, or any other SIEM / Log Manager solution
Other than Windows, there are NO other software prerequisites i.e. there is no
4. User Account Configuration Steps
In order to calculate Logon Delays Layer8 needs to be able to read the local Windows Security Event Log. There are two ways to approach this, depending on whether the endpoints you are deploying to run Windows XP or Windows Vista and above: Vista introduced the built-in “Event Log Readers” group, which grants read-only access to the event logs, whereas on XP this guide grants read access through the “Manage auditing and security log” user right.
NOTE: If deploying across a network with Active Directory, changes can be made to Group Policy
as needed. Consult the Layer8 Advanced Install Guide for instructions using this method.
Windows XP
Procedure: As a Local Administrator, open a command prompt or click “Start” > “Run” and enter “secpol.msc”
In the "Local Security Settings" window, expand “Local Policies” > “Audit Policy” > “Audit Logon Events” and enable “Success”
In the "Local Security Settings" window, expand “Local Policies” > “User Rights Assignment” > “Manage auditing and security log”, double-click and add “Domain Users” or “Everyone” as required
Close the "Local Security Settings" window
NOTE: The “Manage auditing and security log” right (SeSecurityPrivilege) also lets its holders clear the Security log and change audit settings, so grant it to the narrowest group that meets your needs rather than “Everyone” where possible.
Windows Vista and above
Procedure: As a Local Administrator, open a command prompt or click “Start” > “Run” and enter “lusrmgr.msc”
In the "Local Users and Groups" window, double-click "Groups" > "Event Log Readers" > "Add". Enter the user or group to add (e.g. “Domain Users” or “Everyone”). Click "Check Names", then "OK" > "OK", and close the "Local Users and Groups" window. The new membership takes effect at the user's next logon.
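The two Section 4 prerequisites for Windows Vista and above can also be checked, and applied, from an elevated PowerShell prompt. The script below is an added example for this guide, not a script supplied by Logfiller or Splunk. It assumes Windows Vista / Server 2008 or later with PowerShell 5.1 (the *-LocalGroupMember cmdlets do not exist on older versions, where “net localgroup” does the same job), and the group name “DOMAIN\Domain Users” is a placeholder to replace with the group you actually want to grant. Windows XP is not covered; use the secpol.msc procedure above. Without -Apply the script only reports the current state.

```powershell
# Added example for the Layer8 Quick Start Guide, not a script from Logfiller or Splunk.
# Checks (and with -Apply, configures) the two Section 4 prerequisites on Windows
# Vista / Server 2008 or later. Assumptions: PowerShell 5.1 or later for the
# *-LocalGroupMember cmdlets; "DOMAIN\Domain Users" is a placeholder to replace with
# the group you actually want to grant (use "Everyone" on standalone machines).
# Run from an elevated PowerShell prompt.
param(
    [string]$Principal = 'DOMAIN\Domain Users',
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'

# 1. Success auditing for logons. auditpol's "Logon" subcategory is what the
#    secpol.msc "Audit Logon Events / Success" setting turns on; it produces the
#    4624 events in the Security log that Layer8 reads for its Logon Delay calculation.
$logon   = auditpol /get /subcategory:Logon /r | ConvertFrom-Csv
$setting = $logon.'Inclusion Setting'
Write-Host "Audit Logon currently: $setting"
if ($setting -notmatch 'Success') {
    if ($Apply) {
        auditpol /set /subcategory:Logon /success:enable | Out-Null
        Write-Host '  -> Success auditing for Logon enabled'
    } else {
        Write-Warning 'Logon Success auditing is OFF (re-run with -Apply to enable)'
    }
}

# 2. Read access to the Security log via the built-in "Event Log Readers" group.
#    This grants read-only access, unlike the XP-era "Manage auditing and security log"
#    right, which also permits clearing the log.
$members = @(Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name)
Write-Host "Event Log Readers members: $($members -join ', ')"
if ($members -notcontains $Principal) {
    if ($Apply) {
        Add-LocalGroupMember -Group 'Event Log Readers' -Member $Principal
        Write-Host "  -> added $Principal (takes effect at that user's next logon)"
    } else {
        Write-Warning "$Principal is not in Event Log Readers (re-run with -Apply to add)"
    }
}

# 3. Sanity check: the Security log is readable and contains recent 4624 logon events.
#    Properties[5] of a 4624 event is TargetUserName (the account that logged on).
Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' -MaxEvents 3 |
    Format-Table TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } } -AutoSize
```

Save it under a name of your choosing (for example the hypothetical Set-Layer8Prereqs.ps1) and run it once without -Apply to see what would change, then with -Apply -Principal 'YOURDOMAIN\Domain Users' to make the change. The final Get-WinEvent call is run as the administrator; to prove the grant works for an ordinary user, log on as a member of the group and run that one line again.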
5. Installation & Removal
The key steps for manually installing Layer8 agents are as follows:
a) Configure Splunk Cloud (if used)
b) Download and install the “Layer8 App for Splunk” into Splunk Cloud OR Splunk Enterprise
c) Install and configure the Splunk Universal Forwarder
d) Install the Layer8 agents
Configure Splunk Cloud
If required create a Splunk Cloud trial environment at http://splunk.com
Install the “Layer8 App for Splunk” in Splunk (Cloud OR Enterprise)
Click “Apps” > “Manage Apps” > “Install App from file” and select the “Layer8 App for Splunk” file from the Layer8 installation package
For Splunk Cloud only, go to “Settings” > “Forwarding and Receiving” > “Configure Receiving” and click “ENABLE”.
Install Splunk Universal Forwarder on Endpoints
Deployment of the Splunk Universal Forwarder onto endpoints is NOT covered in this guide. There are multiple options and configuration settings. Please consult Splunk documentation. Once installed, the Splunk Universal Forwarder must be configured to look for Layer8 generated data on the endpoint.
Edit the INPUTS.CONF File
The following stanzas need to be added to the “inputs.conf” file, which is normally located at “C:\Program Files\SplunkUniversalForwarder\etc\system\local”. The first two stanzas match the Layer8 data folders on Windows Vista and later (where %ALLUSERSPROFILE% is C:\ProgramData); the two “Application Data” stanzas match the same folders on Windows XP / 2003 (where %ALLUSERSPROFILE% is C:\Documents and Settings\All Users). On any given endpoint only one “lf-data” and one “lf-alerts” path will exist, so all four stanzas can be deployed everywhere.

[monitor://$allusersprofile\logfiller\lf-data]
disabled = false
sourcetype = LogfillerData
index = Logfiller

[monitor://$allusersprofile\logfiller\lf-alerts]
disabled = false
sourcetype = LogfillerAlerts
index = Logfiller

[monitor://$allusersprofile\Application Data\logfiller\lf-data]
disabled = false
sourcetype = LogfillerData
index = Logfiller

[monitor://$allusersprofile\Application Data\logfiller\lf-alerts]
disabled = false
sourcetype = LogfillerAlerts
index = Logfiller

NOTE: The “Logfiller” index must exist on the receiving Splunk instance before data arrives; Splunk discards events addressed to an index that does not exist. Restart the Splunk Universal Forwarder service after editing inputs.conf.
Edit the OUTPUTS.CONF File
Next, if using Splunk Cloud, the Splunk Universal Forwarder must be configured to send the Layer8 data from the endpoints to the Splunk Cloud service. The following (sample) entries need to be added to the “outputs.conf” file, which is normally located at:
“C:\Program Files\SplunkUniversalForwarder\etc\system\local”

[tcpout]
defaultGroup = sandbox

[tcpout:sandbox]
server = input-YOUR.SPLUNKACCOUNT.HERE.splunktrial.com:9997
maxQueueSize = auto
disabled = false

NOTE: Your “outputs.conf” file may vary greatly. The above is for reference only: the “server” value must be the receiving host name of your own Splunk Cloud instance, and non-trial Splunk Cloud instances normally supply a Universal Forwarder credentials app containing the correct outputs.conf and TLS certificates, which should be used in preference to a hand-edited file. Consult the Splunk documentation for full deployment information.
Install the Layer8 Agents
The following describes installing via supplied batch file, for Group Policy, SCCM deployment consult the Advanced Install Guide.
Extract the Layer8 software package to any local, network drive letter or UNC share.
MANDATORY STEP 1: In the installation folder, rename the file
“config.UNIVERSALFORWARDER” to “config.ini”.
MANDATORY STEP 2: Using notepad or similar edit the supplied “Layer8_InstallAll.EDITTHIS”
file and specify the UNC path to the root of extracted Layer8 software folder. Save the file with a .BAT extension
Temporarily disable any anti-virus or other software / application blocking feature which may interfere with installation, and re-enable it as soon as installation completes (or, preferably, add an exclusion for the Layer8 installation folder and MSI packages instead of disabling protection).
As a Local Administrator, open a command prompt and change directory to the Layer8 installation folder.
Run the “Layer8_InstallAll” batch file.
Start Internet Explorer, Firefox and Chrome and enable / allow the “Layer8” extension /
add-on when prompted (or enforce via group policy).
Login to Splunk and analyze your collected data using the dashboards and reports supplied with the Layer8 App for Splunk.
NOTE: You can check everything is installed and working by viewing the “Layer8 Status Page”
available by clicking “Start” > “Program Files” > “Logfiller” > “Layer8 Status Page”.
Removing the Layer8 Agents
6. License Keys
Trial and Permanent License Keys
When you install Layer8 a trial license key is provided which allows data generation for 30 days. When you purchase Layer8 you will be provided with a License key in the form of a LICENSE.INI file.
To publish the License key, simply copy the supplied file into the central deployment folder. For example, copy LICENSE.INI into;
\\myserver\layer8\
7. Troubleshooting & Technical Support
Layer8 on Client Systems
For troubleshooting missing / non-reported Layer8 data:
Check that anti-virus or other endpoint protection software (including Windows 8 Defender or SmartScreen) has not disabled or blocked installation of the Layer8 agents.
On the client computer, click “Start” > “Program Files” > “Logfiller” > “Layer8 Status Page”
or in any web browser, enter the URL http://127.0.0.1:50291/status?99. This status page will provide details on the Layer8 agent configurations, data upload status, errors, licensing and more.
If the Status Page is not available, open the Windows Event Viewer. Layer8 reports
successful program startup, configuration, and any license or policy errors to the Application Log and/or the Logfiller Log.
For missing “Logon Delay Times”, verify the policies and group permissions from Section 4
are correctly configured.
A correctly-configured system will show the following Logon Delay calculation in the local
Windows Logfiller Application Event Log – note the three “uxmtr” source events; the Logon Delay will be the third event, generated immediately after the user logs onto their machine.
Visit http://support.logfiller.com for further KB articles and other information.
Splunk Cloud / Splunk Universal Forwarder
Please consult the Splunk Answers knowledge base at http://splunk.com for issues relating to Splunk Cloud and the Splunk Universal Forwarder.
The following troubleshooting steps may be of use:
Check the firewall ports are open and allow the Splunk Universal Forwarder to send data to the Splunk Cloud.
In the Splunk Cloud account, make sure you have enabled the receiver, and port 9997 is configured.
Check the Splunk Universal Forwarder logs for errors. These are normally located in
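The forwarder-side checks in this section can be run as one script on the endpoint. The following is an added example for this guide, not tooling from Splunk or Logfiller. It assumes the default Universal Forwarder install path used in Section 5, that the forwarder's Windows service has its default name “SplunkForwarder”, Windows 8 / Server 2012 or later for Test-NetConnection, the %ALLUSERSPROFILE%-based data folder from the Vista-and-later inputs.conf stanzas, and the local Layer8 status URL given above. The splunkd.log location is Splunk's default for a Universal Forwarder install.

```powershell
# Added example for the Layer8 Quick Start Guide, not Splunk or Logfiller code.
# Assumptions (adjust to your environment):
#   - Universal Forwarder installed at the default path from Section 5
#   - UF Windows service name is the default "SplunkForwarder"
#   - Test-NetConnection is available (Windows 8 / Server 2012 and later)
#   - Layer8 status page on http://127.0.0.1:50291/status?99 as given in Section 7
#   - splunkd.log at the UF default location var\log\splunk\splunkd.log
# Run from an elevated PowerShell prompt on the endpoint.
$ErrorActionPreference = 'Continue'
$uf     = Join-Path $env:ProgramFiles 'SplunkUniversalForwarder'
$splunk = Join-Path $uf 'bin\splunk.exe'

# 1. Is the forwarder service running at all?
Get-Service -Name SplunkForwarder | Format-Table Status, Name -AutoSize

# 2. Effective inputs: btool merges every inputs.conf copy, so this shows whether the
#    Layer8 monitor stanzas are really active and (with --debug) which file set each value.
& $splunk btool inputs list --debug | Select-String -Pattern 'logfiller'

# 3. Effective output target(s) from the merged outputs.conf, then a TCP reachability
#    test to each one. A failed test here points at the firewall / port 9997 items above.
$servers = & $splunk btool outputs list |
    Select-String -Pattern '^\s*server\s*=\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() -split '\s*,\s*' }
foreach ($s in $servers) {
    $hostName, $port = $s -split ':'
    $tcp = Test-NetConnection -ComputerName $hostName -Port ([int]$port) -WarningAction SilentlyContinue
    Write-Host ("{0}:{1} TCP reachable = {2}" -f $hostName, $port, $tcp.TcpTestSucceeded)
}

# 4. Recent forwarder errors and warnings from the UF's main log.
$log = Join-Path $uf 'var\log\splunk\splunkd.log'
if (Test-Path -Path $log) {
    Get-Content -Path $log -Tail 500 | Select-String -Pattern ' (ERROR|WARN) ' | Select-Object -Last 20
} else {
    Write-Warning "splunkd.log not found at $log"
}

# 5. Layer8 side: are data files appearing where inputs.conf expects them, and is the
#    local status page answering? No files here means the Layer8 agents, not the
#    forwarder, are the problem (see "Layer8 on Client Systems" above).
$dataDir = Join-Path $env:ALLUSERSPROFILE 'logfiller\lf-data'
Get-ChildItem -Path $dataDir -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 5 Name, Length, LastWriteTime
try {
    $r = Invoke-WebRequest -Uri 'http://127.0.0.1:50291/status?99' -UseBasicParsing -TimeoutSec 5
    Write-Host "Layer8 status page: HTTP $($r.StatusCode)"
} catch {
    Write-Warning "Layer8 status page not reachable: $($_.Exception.Message)"
}
```

Read the output top to bottom: a stopped service, a missing “logfiller” stanza in the btool output, a failed TCP test, or an empty lf-data folder each isolates the fault to a different layer (forwarder, forwarder configuration, network, or the Layer8 agents respectively), which is usually faster than reading splunkd.log first.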