Advanced Install & Configuration Guide

Academic year: 2021

This document details advanced installation and configuration options for Layer8 software agents.

Delivered as standard MSI packages, Layer8 deployment can be made via AD Group Policy, SCCM or other deployment tool.


Contents

1. Introduction to Layer8
2. Layer8 Components
3. Hardware & Software Prerequisites
4. Installation & Removal
5. License Keys
6. Troubleshooting & Technical Support
7. Advanced CONFIG parameters

About This Advanced Install Guide

This guide provides information to automatically install Layer8 agents via Microsoft AD Group Policy. Deployment can also be made using any other tool which supports standard MSI packages. This guide also provides details to use Splunk reporting software – which enables fast, immediate evaluation of Layer8 data via a wide range of supplied dashboards & reports.

Additionally, Layer8 can be configured to simultaneously send data to virtually any reporting, BI, analytics, SIEM, Log manager, ITIL or other software or database which accepts a standard data input. Please contact us for details.

NOTE: Splunk Enterprise

For fast viewing of data, Layer8 utilizes Splunk Enterprise, a data analytics tool which is free for analyzing 500MB of data per day, sufficient for between 1000-2500 Layer8 users.

If you are already using Splunk Enterprise or Splunk Cloud edition and you wish to use Splunk’s own “Universal Forwarder”, please consult the “Quick Start Guide – Using the Splunk Universal Forwarder”.

NOTE: Citrix XenApp / XenDesktop, Hyper-V, VMware Horizon, MS RDS.

There are some additional configuration steps required when deploying Layer8 to virtualized desktop or virtualized applications. Please review the “Layer8 Virtualization Installation Guide” for additional information.


1. Introduction to Layer8

Layer8 from Logfiller measures the actual usage and User Experience of all virtual and physical Windows systems, generating data on logon delays, applications and web services,

From Logon to Logoff and everything in between, Layer8’s patent pending technology provides unique insights that complement machine data sources.

2. Layer8 Components

Layer8 generates data via an installed agent, a data forwarder service and web browser extensions installed on each physical or virtual Windows based endpoint / server.

The following are included as standard MSI packages in the Layer8 installation download:

a) Layer8 User Experience Meter Agent (“uxmtr”)
b) Layer8 Forwarder Service (“dcac”)
c) Layer8 Web Browser extensions for IE, Chrome and Firefox

Both agents (“uxmtr” and “dcac”) are required for all installation endpoints. The web browser extensions are optional.

3. Hardware & Software Prerequisites

Layer8 can be installed on any system which runs Windows XP and higher, 32-bit or 64-bit, physical or virtual, servers, workstations or laptops. Standalone and domain users are supported.

• Microsoft Windows – XP/SP3, 2003/SP2, Vista, 2008, 2008R2, 2012, 2012 R2, 7, 8, 8.1+, 10
• Microsoft Terminal Services / Microsoft Remote Desktop Services servers

4. Installation & Removal

The key steps for manually installing Layer8 agents are as follows:

• Download, install and configure Splunk Enterprise
• Install the “Layer8 App for Splunk” in Splunk Enterprise
• Prepare the Layer8 UNC share
• Enable Read Security Event Logs & Audit Logon Events
• Create the Group Policy Installation Objects

Download, Install & Configure Splunk Enterprise

• Download Splunk Enterprise from http://splunk.com and install it.

Install the “Layer8 App for Splunk” into Splunk


Prepare the Layer8 UNC Share

• Extract the Layer8 download software package to a network-accessible UNC share.

MANDATORY STEP Edit the supplied “config.ini” file from the Layer8 installation folder and add the IP address of your Splunk server in both the “DataOutput#1” and “AlertOutput#1” sections.

Enable Read Security Event Logs & Audit Logon Events

• Start Group Policy Management Editor and edit the Default Domain Policy

1. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Disable “Audit: Force audit policy subcategory

2. Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Enable “Audit logon events” for both Success and Failure

Create the Group Policy Installation Objects

• Start Group Policy Management Editor and expand the Domain.

• Right-click on Group Policy Objects > New, enter the name “Layer8 Deployment” > OK. Leave “Source Starter GPO” as (none).

• In the left pane, right-click on your domain in the tree, click “Link an Existing GPO” and choose “Layer8 Deployment” from the list.

• In the left pane, under your domain, right-click on the newly created Layer8 Deployment > Edit > Computer Configuration > Policies > Software Settings. Right-click on Software Installation > New > Package and browse the UNC share name to the following MSIs:

  • Layer8_Agent_Setup.msi
  • Optionally:
    Layer8ExtensionForIESetup.msi
    Layer8ExtensionForChromeSetup.msi
    Layer8ExtensionForFFSetup.msi

NOTE: When adding the packages, select “Assigned” as the Deployment Method, so that the software is installed automatically.

• After deployment, reboot the computers and start using them as normal.

• Start Internet Explorer, Chrome and Firefox and enable / allow the “Layer8” extension / add-on when prompted.

NOTE: You can check everything is installed and working by viewing the “Layer8 Status Page”, available by clicking “Start” > “Program Files” > “Logfiller” > “Layer8 Status Page” on a computer with Layer8 installed.

Removing the Layer8 Agents

• Start Group Policy Management Editor and expand the Domain.

5. License Keys

Trial and Permanent License Keys

When you install Layer8 a trial license key is provided which allows data generation for 30 days. When you purchase Layer8 you will be provided with a License key in the form of a LICENSE.INI file.

To publish the License key, simply copy the supplied file into the central deployment folder. For example, copy LICENSE.INI into:

\\myserver\layer8\


6. Troubleshooting & Technical Support

Layer8 on Client Systems

For troubleshooting missing / non-reported Layer8 data:

• Confirm that clients are sending data to the correct Splunk server IP address as specified in the Layer8 "config.ini" file and inspect the Logfiller Status Page on each client to see if the "Successful Data Upload" messages appear.

• On the client computer, click “Start” > “Program Files” > “Logfiller” > “Layer8 Status Page” or in any web browser, enter the URL http://127.0.0.1:50291/status?99. This status page will provide details on the Layer8 agent configurations, data upload status, errors, licensing and more.

• For missing “Logon Delay Times”, verify the policies and group permissions from Section 4 are correctly configured.

• Check that anti-virus or other endpoint protection software (including Windows Defender or SmartScreen) has not disabled or blocked installation of the Layer8 agents.

• Visit http://support.logfiller.com for further KBs and other information.

Splunk Enterprise

Please consult the Splunk Answers KB's at http://splunk.com for all issues relating to Splunk Enterprise

The following troubleshooting steps may be of use:

• Check the firewall ports are open and allow clients to send data via the chosen protocol
• Confirm the Layer8 App for Splunk has been configured correctly to match the configuration settings of the Layer8 agents

7. Advanced CONFIG Options

Advanced Configuration of Layer8 on Client Systems

There are a number of optional CONFIG.INI parameters that can be used to customize the deployment for your organization.

Section: [dcacConfig]
Description: Contains parameters specific to the Layer-8 data collection and forwarding service

Parameter: DebugOutput
Type: boolean
Description: Controls debug output to dbgview. Default value: 0. -1 = on, 0 = off.
Example: -1

Parameter: StatusReport
Type: boolean
Description: Controls the DCAC browser based status report at http://127.0.0.1:50291/status:99. Default value: -1. -1 = enabled, 0 = disabled.
Example: 0

Parameter: DailyOpsLog
Type: boolean
Description: Controls debug output to a DailyOpsLog file. Default value: 0. -1 = on, 0 = off.
Example: 0

Parameter: DataFolderMaxSize
Type: integer
Description: The maximum size, in KB, the data folder is allowed to grow to. A value of

seconds. Default value = 15

Section: [DataOutput#1]
Description: The first data output configuration section (there must be at least one and there can be up to 99).

Parameter: DataCollectionScope
Type: string
Description: The MeterName that applies to this section, or All for all meters. Valid values are (multiple values are separated by ‘;’): All, DesktopAppMeter, WaitTimeMeter, LogonDelayMeter, LogoffDelayMeter, PageLoadMeter, DialogueBoxMeter. Default value: All
Example: All
Example: WaitTimeMeter;LogonDelayMeter

Parameter: Protocol
Type: string
Description: The protocol for the data upload. Valid options are: HTTP, TCP, FTP, SYSLOG, EVENTLOG, LOCALFILE, FILEAPPEND. Default value: blank

Parameter: DataFormat
Type: string
Description: The data format for the data upload.

JSON-AllFields

Parameter: Folder
Type: string
Description: Folder name (only applies for FTP and file based Protocols). Default value: blank
Example: MyData
Notes:
+ For the LocalFile or FileAppend creates a MyData folder under the default %programdata%Layer8-Data folder
+ For the FTP Protocol send the data to the folder name on the FTP server

Parameter: Address
Type: string
Description: IP or DNS address of receiving computer. No default value. Default value: blank
Example: L8ConfigServer or 211.211.34.56

Parameter: Port
Type: integer
Description: Target port on the receiving computer. No default value.
Example: 82

Parameter: Username
Type: string
Description: The optional username for the FTP Protocol. Default value: blank
Example: MyUsername

Parameter: Password
Type: string
Description: The optional username for the FTP Protocol. Default value: blank
Example: MyPassword

Section: [AlertOutput#1]
Description: The first Alert output configuration section (there must be at least

Parameter: Protocol
Type: string
Description: The protocol for the Alert upload. Valid options are: HTTP, TCP, FTP, SYSLOG, EVENTLOG, LOCALFILE, FILEAPPEND. Default value: blank

Parameter: Folder
Type: string
Description: Folder name (only applies for FTP and file based Protocols). Default value: blank
Example: MyAlert
Notes:
+ For the LocalFile or FileAppend creates a MyAlert folder under the default %programAlert%Layer8-Alert folder
+ For the FTP Protocol send the Alert to the folder name on the FTP server
+ Note re DataFormat: Alerts are formatted using string templates, see below

Parameter: Address
Type: string
Example: L8ConfigServer or 211.211.34.56

Parameter: Port
Type: integer
Description: Target port on the receiving computer. Default value: 0
Example: 82

Parameter: Username
Type: string
Description: The optional username for the FTP Protocol. Default value: blank
Example: MyUsername

Parameter: Password
Type: string
Description: The optional username for the FTP Protocol. Default value: blank
Example: MyPassword

Section: [uxmtrConfig]

Parameter: DebugOutput
Type: boolean
Description: Controls debug output to dbgview. Default value: 0. -1 = on, 0 = off.
Example: 0

Parameter: IncludeWindowTitle
Type: boolean
Description: When true, window titles are included in the data and alert event. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: IncludeIPAddress
Type: boolean
Description: When true, IP addresses are included in the data and alert event. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: IncludeURL
Type: boolean
Description: When true, URLs are included in the data and alert event. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: BrowserExes
Type: string
Description: The names of executables which identify browsers to Layer8.
Example: iexplore.exe; firefox.exe; chrome.exe; safari.exe

Parameter: NonBrowserExcludeExes
Type: string
Description: The names of executables to be ignored by Layer8. Default value: blank
Example: Mydocreader.exe

n components

Parameter: DistServerAddress
Type: string
Description: The IP address or DNS name of the Layer8 distribution server, the server running the Layer8WebServer plus optional port no. Default value: blank
Example: Layer8-Dist-Server:82 or 211.211.34.56:102

Parameter: ErrorEventLog
Type: boolean
Description: Controls error messages sent to the layer8-error log in the windows event log. Default value: -1. -1 = enabled, 0 = disabled.
Example: -1

Parameter: AnonymizeAllNames
Type: boolean
Description: Anonymize all names captured on the endpoint i.e. User, Domain and Computer. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: AnonymizeComputerNames
Type: boolean
Description: Anonymize computer names captured on the endpoint. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: AnonymizeDomainNames
Type: boolean
Description: Anonymize domain names captured on the endpoint. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: AnonymizeUserNames
Type: boolean
Description: Anonymize user names captured on the endpoint. Default value: -1. -1 = on, 0 = off.
Example: -1

Parameter: LogonDelayTimeLowReadingCutOff
Type: single
Description: The Logon Delay low reading cut-off threshold in seconds. Default value: 1.

Parameter: LogonDelayTimeHighReadingCutOff
Type: single
Description: The Logon Delay high reading cut-off threshold in seconds. Default value: 300.
Example: 300

Parameter: LogonDelayTimeAlertThreshold
Type: single
Description: The Logon Delay alert threshold in seconds for Logon Delays. Default value: 10.
Example: 10

Parameter: LogonDelayTimeAlertTemplate
Type: string
Description: The Logon Delay alert template in seconds for Logon Delays. Default value: See example column…
Example: Alert=LogonDelayTooLong AlertValue=%logondelay% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogonID="%logonid%"

Parameter: LogoffDelayTimeLowReadingCutOff
Type: single
Description: The Logoff Delay low reading cut-off threshold in seconds. Default value: 1.
Example: 1

Parameter: LogoffDelayTimeHighReadingCutOff
Type: single
Description: The Logoff Delay high reading cut-off threshold in seconds. Default value: 300.
Example: 300

Parameter: LogoffDelayTimeAlertThreshold
Type: single
Description: The Logoff Delay alert threshold in seconds for Logoff Delays. Default value: 10.
Example: 10

Parameter: LogoffDelayTimeAlertTemplate
Type: string
Description: The Logoff Delay alert template in seconds for Logoff Delays.

Default value: 1

Parameter: AppActiveTimeTimeHighReadingCutOff
Type: single
Description: The Active Time high reading cut-off threshold in seconds. Default value: -1. (-1 = no limit)
Example: -1

Parameter: AppActiveTimeTimeAlertThreshold
Type: single
Description: The Active Time alert threshold in seconds for Active Times. Default value: -1
Example: -1

Parameter: AppActiveTimeTimeAlertTemplate
Type: string
Description: The Active Time alert template in seconds for Active Times. Default value: See example column…
Example: Alert=ActiveTimeTooLong AlertValue=%ActiveTime% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

Parameter: AppWaitTimeTimeLowReadingCutOff
Type: single
Description: The Wait Time low reading cut-off threshold in seconds. Default value: 0.1
Example: 0.1

Parameter: AppWaitTimeTimeHighReadingCutOff
Type: single
Description: The Wait Time high reading cut-off threshold in seconds. Default value: 300. (-1 = no limit)
Example: 300

Parameter: AppWaitTimeTimeAlertThreshold
Type: single
Description: The Wait Time alert threshold in seconds for Wait Times. Default value: 10.
Example: 10

Parameter: AppWaitTimeTimeAlertTemplate
Type: string
Description: The Wait Time alert template in seconds for Wait Times. Default value: See example column…
Example: Alert=WaitTimeTooLong AlertValue=%WaitTime% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

Parameter: PageLoadTimeLowReadingCutOff
Type: single
Description: The Page Load low reading cut-off threshold in seconds. Default value: 1.
Example: 1

tOff threshold in seconds. Default value: 300. (-1 = no limit)

Parameter: PageLoadTimeAlertThreshold
Type: single
Description: The Page Load alert threshold in seconds for Page Loads. Default value: 10.
Example: 10

Parameter: PageLoadTimeAlertTemplate
Type: string
Description: The Page Load alert template in seconds for Page Loads. Default value: See example column…
Example: Alert=PageLoadTooLong AlertValue=%PageLoad% AlertThreshold=%threshold% Unit=Seconds ComputerName="%computername%" LogoffID="%Logonid%"

Parameter: DialogueBoxTimeLowReadingCutOff
Type: single
Description: The Dialogue Box low reading cut-off threshold in seconds. Default value: 0.
Example: 0

Parameter: DialogueBoxTimeHighReadingCutOff
Type: single
Description: The Dialogue Box high reading cut-off threshold in seconds. Default value: 0. (-1 = no limit)
Example: 0

Parameter: DialogueBoxTimeAlertThreshold
Type: single
Description: The Dialogue Box alert threshold in seconds for Dialogue Boxes. Default value: 0.
Example: 0

Parameter: DialogueBoxTimeAlertTemplate
Type: string
Description: The Dialogue Box alert template in seconds for Dialogue Boxes. Default value: See example column…

Simple window title and url field text replacements can be made for each of the output formats (CSV, NVP, XML, JSON) in the form [original text] --> [replacement text]

Non-printable characters can be represented by their equivalent unicode 2 digit hex numeric character code preceded by the % character, e.g. carriage return = %0D, line feed = %0A, etc. For instance, to replace the double quote character " with an escape sequence of \" for NVP formatted output, the dcac config entry will be NVPTransform=" --> \"

Note: if a transform contains the % character followed by a number then it must be represented in its unicode hex numeric form, e.g. %20 (space)

Examples of data transforms in a config.ini:

; DataTransformsEnabled=-1 enables the data transforms below

DataTransformsEnabled=-1

; The following replaces double quotes with two single quotes in csv files for window title and url text

CSVTransform#1=" --> ''

; The following replaces the upper case umlaut character with the text big umlaut, surrounded by spaces, in csv files for window title and url text

CSVTransform#2=Ö --> %20big umlaut%20

; The following replaces the lower case umlaut character with the text small umlaut, surrounded by spaces, in csv files for window title and url text

CSVTransform#3=%C3%B6 --> %20small umlaut%20

; The following replaces double quotes with two single quotes in nvp files for window title and url text
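
An added example (not Logfiller's code): a Python review of a config.ini against the parameters documented in Section 7, flagging the settings a security or privacy review would want to see before the file is published to the deployment share: debug output, the local status page, collection of window titles, URLs and IP addresses, disabled anonymization, and an FTP password stored in the file. The sample file and the section name HypotheticalSection are constructed; the page does not show which section holds the Anonymize* parameters, so they are matched in any section.

```python
import configparser

SAMPLE = """\
; constructed sample for this example, not a shipped Layer8 file
[dcacConfig]
DebugOutput=-1
StatusReport=0
[DataOutput#1]
Protocol=TCP
Address=192.0.2.10
[DataOutput#2]
Protocol=FTP
Address=192.0.2.11
Username=MyUsername
Password=MyPassword
[uxmtrConfig]
IncludeURL=0
LogonDelayTimeAlertTemplate=Alert=LogonDelayTooLong AlertValue=%logondelay%
[HypotheticalSection]
AnonymizeUserNames=0
"""

# (section, key, default documented in the guide, value to flag, finding)
CHECKS = [
    ("dcacConfig", "DebugOutput", "0", "-1", "debug output enabled"),
    ("dcacConfig", "DailyOpsLog", "0", "-1", "DailyOpsLog debug file enabled"),
    ("dcacConfig", "StatusReport", "-1", "-1", "local status page enabled"),
    ("uxmtrConfig", "DebugOutput", "0", "-1", "debug output enabled"),
    ("uxmtrConfig", "IncludeWindowTitle", "-1", "-1", "window titles collected"),
    ("uxmtrConfig", "IncludeURL", "-1", "-1", "URLs collected"),
    ("uxmtrConfig", "IncludeIPAddress", "-1", "-1", "IP addresses collected"),
]

def audit_layer8_config(text):
    """Return sorted 'section: finding' strings for a Layer8 config.ini."""
    # interpolation=None: alert templates hold %name% tokens that the default
    # interpolation would reject; only '=' separates key from value.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    found = []
    for section, key, default, flagged, note in CHECKS:
        # A missing section or key falls back to the documented default.
        if cp.get(section, key, fallback=default).strip() == flagged:
            found.append(f"{section}: {note}")
    for name in cp.sections():
        sec = cp[name]
        is_output = name.lower().startswith(("dataoutput#", "alertoutput#"))
        if (is_output and sec.get("Protocol", "").strip().upper() == "FTP"
                and sec.get("Password", "").strip()):
            found.append(f"{name}: FTP password stored in config.ini")
        for key, value in sec.items():  # configparser lower-cases key names
            if key.startswith("anonymize") and value.strip() == "0":
                found.append(f"{name}: {key} disabled")
    return sorted(found)
```

Because the guide documents the Include* parameters and StatusReport as defaulting to -1, a file that simply omits them is reported the same way as one that sets them to -1.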
