Quick Start Guide

This document details the procedure for installing Layer8 software agents and reporting dashboards. Deployment to data analysis takes approximately 15 minutes. If you wish to deploy via Group Policy, SCCM or another standard MSI deployment tool, please consult the Advanced Guide.

Version: 3.5
Contents

1. Introduction to Layer8
2. Layer8 Components
3. Hardware & Software Prerequisites
4. User Account Configuration Steps
5. Installation & Removal
6. License Keys
7. Troubleshooting & Technical Support

About This Quick Start Guide

This guide provides information to manually install Layer8 agents via a supplied batch file, which can be useful for testing a small group of systems. For larger, silent, Group Policy installations consult the Layer8 Advanced Install Guide.

This guide also provides details on using Splunk reporting software, which enables fast, immediate evaluation of Layer8 via a wide range of supplied dashboards, reports and data analysis tools. Additionally, Layer8 data can be fed into virtually any reporting, BI, analytics or SIEM software. Please contact us for details.

NOTE: Splunk Enterprise
For fast viewing of data, Layer8 utilizes Splunk Enterprise, a data analytics tool which is free for analyzing 500MB of data per day, sufficient for between 1000-2500 Layer8 users. If you are already using Splunk Enterprise or Splunk Cloud edition and you wish to use Splunk's own Universal Forwarder, please consult the Quick Start Guide Using the Splunk Universal Forwarder.

NOTE: Citrix XenApp / XenDesktop, VMware Horizon, MS RDS, Hyper-V
There are some additional configuration steps required when deploying Layer8 to virtualized desktops or virtualized applications. Please review the Layer8 Virtualization Installation Guide for additional information. Layer8 is certified Citrix Ready.

http://logfiller.com
1. Introduction to Layer8

Layer8 from Logfiller measures the actual usage and User Experience of all Windows based systems, logon delays, applications and web services. From Logon to Logoff and everything in between, Layer8's patent pending technology provides unique insights that also complement machine data sources.

2. Layer8 Components

Layer8 generates data via an installed agent, a data forwarder service and web browser extensions installed on each Windows endpoint / server. The following are included as standard MSI packages in the Layer8 installation download:

a) Layer8 User Experience Meter Agent (uxmtr)
b) Layer8 Forwarder Service (dcac)
c) Layer8 Web Browser extensions for IE, Chrome and Firefox

Both agents (uxmtr and dcac) are required for all installation endpoints. The web browser extensions are optional.

3. Hardware & Software Prerequisites

Layer8 can be installed on any system which runs Windows XP and higher, 32-bit or 64-bit, physical or virtual, servers, workstations or laptops. Standalone and domain users are supported.

- Microsoft Windows XP/SP3, 2003/SP2, Vista, 2008, 2008R2, 2012, 2012 R2, 7, 8, 8.1+, 10
- Microsoft Terminal Services / Microsoft Remote Desktop Services servers
- Virtualization platforms - Citrix XenApp, XenDesktop, VMware Horizon, Hyper-V
- RAM Usage - 2MB to 6MB
- Processor usage - negligible
- Disk Space - average of 0.2MB to 1MB per day of temporary per user
- One or more Web Browsers e.g. Internet Explorer, Chrome or Firefox
- For reporting: Splunk Enterprise, Splunk Cloud, or any other SIEM / Log Manager solution

Other than Windows, there are NO other software prerequisites, i.e. there is no requirement for Java, .NET, JavaScript etc. to be installed on any system.
4. User Account Configuration Steps

In order to calculate Logon Delays, Layer8 needs to be able to read the local Windows Security Event Log. There are two ways to approach this, depending on whether the endpoints you are deploying to are running Windows XP or Windows Vista and above.

NOTE: If deploying across a network with Active Directory, changes can be made to Group Policy as needed. Consult the Layer8 Advanced Install Guide for instructions using this method.

Windows XP Procedure:

- As a Local Administrator, open a command prompt or click "Start > Run" and enter secpol.msc
- In the "Local Security Settings" window, expand Local Policies > Audit Policy > Audit Logon Events, enable Success
- In the "Local Security Settings" window, expand User Rights Assignment > Manage auditing and security log, double-click and add Domain Users or Everyone as required
- Close the "Local Security Settings" window

Windows Vista and above Procedure:

- As a Local Administrator, open a command prompt or click "Start > Run" and enter lusrmgr.msc
- In the "Local Users and Groups" window, double-click "Groups" > "Event Log Readers" > "Add".
- Enter the local username to add (e.g. Domain Users/Everyone).
- Click "Check Name" then "OK" > "OK" and close the "Local Users and Groups" window.
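
The result of the Windows Vista and above procedure can be reviewed from an elevated PowerShell prompt. The script below is an added example, not part of the Layer8 package: it lists who now holds read access to the event logs through the Event Log Readers group, marks principals that cover every user, and reports the Logon audit setting that the Windows XP procedure enables explicitly. The function names are hypothetical, and it assumes Windows PowerShell 5.1 or later on an English-language system.

```powershell
#Requires -RunAsAdministrator
# Added example, not Logfiller code. Needs Windows PowerShell 5.1 or later.

# Well-known identifiers defined by Windows, not by Layer8.
$EventLogReadersSid = 'S-1-5-32-573'                            # BUILTIN\Event Log Readers
$LogonSubcategory   = '{0CCE9215-69AE-11D9-BED3-505054503030}'  # Audit Logon subcategory
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

function Get-EventLogReaderReview {
    # One row per group member; Broad marks principals that cover every user.
    Get-LocalGroupMember -SID $EventLogReadersSid | ForEach-Object {
        $sid = $_.SID.Value
        # Domain Users is <domain SID>-513, so match on the trailing RID.
        $broad = $BroadSids.ContainsKey($sid) -or ($sid -match '^S-1-5-21-.+-513$')
        [pscustomobject]@{
            Member = $_.Name
            Sid    = $sid
            Source = $_.PrincipalSource
            Broad  = $broad
        }
    }
}

function Get-LogonAuditSetting {
    # auditpol /r prints CSV. On English-language Windows the
    # "Inclusion Setting" column reads Success, Failure,
    # Success and Failure, or No Auditing.
    $row = auditpol /get "/subcategory:$LogonSubcategory" /r |
        Where-Object { $_ } | ConvertFrom-Csv | Select-Object -First 1
    [pscustomobject]@{
        Subcategory   = $row.Subcategory
        Setting       = $row.'Inclusion Setting'
        SuccessLogged = $row.'Inclusion Setting' -like '*Success*'
    }
}

Get-EventLogReaderReview | Format-Table -AutoSize
Get-LogonAuditSetting    | Format-List
```

Rows with Broad set to True show that every user covered by that principal can read the local event logs, which is the access this section grants when Domain Users or Everyone is added.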
5. Installation & Removal

The key steps for manually installing Layer8 agents are as follows:

- Download, install and configure Splunk Enterprise
- Install the Layer8 App for Splunk in Splunk Enterprise
- Install the Layer8 agents

Download, Install & Configure Splunk Enterprise

Download Splunk Enterprise from http://splunk.com and install.

Install the Layer8 App for Splunk in Splunk Enterprise

Click Apps > Manage Apps > Install App from file and select the Layer8 App for Splunk file from the Layer8 installation package.
Install the Layer8 Agents

- Extract the Layer8 software package to any local or network drive letter or UNC share.
- MANDATORY STEP 1: You must edit the supplied config.ini file from the Layer8 installation folder to include the IP address of your Splunk server in both the DataOutput#1 and AlertOutput#1 sections.
- MANDATORY STEP 2: Using Notepad or similar, edit the supplied Layer8_InstallAll.EDITTHIS file and specify the UNC path to the root of the extracted Layer8 software folder. Save the file with a .bat extension.
- Temporarily disable any anti-virus or other software / application blocking feature which may interfere with installation.
- As a Local Administrator, open a command prompt and change directory to the Layer8 installation folder.
- Run the Layer8_InstallAll batch file.
- Reboot the computer and start using it as normal.
- Start Internet Explorer, Firefox and Chrome and enable / allow the Layer8 extension / add-on when prompted (or enforce via group policy).
- Log in to Splunk and analyze your collected data using the supplied dashboards & reports.
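
A pre-deployment check for MANDATORY STEP 1, as an added example that is not part of the Layer8 package: it confirms that both the DataOutput#1 and AlertOutput#1 sections contain an IPv4 address and that the two sections agree. It assumes config.ini uses ordinary INI syntax ([section] headers and key=value lines) and a single Splunk server; the function name, the key name Address and the sample addresses are constructed, and the check ignores key names.

```powershell
# Added example, not Logfiller code. INI-style syntax is an assumption.
function Test-Layer8OutputConfig {
    param(
        [string[]] $Lines,
        [string[]] $Sections = @('DataOutput#1', 'AlertOutput#1')
    )
    $found = @{}      # section name -> IPv4 addresses found in its values
    $current = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $found.ContainsKey($current)) { $found[$current] = @() }
            continue
        }
        # Skip text before the first section, comments and lines without a value.
        if (-not $current -or $text -match '^[;#]' -or $text -notmatch '=') { continue }
        $value = ($text -split '=', 2)[1]
        foreach ($m in [regex]::Matches($value, '\b(\d{1,3}\.){3}\d{1,3}\b')) {
            $ip = $null
            if ([System.Net.IPAddress]::TryParse($m.Value, [ref]$ip)) {
                $found[$current] += $ip.ToString()
            }
        }
    }
    $report = foreach ($name in $Sections) {
        $status = 'OK'
        if (-not $found.ContainsKey($name)) { $status = 'SectionMissing' }
        elseif ($found[$name].Count -eq 0)  { $status = 'NoIPAddress' }
        [pscustomobject]@{ Section = $name; Status = $status; Addresses = $found[$name] -join ', ' }
    }
    # Both sections should name the same Splunk server (single-server assumption).
    $ok = @($report | Where-Object Status -eq 'OK')
    if ($ok.Count -eq $Sections.Count -and @($ok.Addresses | Select-Object -Unique).Count -gt 1) {
        $report | ForEach-Object { $_.Status = 'AddressMismatch' }
    }
    $report
}

# Constructed sample: the second section still holds an unedited placeholder.
$sample = @'
[DataOutput#1]
Address=192.0.2.10
[AlertOutput#1]
Address=SPLUNK_SERVER_IP
'@ -split '\r?\n'
Test-Layer8OutputConfig -Lines $sample | Format-Table -AutoSize
```

To check a real file, pass `(Get-Content .\config.ini)` as `-Lines` before running the install batch file.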
NOTE: You can check everything is installed and working by viewing the Layer8 Status Page, available by clicking Start > Program Files > Logfiller > Layer8 Status Page.

Removing the Layer8 Agents

The Layer8 agents are manually uninstalled using Control Panel > Add/Remove Programs.
6. License Keys

Trial and Permanent License Keys

When you install Layer8, a trial license key is provided which allows data generation for 30 days.

When you purchase Layer8, you will be provided with a license key in the form of a LICENSE.INI file. To publish the license key, simply copy the supplied file into the central deployment folder. For example, copy LICENSE.INI into:

\\myserver\layer8\

On the next restart or policy refresh, your client computers will pick up this new license key.
7. Troubleshooting & Technical Support

Layer8 on Client Systems

For troubleshooting missing / non-reported Layer8 data:

- Confirm that clients are sending data to the correct Splunk server IP address as specified in the Layer8 config.ini file, and inspect the Logfiller Status Page on each client to see if the Successful Data Upload messages appear.
- On the client computer, click Start > Program Files > Logfiller > Layer8 Status Page or, in any web browser, enter the URL http://127.0.0.1:50291/status?99
  This status page will provide details on the Layer8 agent configurations, data upload status, errors, licensing and more.
- If the Status Page is not available, open the Windows Event Viewer. Layer8 reports successful program startup, configuration, and any license or policy errors to the Application Log and/or the Logfiller Log.
- For missing Logon Delay Times, verify the policies and group permissions from Section 4 are correctly configured.
- Check that anti-virus or other endpoint protection software (including Windows Defender or SmartScreen) has not disabled or blocked installation of the Layer8 agents.

A correctly configured system will show the following Logon Delay calculation in the local Windows Logfiller Application Event Log. Note the three uxmtr source events; the Logon Delay will be the third event generated immediately after the user logs onto their machine.

Visit http://support.logfiller.com for further KBs and other information.

Splunk Enterprise - Troubleshooting

Please consult the Splunk Answers KBs at http://splunk.com for all issues relating to Splunk Enterprise.

Testing has shown the following troubleshooting steps to be of use:

- Check the firewall ports are open and allow clients to send data via the chosen protocol.
- Confirm the Layer8 App for Splunk has been configured correctly to match the configuration settings of the Layer8 agents.
- Click Settings > Indexes and make sure the Logfiller index is listed and enabled. If it is not listed or enabled, contact your Splunk administrator and confirm the Layer8 App is installed properly.
- Consider checking the file/directory permissions on the Splunk Enterprise server if the index is listed and enabled but no data appears to be indexed.