Windows Sensor Installation

Learn how to install the CSE Windows Sensor.

This topic has instructions for installing the Windows Sensor. The sensor can send the data it collects to one of two destinations: the Sumo Logic platform or the legacy CSE server. The installation and setup process differs between the two destinations in two ways:

  • When you run the sensor installer, you are prompted to provide the URL of the destination. If you're configuring the sensor to work with the Sumo Logic platform, you will supply the URL of a Sumo Logic HTTP Source. If you’re configuring the sensor for the CSE server, you’ll supply the domain portion of the URL for your CSE portal.
  • If you’re configuring the sensor to work with the legacy CSE server, after you run the installer, you’ll add the Sensor’s API Key to the sensor’s settings.conf file.

For information about Windows Sensor functionality, see Windows Sensor Overview.

Requirements

Physical system requirements

In order to successfully install and operate the CSE Windows Sensor, the following machine requirements must be met:

Category: Requirements
Cores (CPU): 2
Memory (RAM): 4GB
Storage (Disk): 50GB
Operating System and Packages: Windows 2012 or later (with all patches installed) or Windows 10 or later (with all patches installed); .NET, v4.8 or later

Security requirements

The CSE Windows Sensor installs as a Windows Service.

The sensor installer prompts you to supply a Windows Service Account that the CSE service will impersonate, that is, the user context under which the service will run. You should use a dedicated Windows service account for the CSE Windows Sensor service.

The user account you specify can belong to any number of groups in the operating system, but certain ones are mandatory:

  • Event Log Readers. This enables the sensor to read the event logs on the Microsoft Windows Domain Controllers. The service account must be a member of the Domain’s Event Log Readers group. If you intend to run the Localhost monitor, which is disabled by default, the service account must be a member of the local machine’s Event Log Readers group. If the Domain Controller Monitor is disabled, then the Service Account does not need to be in the domain’s Event Log Readers group.
  • Performance Monitor Users. This enables the sensor to read CPU and memory usage telemetry. Without this information, the sensor will not run. The service account must be a member of the local machine’s Performance Monitor Users group. If the sensor is installed directly on a domain controller, then the Performance Monitor Users group will be the domain’s Performance Monitor Users group.
  • Logon as a Service. The service account must be granted Logon as a Service privileges on the Microsoft Windows machine that it is installed on.

Outbound internet communications requirements

If there is a firewall in place, you must enable the following rules on the firewall:

TCP/443 <customername>.portal.jask.ai
TCP/443 <customername>-ingest.portal.jask.ai
TCP/443 <customer-prefix>.sumologic.com (for example: https://endpoint5.collection.us2.sumologic.com)
TCP/443 34.223.47.64/27
TCP/443 3.122.132.160/27
TCP/443 99.79.83.0/27
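
A preflight check for the requirements above, as an added example that is not part of the original documentation or the vendor's tooling. The account name and destination host are placeholders, and the domain group check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: preflight check, run from an elevated prompt on the intended sensor host.
param(
    [string]$ServiceAccount = 'EXAMPLE\svc-cse-sensor',      # hypothetical service account
    [string[]]$Destinations = @('collectors.sumologic.com')  # host of your HTTP Source or CSE portal
)
$checks = [ordered]@{}

# .NET Framework 4.8 and later report a Release value of 528040 or higher.
$net = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$checks['.NET 4.8 or later'] = $net.Release -ge 528040

# Compare by SID so the result does not depend on how the account name is written.
$sid = ([Security.Principal.NTAccount]$ServiceAccount).Translate(
        [Security.Principal.SecurityIdentifier]).Value

# Local group: direct members only, nested groups are not expanded.
$local = Get-LocalGroupMember -Group 'Performance Monitor Users'
$checks['Local Performance Monitor Users'] = @($local.SID.Value) -contains $sid

# Domain group: needed while the Domain Controller Monitor is enabled.
if (Get-Module -ListAvailable ActiveDirectory) {
    $domain = Get-ADGroupMember -Identity 'Event Log Readers' -Recursive
    $checks['Domain Event Log Readers'] = @($domain.SID.Value) -contains $sid
}

# Logon as a Service: export local user rights and look for the SID under
# SeServiceLogonRight. Only direct assignments listed by SID are matched.
$tmp = Join-Path $env:TEMP 'cse-user-rights.inf'
secedit /export /cfg $tmp /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $tmp -Pattern '^SeServiceLogonRight\s*=\s*(.*)$'
$holders = if ($line) {
    $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object { $_.Trim(' *') }
} else { @() }
$checks['Logon as a Service'] = $holders -contains $sid
Remove-Item $tmp -ErrorAction SilentlyContinue

# Outbound TCP/443 with a 3 second timeout per destination.
foreach ($h in $Destinations) {
    $client = New-Object Net.Sockets.TcpClient
    try     { $ok = $client.ConnectAsync($h, 443).Wait(3000) }
    catch   { $ok = $false }
    finally { $client.Close() }
    $checks["TCP/443 to $h"] = $ok
}

$checks.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } } |
    Format-Table -AutoSize
```

A passing TCP/443 row only shows that the connection opens; a proxy that intercepts TLS can still block the sensor's uploads.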

Before you install

Choose or create Domain Member Server

By default, the CSE Windows Service will monitor the event logs on every domain controller in your Microsoft Active Directory domain. Identify a Domain Member Server that belongs to the same Active Directory domain as the domain controller that you’d like to monitor. This is where you will install the Windows Sensor. If desired, create a new Domain Member Server.  

Download the Windows Sensor installer

  1. In the CSE web UI, click the gear icon, then click Sensors.
  2. On the Sensors page, click Add.
  3. On the Add Sensor popup, click Windows Event Sensor.
  4. Click Windows Sensor Installer to download the sensor installer.
  5. If you are going to install the Windows Sensor to send data to the legacy CSE server (as opposed to the Sumo Logic platform) there are two pieces of information to collect from the CSE portal now:
    • CSE Portal domain. Copy and save the domain portion of the URL in the address bar of your browser. The format is: https://[your-portal-name].portal.jask.ai 
    • Sensor Key. Copy and save the Sensor Key from the Add Sensor panel. This is also known as the Sensor API Key.

Set up Sumo Logic Collector and Source (Sumo Logic platform only)

Perform these steps if you are going to use the Windows Sensor to send data to the Sumo Logic platform.  

  1. Set up a Sumo Logic Hosted Collector. For instructions, see Configure a Hosted Collector.
  2. Set up a Sumo Logic HTTP Source on the Hosted Collector you configured in the previous step. For instructions, see HTTP Logs and Metrics Source. When you complete the source configuration, you are presented with the URL for the source.
  3. Copy and save the HTTP Source Address shown. When you install the Windows Sensor, you’ll be prompted to enter the URL.

Install the Windows Sensor

  1. Copy the installer that you downloaded from the CSE portal to the Domain Member Server.  
  2. Start the installer.
  3. Windows may prompt you to confirm that you want to run the installer. Click Run anyway to proceed. 
  4. Windows prompts you to confirm that you want the installer to make changes to your system. Click Yes to continue.
  5. The installer asks if you want to start the installation. Click Next to proceed.
  6. The installer prompts you to enter:
    1. Domain. Enter the name of the Windows domain from which the sensor will collect logs.
    2. Username. Enter the username for the service account the sensor service will run under. 
    3. Password. Enter the password for the service account.
    4. Skip validating. Leave the checkbox unchecked.
    5. Click Next to proceed. 
  7. The installer starts to validate the account credentials you provided. Click OK to proceed.
  8. The installer confirms that the account validation succeeded. Click OK to proceed.
  9. The installer prompts you to enter a Sensor address, which is the URL to which the sensor will send the data it collects. What you enter depends on whether you’ll use the sensor with the Sumo Logic platform or the legacy CSE server:
    • Sumo Logic platform. Enter the Sumo Logic HTTP Source URL that you copied and saved when you created the HTTP source. An HTTP Source URL starts like this:
      https://collectors.sumologic.com/receiver/v1/http/…
    • Legacy CSE server. Enter the domain portion of the URL for the CSE portal, which looks like this:
      https://[your-portal-name].portal.jask.ai
  10. The installer reports that the installation is completing. Click Finish.
  11. If you’re installing the sensor to send the data it collects to the Sumo Logic platform, you’re done. Follow the instructions in Verify the service is running, below.

    Otherwise, if you’re installing the sensor to send the data it collects to the legacy CSE server, perform the steps in the following section.

Add Sensor Key to settings.conf (legacy CSE server only)

In this step, you update the Windows Sensor configuration file, settings.conf, with the Sensor Key that you copied from the CSE portal above.

  1. Go to Windows Service Control Manager, at Start > Control Panel > Services.
  2. Select the Sumo Logic CSE Windows Sensor Service, and stop it.
  3. In Windows Explorer, navigate to the C:\ProgramData\Sumo Logic\CSE Windows Service folder.
  4. Open settings.conf with Windows Notepad, as Administrator.
  5. Add the following line to the file, supplying the Sensor Key that you copied from the CSE portal above.
    "SensorApiKey": "12345678-0000-0000-0000-123456789012",
  6. Start the service.

Installation and configuration are now complete. Proceed to Verify the service is running, below.

Verify the service is running

To verify that the Windows service that runs the sensor is running, open Windows Service Control Manager (Start > Control Panel > Services) and check that the SLCSE process is running, set to automatic, and running as the user you expect.
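
The same verification from PowerShell, as an added example that is not part of the original documentation: it reports the service state, start mode and logon account, then lists broad built-in groups that can read settings.conf, which holds the Sensor Key on a legacy CSE server setup. The expected account is a placeholder, and matching the service by a display name beginning with "Sumo Logic CSE" is an assumption based on the label used in this topic.

```powershell
# Added example (not vendor code): post-install check of the sensor service and its config file.
param(
    [string]$ExpectedAccount = 'EXAMPLE\svc-cse-sensor',  # hypothetical service account
    [string]$ConfigPath = 'C:\ProgramData\Sumo Logic\CSE Windows Service\settings.conf'
)

# Assumption: the service display name starts with the label shown in Services.
$services = @(Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Sumo Logic CSE%'")
if ($services.Count -eq 0) { throw 'No Sumo Logic CSE service is registered on this host.' }

$services | ForEach-Object {
    [pscustomobject]@{
        Service         = $_.Name
        Running         = $_.State -eq 'Running'
        Automatic       = $_.StartMode -eq 'Auto'
        RunsAs          = $_.StartName
        # StartName may be DOMAIN\user or user@domain; adjust the expected value to match.
        ExpectedAccount = $_.StartName -eq $ExpectedAccount
    }
} | Format-List

# On a legacy CSE server setup, settings.conf holds the Sensor Key.
# List allow rules that give broad built-in groups read access to it.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$read  = [Security.AccessControl.FileSystemRights]::ReadData
$rules = (Get-Acl -Path $ConfigPath).GetAccessRules(
            $true, $true, [Security.Principal.SecurityIdentifier])
$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad.ContainsKey($_.IdentityReference.Value) -and
    ($_.FileSystemRights -band $read)
} | ForEach-Object {
    [pscustomobject]@{
        Principal = $broad[$_.IdentityReference.Value]
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize
```

An empty second table means none of the three broad groups has read access to the file.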