
Windows Sensor Installation (Legacy)

See instructions on how to install the Windows Sensor to work with the legacy CSE server.

This topic has instructions for installing the Windows Sensor in legacy mode, so that the sensor sends the data it collects to the legacy CSE server. For instructions on installing the Windows Sensor to send the data it collects to Sumo Logic CIP, see Windows Sensor Installation.

For information about Windows Sensor functionality, see Windows Sensor Overview.

Requirements

Physical system requirements

In order to successfully install and operate the CSE Windows Sensor, the following machine requirements must be met:

  • Cores (CPU)
    • 2
  • Memory (RAM)
    • 4GB
  • Storage (Disk)
    • 50GB
  • Operating System and Packages
    • Windows 2012 or later (with all patches installed) or Windows 10 or later (with all patches installed)
    • .NET, v4.8 or later

Security requirements

The CSE Windows Sensor installs as a Windows Service.

The sensor installer prompts you to supply a Windows Service Account that the CSE service will impersonate, that is, the user context under which the service will run. In most cases, you should use a dedicated Windows service account for the CSE Windows Sensor service. 

The user account you specify can belong to any number of groups in the operating system, but certain ones are mandatory:

  • Event Log Readers. This enables the sensor to read the event logs on the Microsoft Windows Domain Controllers. The service account must be a member of the Domain’s Event Log Readers group. If you intend to run the Localhost monitor, which is disabled by default, the service account must be a member of the local machine’s Event Log Readers group. If the Domain Controller Monitor is disabled, then the Service Account does not need to be in the domain’s Event Log Readers group.
  • Performance Monitor Users. This enables the sensor to read CPU and memory usage telemetry. Without this information, the sensor will not run. The service account must be a member of the local machine’s Performance Monitor Users group. If the sensor is installed directly on a domain controller, then the Performance Monitor Users group will be the domain’s Performance Monitor Users group.
  • Logon as a Service. The service account must be granted Logon as a Service privileges on the Microsoft Windows machine that it is installed on.

In limited circumstances, such as when the Sensor is configured to monitor only local event logs, it may be appropriate to run the Sensor service as Windows' built-in Local System account.  The Local System account already has all permissions necessary to run the Sensor service.

Outbound internet communications requirements

If there is a firewall in place, you must enable the following rules on the firewall:

TCP/443 <customername>.portal.jask.ai
TCP/443 <customername>-ingest.portal.jask.ai
TCP/443 34.223.47.64/27
TCP/443 3.122.132.160/27
TCP/443 99.79.83.0/27
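The following PowerShell script is an added pre-install check and is not part of Sumo Logic's sensor or documentation. It verifies the three group and privilege requirements above for the service account you intend to use, selecting the domain or local group according to the sensor mode and whether the host is a domain controller, and then tests outbound TCP/443 to the two portal hostnames. It assumes the ActiveDirectory PowerShell module is available for the domain-group checks and that you supply the `<customername>` part of the portal hostname; the published IP ranges are not probed.

```powershell
#Requires -RunAsAdministrator
<#
  Pre-install checks for the CSE Windows Sensor service account and outbound firewall rules.
  Added example, not Sumo Logic's own tooling. Assumes the ActiveDirectory module is present
  for the domain-group checks and that $PortalName is the <customername> portal prefix.
#>
param(
    [Parameter(Mandatory)] [string] $Domain,      # NETBIOS domain (or local machine name)
    [Parameter(Mandatory)] [string] $Username,    # service account name
    [Parameter(Mandatory)] [string] $PortalName,  # the <customername> part of the portal host
    [ValidateSet('DC', 'WEC', 'Local')] [string] $SensorMode = 'Local'
)

$account = "$Domain\$Username"
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string] $Check, [bool] $Pass, [string] $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Resolve the SID once: secedit and group listings may show principals as SIDs rather than names.
$sid = ([System.Security.Principal.NTAccount] $account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

function Test-LocalGroupMember([string] $Group) {
    # Direct membership only; nested group membership is not expanded here.
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
    return [bool] ($members | Where-Object { $_.SID.Value -eq $sid })
}

function Test-DomainGroupMember([string] $Group) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $members = Get-ADGroupMember -Identity $Group -Recursive
    return [bool] ($members | Where-Object { $_.SID.Value -eq $sid })
}

function Test-LogonAsServiceRight {
    # Export the local user-rights policy and look for the account (or its SID) on SeServiceLogonRight.
    $cfg = Join-Path $env:TEMP 'cse-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }
    Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    $grantees = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    # A grant inherited through a group is not detected; only direct grants to the account are.
    return [bool] ($grantees | Where-Object { $_ -eq $sid -or $_ -ieq $account })
}

# Win32_ComputerSystem.DomainRole of 4 or 5 means this machine is a domain controller.
$onDomainController = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($SensorMode -eq 'DC') {
    Add-Result 'Domain Event Log Readers' (Test-DomainGroupMember 'Event Log Readers') 'read DC security logs'
} else {
    Add-Result 'Local Event Log Readers' (Test-LocalGroupMember 'Event Log Readers') 'localhost monitor'
}
if ($onDomainController) {
    Add-Result 'Domain Performance Monitor Users' (Test-DomainGroupMember 'Performance Monitor Users') 'CPU/memory telemetry'
} else {
    Add-Result 'Local Performance Monitor Users' (Test-LocalGroupMember 'Performance Monitor Users') 'CPU/memory telemetry'
}
Add-Result 'Logon as a Service' (Test-LogonAsServiceRight) 'SeServiceLogonRight on this machine'

# Outbound TCP/443 to the two portal hostnames listed in the firewall requirements.
foreach ($portalHost in @("$PortalName.portal.jask.ai", "$PortalName-ingest.portal.jask.ai")) {
    $ok = (Test-NetConnection -ComputerName $portalHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
    Add-Result "TCP/443 to $portalHost" $ok 'outbound firewall rule'
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Run it elevated on the Domain Member Server, for example `.\Test-CseSensorPrereqs.ps1 -Domain MYDOMAIN -Username svc_cse -PortalName mycompany -SensorMode DC`. A non-zero exit code means at least one requirement is missing; the table shows which. Membership via nested groups and a Logon as a Service grant made to a group rather than the account are reported as failures, so confirm those cases by hand.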

Before you install

Choose or create Domain Member Server

By default, the CSE Windows Service will monitor the event logs on every domain controller in your Microsoft Active Directory domain. Identify a Domain Member Server that belongs to the same Active Directory domain as the domain controller that you’d like to monitor. This is where you will install the Windows Sensor. If desired, create a new Domain Member Server. 

Download the Windows Sensor installer

Follow the instructions in this section to download the Windows Sensor installer from the CSE UI.

  1. In the CSE web UI, click the gear icon, then click Sensors.
    config-gear-sensor.png
  2. On the Sensors page, click Add.
    add-sensor-icon.png
  3. On the Add Sensor popup, click Windows Event Sensor.
    windows-sensor-button.png
  4. Click Windows Sensor Installer to download the sensor installer.
    download-sensor.png
  5. Collect the following information from the CSE portal now:
    • CSE Portal domain. Copy and save the domain portion of the URL in the address bar of your browser. The format is: https://[your-portal-name].portal.jask.ai 
    • Sensor Key. Copy and save the Sensor Key from the Add Sensor panel. This is also known as the Sensor API Key.

Install the Windows Sensor

  1. Copy the installer that you downloaded from the CSE portal to the Domain Member Server.  
  2. Start the installer.
  3. Windows prompts you to confirm that you want the installer to make changes to your system. Click Yes to continue.
    CSEWindowsSensorInstall_01.png
  4. The installer asks if you want to start the installation. Click Next to proceed.
    CSEWindowsSensorInstall_02.jpg
  5. The installer prompts for information about what types of records the sensor will be monitoring. You can select one of the following:
    • Domain Controllers. Select this option to monitor security event logs from all Domain Controllers (up to 25) on the domain of the computer on which the sensor is installed.

      If you want the sensor to periodically poll for Active Directory entities, leave the Monitor Active Directory Inventory checkbox checked. (Active Directory monitoring requires that the computer where the sensor runs is a member of the domain to be monitored.)
      CSEWindowsSensorInstall_03a.png
    • Windows Event Collector. The sensor will monitor forwarded event logs from the computer you specify in the Hostname. To monitor events on the local computer where the sensor is installed, set Hostname to "localhost".

      If you want the sensor to periodically poll for Active Directory entities, leave the Monitor Active Directory Inventory checkbox checked. (Active Directory monitoring requires that the computer where the sensor runs is a member of the domain to be monitored.)
      CSEWindowsSensorInstall_03b.png
    • Local. Select this option to monitor Security event logs from the local computer that the sensor is installed on.

      By default, the Monitor Active Directory Inventory checkbox is not checked. If you want the sensor to periodically poll for Active Directory entities, select the checkbox. (Active Directory monitoring requires that the computer where the sensor runs is a member of the domain to be monitored.)
      CSEWindowsSensorInstall_03c.png
  6. Click Next.
  7. The installer prompts you to specify credentials for the Windows service account that will be used to run the sensor service. You have two options:
    • Specify a Service Account. When the computer where the sensor runs is a member of a domain and/or will be monitoring a remote machine, using a service account is considered best practice for security reasons. If you choose this option, go to step 8 after clicking Next.
    • Use Built-In Local System Account. Using the built-in account is a more streamlined process, and may be appropriate when monitoring event logs on the local machine. If you choose this option, go to step 11 after clicking Next.
  8. In this step, you enter credentials for the service account:
    1. Domain. Enter the name of the Windows domain associated with the service account. This should be the NETBIOS name of the domain, such as MYDOMAIN, rather than the FQDN (mydomain.com). To use a local Windows account rather than a domain account, specify the local machine name here.
    2. Username. Enter the username for the service account the sensor service will run under. 
    3. Password. Enter the password for the service account.
    4. Skip validating. Leave the checkbox unchecked.
    5. Click Next to proceed.
      CSEWindowsSensorInstall_04a-new.png
  9. The installer starts to validate the account credentials you provided. Click OK to proceed.
    CSEWindowsSensorInstall_03c.jpg
  10. The installer confirms that the account validation succeeded. Click OK to proceed.
    CSEWindowsSensorInstall_03e.jpg
  11. The installer prompts you to enter a Sensor address which is the URL to which the sensor will send the data it collects. Enter the domain portion of the URL for the CSE portal, which looks like this:
    https://[your-portal-name].portal.jask.ai 
    CSEWindowsSensorInstall_05.png
  12. The installer reports that the installation is completing. Click Finish.
    CSEWindowsSensorInstall_06.jpg
  13. Perform the steps in the following section.

Add Sensor Key to settings.conf

In this step, you update the Windows Sensor configuration file, settings.conf, with the Sensor Key that you copied from the CSE portal above.

  1. Go to Windows Service Control Manager, at Start > Control Panel > Services.
    service-control-manager.png
  2. Select the Sumo Logic CSE Windows Sensor Service, and stop it.
  3. In Windows Explorer, navigate to the C:\ProgramData\Sumo Logic\CSE Windows Sensor folder.
    windows-explorer.png
  4. Open settings.conf with Windows Notepad, as Administrator.
  5. Add the following line to the file, supplying the Sensor Key that you copied from the CSE portal above.
    "SensorApiKey": "12345678-0000-0000-0000-123456789012",
  6. Start the service.
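The steps above can be scripted. The following PowerShell script is an added example, not Sumo Logic's code: it stops the sensor service, keeps a timestamped backup of settings.conf, writes the SensorApiKey value, and restarts the service. It assumes settings.conf is a plain JSON object (the `"SensorApiKey": "..."` line shown above is JSON syntax) and that the service's display name contains "CSE Windows Sensor"; adjust the parameters if your installation differs. The key is read interactively so it does not end up in shell history.

```powershell
#Requires -RunAsAdministrator
<#
  Adds the Sensor Key to settings.conf and restarts the sensor service.
  Added example, not Sumo Logic's code. Assumes settings.conf is plain JSON and that the
  service display name matches $ServiceDisplayName (an assumption; adjust as needed).
#>
param(
    [string] $ConfigPath = 'C:\ProgramData\Sumo Logic\CSE Windows Sensor\settings.conf',
    [string] $ServiceDisplayName = '*CSE Windows Sensor*'
)

# Read the key as a SecureString so it is not echoed or kept in history, then unwrap it.
$secureKey = Read-Host -Prompt 'Sensor Key from the CSE portal' -AsSecureString
$sensorKey = [System.Net.NetworkCredential]::new('', $secureKey).Password
if ([string]::IsNullOrWhiteSpace($sensorKey)) { throw 'No Sensor Key entered.' }

$service = @(Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop)
if ($service.Count -ne 1) { throw "Expected exactly one service matching '$ServiceDisplayName', found $($service.Count)." }
$service = $service[0]

# Stop the service before editing, as the manual procedure does.
if ($service.Status -ne 'Stopped') {
    Stop-Service -Name $service.Name
    $service.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

# Keep a timestamped backup so a bad edit can be rolled back.
$backup = "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -Path $ConfigPath -Destination $backup

# Round-trip the JSON: add SensorApiKey, or replace it if a value is already present.
$settings = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
if ($settings.PSObject.Properties['SensorApiKey']) {
    $settings.SensorApiKey = $sensorKey
} else {
    $settings | Add-Member -NotePropertyName 'SensorApiKey' -NotePropertyValue $sensorKey
}
$settings | ConvertTo-Json -Depth 20 | Set-Content -Path $ConfigPath -Encoding UTF8

Start-Service -Name $service.Name
$service.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
Write-Host "SensorApiKey written to $ConfigPath (backup: $backup); service '$($service.Name)' is $((Get-Service -Name $service.Name).Status)."
```

ConvertTo-Json rewrites the whole file, so the key order and whitespace may change and any comments would be lost; if your settings.conf contains comments, fall back to inserting the single line by hand as in step 5. Once the key is in the file, settings.conf holds a credential: limit read access to Administrators and the sensor's service account, and treat the .bak copy the same way.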

Installation and configuration is now complete. Proceed to Verify the service is running below.

Install the Sensor from the Command Line

This section has instructions for using the Windows Sensor command line installer. These instructions apply to CSE Windows Sensor Version 1.11 (and higher).

About the command line installer

You can use the command line to do a fresh install of the Windows Sensor, to upgrade an existing installation to a newer version, or to uninstall the sensor.

When you do a fresh install, you set a few sensor configuration options that control basic sensor operation. Further customization of sensor behavior can be accomplished by manually modifying the sensor’s settings.conf file after installation is complete. When you upgrade the sensor to a new version, the sensor configuration options that were set in the prior installation are preserved, as are the options configured in the sensor’s settings.conf file.  

Installation options

This section defines installation options. 

General installation options

The options in this section relate to both new and upgrade installations. These options can only be provided on the command line. None of these options are required.

/VERYSILENT
The installer won’t display any user interface elements, so you won’t see the installation wizard and progress window.

/SUPPRESSMSGBOXES
The installer won’t prompt you for any information during the install process. You must provide installation options in the .INF file or at the command line. If you don’t provide required information, the installer will use default values whenever appropriate. This flag works only in conjunction with the /VERYSILENT flag.

/CLOSEAPPLICATIONS
The installer will automatically close any applications that use files that the installer will update.  Typically, this flag is necessary for upgrades and uninstalls. Note that the installer must run as an administrator to be able to stop the existing sensor service. If the installer needs to close a file and is unable to, it will request a Windows restart.

/LOG="filename"
The installer will create a log file in the location specified by filename that details the actions performed during the installation process. This flag can be useful in troubleshooting why an installation didn’t run as expected. Be sure to choose a file location to which the installer will have write access. If you use the LOG flag without specifying a file name, the log file will be written to the TEMP directory of the user running the installation.

/DONOTUPGRADE
By default, if the installer detects an earlier version of the CSE Windows Sensor already installed, it will upgrade the installation in place, preserving the existing settings—the ones configured previously by the installer and also the options configured in settings.conf. If you don’t want an existing sensor installation to be upgraded, include this flag on the command line. You might use this option in the event that you are expecting to do a new install, and want the installer to fail if it detects an existing version of the sensor on the target computer.

Windows service account options

The options defined in this section provide credentials for the Windows Service account that will run the sensor service. When the computer where the sensor runs is a member of a domain and/or will be monitoring a remote machine, using a service account is considered a best practice for security reasons. When you specify a service account, Domain, Username, and Password must ALL be supplied. If you don’t provide credentials to the installer, the sensor will default to running under the Built-In Local System Account.

Note, these options are applied to new installations only. When you run the installer, if it detects an existing version of the sensor, it will ignore any service account options you provide.

You can provide these options at the command line or in an .INF file. 

/DOMAIN="MYDOMAIN"
The name of the Windows domain associated with the service account. This should be the NETBIOS name of the domain, such as MYDOMAIN, rather than the FQDN (mydomain.com). To use a local Windows account rather than a domain account, specify the local machine name.

/USERNAME="user"
The username for the service account the sensor service will run under.

/PASSWORD="password"
The password for the service account.

/SKIPSERVICEACCOUNTVALIDATION
If you include this option, the installer will skip checks that verify that the credentials specified are both valid and have sufficient permissions for the sensor service to operate properly. Typically, you would use this option only when troubleshooting, as it allows the installer to complete successfully, but the sensor will likely not be able to start without additional, manual steps.

Sensor configuration options

This section describes options that control the behavior of the Windows Sensor. These options are applied to new installations only. When you run the installer, if it detects an existing version of the sensor, any sensor configuration options provided are ignored.

You can provide these options at the command line or in an .INF file. 

/ADDRESS="https://[your-portal-name].portal.jask.ai"
The URL to which the sensor sends the data it collects, an HTTP Source on the Sumo Logic platform. This setting is required for all new installations.

/SENSORMODE="local"
This option determines which event logs the sensor will monitor. Options are:
  • DC. Monitor security event logs from all Domain Controllers (up to 25) on the domain of the computer on which the sensor is installed.
  • WEC. Monitor forwarded event logs from the computer you specify in the WECHostname setting.
  • Local. Monitor Security event logs from the local computer that the sensor is installed on.
If /SENSORMODE is not specified, the sensor defaults to Local event log monitoring. The value is not case-sensitive.

/WECHOSTNAME="localhost"
This option, used only when /SENSORMODE="WEC", specifies which computer to monitor for event logs. If you configure WEC mode and don’t configure WECHostname, the sensor defaults to monitoring localhost, the local computer where the sensor is installed.

/MONITORACTIVEDIRECTORY
If you include this option, the sensor will periodically poll for Active Directory entities. (Active Directory monitoring requires that the computer where the sensor runs is a member of the domain to be monitored.) If you don’t include this option, Active Directory monitoring is still turned on by default in DC mode, and in WEC mode when a remote WECHostname is specified. For Local monitoring, Active Directory monitoring is turned off by default.

Specifying sensor options in an .INF file

/INFFILE="C:\Users\user\Documents\CSEWindowsSensorSettings.inf"

When you include this option, the installer will use the options defined in the specified .INF file rather than any that may have been included on the command line. The .INF file must be formatted using standard INF file syntax. For information about this syntax, see About INF File Architecture in Microsoft help.

Sensor options must be included in a section named Params. Those options include:

  • sensorMode
  • wecHostName
  • address
  • domain
  • username
  • password
  • monitorActiveDirectory—This is a boolean option. Use 0 for false, or 1 for true.
  • skipServiceAccountValidation—This is a boolean option. Use 0 for false, or 1 for true.

For more information about the options, see Sensor configuration options and Windows service account options.

Example .INF file
[Params]
Address=https://[your-portal-name].portal.jask.ai 
Domain=MYDOMAIN
Username=user
Password=password
SensorMode=DC
MonitorActiveDirectory=0

After Installation Completes

Once the command line installation has completed successfully, you must add the Sensor Key to the settings.conf file.  Then, proceed to Verify the service is running below.

Command line install examples

New Installation -  Local Sensor Mode using Local System Account (Defaults)

SumoLogicCSEWindowsSensor_v1.11.7809.31990.exe /VERYSILENT /SUPPRESSMSGBOXES /ADDRESS="https://[your-portal-name].portal.jask.ai"

New Installation -  Domain Controller Installation with Service Account

SumoLogicCSEWindowsSensor_v1.11.7809.31990.exe /VERYSILENT /SUPPRESSMSGBOXES /ADDRESS="https://[your-portal-name].portal.jask.ai" /SENSORMODE="DC" /domain="MYDOMAIN" /username="user" /password="password" 

New Installation -  Domain Controller Installation with Service Account, from .INF file

SumoLogicCSEWindowsSensor_v1.11.7809.31990.exe /VERYSILENT /SUPPRESSMSGBOXES /INFFILE="C:\Users\user\Documents\DCwithServiceAcct.inf" /LOG="C:\SensorInstall.log"

DCwithServiceAcct.inf contents:

[Params]
Address=https://[your-portal-name].portal.jask.ai
Domain=MYDOMAIN
Username=user
Password=password
SensorMode=DC

Upgrade installation - Settings from currently installed sensor are retained

SumoLogicCSEWindowsSensor_v1.11.7809.31990.exe /VERYSILENT /SUPPRESSMSGBOXES /CLOSEAPPLICATIONS

Uninstall the sensor

"C:\Program Files\Sumo Logic\CSE Windows Sensor\unins000.exe" /LOG="C:\SensorUninstall.log" /VERYSILENT /SUPPRESSMSGBOXES /CLOSEAPPLICATIONS
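The .INF examples above carry the service account password in clear text, so a scripted install should treat that file as a secret: create it with a restrictive ACL, hand it to the installer, and remove it as soon as the installer returns. The following PowerShell script is an added example that wraps the "Domain Controller Installation with Service Account, from .INF file" case; it is not Sumo Logic's code. It assumes the installer executable is in the current directory, prompts for the password with Get-Credential so the password never appears on a command line, and treats a non-zero installer exit code as failure (the flag names suggest an Inno Setup installer, for which zero means success; that is an assumption).

```powershell
#Requires -RunAsAdministrator
<#
  Silent install from a generated .INF file, with the .INF protected and cleaned up.
  Added example, not Sumo Logic's code. Assumes the installer exe is in the current directory
  and that a non-zero exit code means the install failed.
#>
param(
    [Parameter(Mandatory)] [string] $PortalName,   # the [your-portal-name] part of the portal URL
    [Parameter(Mandatory)] [string] $Domain,       # NETBIOS domain of the service account
    [Parameter(Mandatory)] [string] $Username,
    [ValidateSet('DC', 'WEC', 'Local')] [string] $SensorMode = 'DC',
    [string] $Installer = '.\SumoLogicCSEWindowsSensor_v1.11.7809.31990.exe'
)

$cred = Get-Credential -UserName "$Domain\$Username" -Message 'Password for the sensor service account'
$password = $cred.GetNetworkCredential().Password

$infPath = Join-Path $env:TEMP ('CSESensor_{0}.inf' -f [guid]::NewGuid())
$logPath = Join-Path $env:TEMP 'SensorInstall.log'

# Same layout as the DCwithServiceAcct.inf example: a [Params] section with the install options.
$inf = @"
[Params]
Address=https://$PortalName.portal.jask.ai
Domain=$Domain
Username=$Username
Password=$password
SensorMode=$SensorMode
"@
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# The file now contains a password: drop inherited ACEs and allow only the current user and SYSTEM.
$acl = Get-Acl -Path $infPath
$acl.SetAccessRuleProtection($true, $false)
foreach ($id in @([System.Security.Principal.WindowsIdentity]::GetCurrent().Name, 'NT AUTHORITY\SYSTEM')) {
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new($id, 'FullControl', 'Allow'))
}
Set-Acl -Path $infPath -AclObject $acl

try {
    $proc = Start-Process -FilePath $Installer -Wait -PassThru -ArgumentList @(
        '/VERYSILENT', '/SUPPRESSMSGBOXES', "/INFFILE=`"$infPath`"", "/LOG=`"$logPath`"")
    if ($proc.ExitCode -ne 0) {
        throw "Installer exited with code $($proc.ExitCode); see $logPath"
    }
} finally {
    # Best-effort overwrite, then delete, so the password does not linger on disk.
    if (Test-Path $infPath) {
        Set-Content -Path $infPath -Value ('0' * $inf.Length) -Encoding ASCII
        Remove-Item -Path $infPath -Force
    }
}
Write-Host "Install finished. Add the Sensor Key to settings.conf, then verify the service is running."
```

The installer log is written with the same user-only ACL concerns in mind: review `$logPath` for what it records before leaving it in place, and remember that, as the page notes, the service account options are ignored when an existing sensor is detected, so this script is for new installations only.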

Verify the service is running

To verify that the Windows service that runs the sensor is running, open Windows Service Control Manager (Start > Control Panel > Services) and check that the SLCSE service is running, that its startup type is set to Automatic, and that it is running as the user you expect.
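The same three checks (running, automatic start, expected account) can be run from PowerShell. The following script is an added example, not Sumo Logic's code; it finds the service by display name (assumed to contain "CSE Windows Sensor", since the page names the SLCSE process but not the exact service name) and compares its state, start mode and logon account against what you expect, returning a non-zero exit code if anything differs.

```powershell
<#
  Verifies the sensor service state. Added example, not Sumo Logic's code.
  Assumes the service display name matches $ServiceDisplayName (adjust if yours differs).
#>
param(
    [Parameter(Mandatory)] [string] $ExpectedAccount,          # e.g. 'MYDOMAIN\svc_cse' or 'LocalSystem'
    [string] $ServiceDisplayName = '%CSE Windows Sensor%'       # WQL LIKE pattern
)

# Win32_Service exposes StartMode and StartName, which Get-Service does not.
$svc = @(Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$ServiceDisplayName'")
if ($svc.Count -ne 1) { throw "Expected one service matching '$ServiceDisplayName', found $($svc.Count)." }
$svc = $svc[0]

$checks = [ordered]@{
    'Service is running'           = ($svc.State -eq 'Running')
    'Startup type is Automatic'    = ($svc.StartMode -eq 'Auto')
    "Logon account is $ExpectedAccount" = ($svc.StartName -ieq $ExpectedAccount)
    'Service process has a PID'    = ($svc.ProcessId -gt 0)
}

$failed = 0
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { $failed++; 'FAIL' }
    Write-Host ('{0,-4} {1}' -f $status, $name)
}
Write-Host ("Service '{0}' ({1}): State={2} StartMode={3} StartName={4} PID={5}" -f
    $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode, $svc.StartName, $svc.ProcessId)
exit $failed
```

For a sensor installed with the built-in account, pass `-ExpectedAccount LocalSystem`, which is how Win32_Service reports that account; for a domain service account pass the `DOMAIN\user` form you gave the installer. A FAIL on the logon account check after an upgrade is worth investigating, since the page states upgrades ignore service account options and keep the previously configured account.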