Agent-D Monitoring

Agent-D is a server monitoring daemon for ThirdEye. By installing Agent-D on a Windows or Linux-based OS, you can monitor the server’s CPU, memory, logs, etc.

Compared to traditional SNMP agents, Agent-D allows you to bulk distribute (install) on monitored devices, reducing installation time and simplifying management when there are many targets to be monitored.

Install on Linux

Download the installer from ThirdEye and install it on any Linux server. Supported OSes are RedHat Linux 7/8, CentOS 7/8, and Ubuntu.

  1. Click [Settings] on the Global Menu.

  2. Copy the downloaded file to the destination Linux server.

  3. Unzip the downloaded file using the unzip command.

  4. Run install.sh.

  5. Enter ThirdEye’s IP address and press the [Enter] key.

Install on Windows

Download the installer from ThirdEye and install it on any Windows server. Windows OS Server versions 2016, 2019, and 2022 are supported.

  1. Click [Settings] on the Global Menu.

  2. Click [Agent-D] in the left sidebar, then click [Download Windows Standalone Installer].

  3. Copy the downloaded file to the Windows server where you will install it.

  4. Unzip the downloaded file and double-click agent-d-standalone.msi to run it.

  5. Click [Next].

  6. Enter ThirdEye’s IP address or hostname and click [Proceed].

Installation will begin.

  7. Click [Finish].

Windows service monitoring

Use Agent-D to obtain information about Windows services on the installed Windows server. By setting thresholds for service status, you can issue an alert when the threshold is exceeded.

The following template is registered in advance as a monitor for Windows service monitoring on the [Monitors] > [Templates] tab.

  • Windows Service Status

The Agent-D Windows Services plug-in can be set up as a monitor for a Windows server device:

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Select [Windows Services] and click [OK].

  6. Add the service name to be monitored by entering it in the [service_names] field. The service name is not case-sensitive.

  7. Check the items you want to obtain in [Output Fields] and click [Save].

Now, Agent-D will send the service information and you can check it in the device details.

Windows Event Log Monitoring

Use Agent-D to obtain Windows event log information for the installed Windows server. An alert can be issued when an event log containing a specific string is detected.

The following template is registered in advance as a monitor for Windows event log monitoring on the [Monitors] > [Templates] tab.

  • Windows Event Log Monitor

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Click [Windows Eventlog], then click [OK].

  6. Check the event logs you want to monitor.

  7. Click [Use advanced settings] to specify the event logs to monitor in XML format.

  8. Check the items to be retrieved in [Output Fields].

  9. Click [Save].

Now, the event log information will be sent from Agent-D and can be checked in the device details.

Distribute and install Agent-D using Group Policy on domain controllers

You can install Agent-D on multiple servers in bulk using new or existing Active Directory group policies. You can download the MSI file by clicking [Settings] > [Agent-D] > [Download Windows Domain Installer] in the Global Menu.

Please check the Microsoft Docs guide “Install software remotely using Group Policy” for details:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/use-group-policy-to-install-software

Install on Linux

Distribute and Install Agent-D from ThirdEye

For Linux, if ThirdEye can SSH into the Linux servers, you can install Agent-D from the ThirdEye menu. By selecting multiple devices, as with configuration backup, you can distribute to many devices at once.

  1. Set the authentication information (username/password) for the SSH connection.

  2. Add the Linux device to monitor.

  3. With the Linux device to be monitored selected, click [Agent-D Linux Installer] on the [Inventory] menu.

Note:

If [Agent-D Linux Installer] is grayed out and cannot be selected, there may be no Linux adapter assigned to the selected device. Make sure that a Linux adapter is assigned to the target device. You can check this from the [Edit Device] properties in the [Device] submenu.

  4. Click [Install/Update] > [Execute].

  5. The installation will execute and the results will be displayed in the bottom half of the screen.

CPU Monitoring

Use Agent-D to obtain CPU information for the installed server. By setting thresholds for CPU usage, etc., you can issue an alert when the threshold is exceeded.

The following templates are registered in advance as monitors for CPU monitoring on the [Monitors] > [Templates] tab.

  • Linux CPU Stats
  • Windows CPU Stats

The plug-in in the [Agent-D] > [Linux CPU] window can be set up as a monitor for a CentOS device. For instructions, refer to the Monitor SNMP Traps (all) section.

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Select [Linux CPU] and click [OK].

  6. Check the items to be acquired in [Plugin Config].

Item: Collect raw CPU time metrics (collect_cpu_time)
Description: Collects the time the CPU was used. If it is not checked, no value will be displayed even if you check a field starting with time_ in [Output Fields].

Item: Compute and report the sum of all non-idle CPU states (report_active)
Description: Calculates the total of all values other than idle/guest/guest_nice. If it is not checked, no value will be displayed even if time_active/usage_active is checked in [Output Fields].

  7. Check the items to be retrieved in [Output Fields] and click [Save].

Note:

In Agent-D’s Output Fields, common monitoring items are checked by default. To view other monitoring items, click “View details”.

Now, Agent-D will send the CPU information and you can check it in the device details.

Get the Overall CPU Usage

Agent-D’s CPU monitor obtains information on a per-core basis. Click [Calculated Metrics] to get the overall CPU usage.

  1. Double-click the CPU monitor to open it.

  2. Click [usage_active] in the [Output Fields] menu.

  3. Click [Derived Metrics] > [Metrics over indexes] > [Aggregation of Multiple Indexes].

  4. Change the metric name (the usage_active aggregate in the example above) to something meaningful and choose the aggregation type.

  5. Click [Save].

With the above steps, you can display the value of usage_active aggregated over all indexes (cores). By setting a threshold for this metric, you can monitor the overall CPU usage rate.

Memory Monitoring

Use Agent-D to obtain memory information for installed servers. By setting thresholds for things like memory usage, you can issue an alert when the threshold is exceeded.

The following templates are registered in advance as monitors for memory monitoring on the [Monitors] > [Templates] tab.

  • Linux Memory Stats
  • Windows Memory Stats

The [Agent-D] > [Windows Memory] plug-in can be set up as a monitor for a Windows server device:

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…], select [Windows Memory], and click [OK].

  5. Check the items for which you want to obtain data in [Output Fields], and click [Save].

Note:

In Agent-D’s Output Fields, common monitoring items are checked by default. To view other monitoring items, click [View details].

Now, Agent-D will send the memory information and you can check it in the device details.

HDD Monitoring

Use Agent-D to obtain the HDD information of the installed server. By setting thresholds for HDD free space, usage rate, etc., you can issue an alert when the thresholds are exceeded.

The following templates are registered in advance as monitors for HDD monitoring on the [Monitors] > [Templates] tab.

  • Linux Disk Stats
  • Windows Disk Stats

The [Agent-D] > [Linux Disk] plug-in can be set up as a monitor for a CentOS device:

  1. Double-click the device for which you want to configure a monitor to open the device details window in the bottom half of the screen.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Select [Linux/Windows Disk] and click [OK].

  6. In the [ignore_fs] field, specify file systems to exclude from data collection.

Several file systems are preset in the exclusion list. Edit as necessary using the (Add), (Delete), or (Edit) buttons.

  7. Check the items you want to obtain in [Output Fields] and click [Save].

Note:

In Agent-D’s Output Fields, common monitoring items are checked by default. To view other monitoring items, click “View details”.

Now, Agent-D will send the HDD information and you can check it in the device details.

Process Monitoring

Use Agent-D to obtain information about installed server processes. By setting thresholds for process status, memory usage, etc., you can issue alerts when thresholds are exceeded.

The following templates are registered in advance as monitors for process monitoring on the [Monitors] > [Templates] tab.

  • Linux Process Stats
  • Windows Process Stats

The [Agent-D] > [Windows Process] plug-in can be set up as a monitor for a Windows server device:

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Select [Windows Process] and click [OK].

  6. Add the process name to be monitored by entering it in the [Processes] field.

  7. Check the items you want to obtain in [Output Fields] and click [Save].

Note:

In Agent-D’s Output Fields, common monitoring items are checked by default. To view other monitoring items, click “View details”.

Now Agent-D will send the process information and you can check it in the device details.

Monitor the Number of Processes

If you want to monitor the number of running processes, you need to add a metric to count the number of processes.

  1. Open the process monitor by double-clicking it.

  2. Click [Calculated Metrics] > [Metrics over indexes] > [Total Condition Passed].

  3. Change the count metric name to something meaningful, and set the calculation formula.

(In the example, the metric name has been changed from the initial value count-metric to notepad-count.)

  • For Windows, set the process name field to “Process”.

    Example calculation formula: process contains {Process name}

  • For Linux, set the process name field to “process_name”.

    Example calculation formula: process_name contains {Process name}

  4. Click [Trigger] > [Time Window].

  5. Once the count metric has been set, set conditions using it.

Conditional: You can specify conditions using the following items:
  is (equal)
  is not (not equal)
  > (less than, the value on the right is smaller)
  < (greater than, the value on the right is greater)

  6. Set the other items (“alert policy”/“severity”/“Time window”/“count”/“message”).

Time window: The period over which failures are counted before the action defined in the alert policy is executed. (Minimum value: 1 minute)
Count: The number of times the condition must fail within the time window before the action is executed. (Minimum value: 1)
Alert Policy: Specify the alert policy.
Severity: Select the severity from the following (initial value: warning): Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug
Message: Set the message displayed when a failure is detected. *In order to display the message, the “Incident Registration” action must be defined in the alert policy.

  7. Click [Save].

Text Log Monitoring

Use Agent-D to obtain log information for the installed server. You can issue an alert when a log containing a specific string is detected.

The following templates are registered in advance as monitors for text log monitoring on the [Monitors] > [Templates] tab.

  • Linux Syslog Monitor
  • Windows Log File Monitor

Here, we will explain how to set up the [Agent-D] > [Log File Monitor] plug-in as a monitor for a Linux device.

  1. Double-click the device for which you want to configure a monitor to open the device details.

  2. Click the button, then click [Agent-D].

  3. Enter any monitor name, and set the interval and data retention period.

The [Period] field specifies the interval.

The [History] slider specifies a data retention period of 3, 6, or 12 months.

  4. Click [Plugin Library…].

  5. Select [Log File Monitor] and click [OK].

  6. Add the absolute path of the log file to be monitored in the [files] field.

Security settings must be configured in advance so that the Agent-D program can read the target log file. It runs as the “SYSTEM” user on Windows and as the “telegraf” user on Linux, so on Linux grant the “telegraf” user read access to that file only rather than broader privileges.

  7. Enter [grok_patterns] and [grok_custom_patterns] (see the Grok Patterns section below).

Syslog Monitoring

Use Agent-D to capture syslog information that is forwarded to ThirdEye. An alert can be issued when an event log containing a specific string is detected.

The following template is registered in advance as a monitor for syslog monitoring on the [Monitors] > [Templates] tab.

  • ThirdEye Syslog Monitor

Agent-D is pre-installed on ThirdEye, but is disabled by default. If you want to enable or disable Agent-D, you must restart ThirdEye.

This section explains how to enable ThirdEye’s Agent-D and set up the ThirdEye Syslog Monitor from the [Templates] tab as a monitor.

  1. Click [Settings].

  2. Select [Network Servers], check [Enable Agent-D for monitoring this server], and click [OK].

  3. Click [OK] on the reboot confirmation screen.

ThirdEye must be restarted for the settings to take effect. Click [OK] and ThirdEye will automatically restart.

  4. Check for the message “Restarting services …” and wait a few minutes.

A login screen will be displayed.

  5. After logging in, click the [Inventory] main tab.

  6. Register ThirdEye’s own IP address as a monitored device from [Inventory] > [Add Device].

  7. Double-click the device to open the device details.

  8. Click the button, and then click [Add from Template].

  9. Select [ThirdEye Syslog Monitor] and click [OK].

  10. Check the items you want to obtain in [Output Fields] and click [Save].

There is no need to change the [files] or [grok_patterns] settings that are already set in the template.

With the above steps, you can obtain the syslog information sent to ThirdEye.

Syslog messages are displayed in the “Conditional” field.

Trigger Message Alert

The contents of the [Windows Event Log General] tab are displayed in the message field of the Agent-D Windows Eventlog plugin. By setting a filter condition that this “message” field contains a specific string, you can trigger an alert whenever a Windows event log entry contains that string.

  1. Double-click the event log monitor to open it.

  2. Click [Trigger] > [Time window].

  3. Set conditions in the “Conditional” field.

Conditional: You can specify conditions using the following items:
  contains
  You can select other conditional expressions (is, is not, >, <, not contains), but if you want to set a condition that includes a specific string, use contains.

  4. Set the other items (“alert policy”/“severity”/“period”/“count”/“message”).

Time window: The period over which failures are counted before the action defined in the alert policy is executed. (Minimum value: 1 minute)
Count: The number of times the condition must fail within the time window before the action is executed. (Minimum value: 1)
Alert policy: Specify the alert policy.
Severity: Select the severity from the following (initial value: warning): Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug
Message: Set the message displayed when a failure is detected. *In order to display the message, the “Incident Registration” action must be defined in the alert policy.

  5. Click [Save].

Trigger Description Alert

The content of the Syslog message is displayed in the “description” field of the Agent-D “Log File Monitor” plugin. By setting a filter condition where the “description” contains a specific string, you can trigger an alert if the Syslog message contains the specific string.

  1. Double-click the [ThirdEye Syslog Monitor] monitor to open it.

  2. Click [Trigger] > [Time window].

  3. Set the “Conditional” using the description field.

Conditional: You can specify conditions using the following items:
  contains (include)
  You can select other conditional expressions (is, is not, >, <, not contains), but if you want to set a condition that includes a specific string, use contains.

  4. Uncheck “Automatically coalesce occurrences into a single violation”.

Note:

In ThirdEye, violations that share the same trigger and index are aggregated into one violation per monitored log file (the index is the name of the log file). Unchecking “Automatically coalesce occurrences into a single violation” allows a violation to occur for each log line that matches the conditions.

However, violations and emails will then occur more frequently than when grouped. Also, a message with the same trigger and index will still be aggregated if the first violation has not been cleared; in that case, only the most recently detected message will be displayed.

  5. Set the other items (“alert policy”/“severity”/“period”/“count”/“message”).

Period: The period over which failures are counted before the action defined in the alert policy is executed. (Minimum value: 1 minute)
Count: The number of times the condition must fail within the period before the action is executed. (Minimum value: 1)
Alert Policy: Specify the alert policy.
Severity: Select the severity from the following (initial value: warning): Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug
Message: Set the message displayed when a failure is detected. *In order to display the message, the “Incident Registration” action must be defined in the alert policy.

  6. Click [Save].
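As an added example (not part of the ThirdEye documentation or Agent-D's own code), the following Python function models the Time window, Count and coalescing behaviour described for the trigger settings in this section and in Monitor the Number of Processes, evaluating a “description contains …” condition over constructed sample records. Clearing of a violation is not modelled; an open violation stays open for the whole run.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample records: (timestamp, index, fields). The index is the
# monitored log file and "description" is the field the trigger filters on.
SAMPLES = [
    ("2024-08-20 11:15:40", "/var/log/messages", {"description": "sshd: error: connection timed out"}),
    ("2024-08-20 11:15:50", "/var/log/messages", {"description": "systemd: Started Hostname Service."}),
    ("2024-08-20 11:16:02", "/var/log/messages", {"description": "kernel: error: I/O failure on sda"}),
    ("2024-08-20 11:20:00", "/var/log/messages", {"description": "nfs: error: server not responding"}),
    ("2024-08-20 11:20:30", "/var/log/messages", {"description": "nfs: error: server not responding"}),
    ("2024-08-20 11:20:31", "/var/log/secure", {"description": "cron: error: job failed"}),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def evaluate_trigger(records, field, needle, time_window_seconds, count, coalesce=True):
    """Fire a violation once `count` records whose `field` contains `needle`
    arrive within `time_window_seconds`, evaluated separately for each index.
    With coalesce=True, further hits for an index update the open violation
    instead of creating a new one (only the latest message is kept)."""
    recent = defaultdict(deque)   # index -> timestamps of matches still inside the window
    open_violation = {}           # index -> violation that has not been cleared
    violations = []
    for ts_text, index, fields in sorted(records, key=lambda r: r[0]):
        if needle not in fields.get(field, ""):
            continue                                   # "contains" condition not met
        ts = parse_ts(ts_text)
        matches = recent[index]
        matches.append(ts)
        while (ts - matches[0]).total_seconds() > time_window_seconds:
            matches.popleft()                          # expire matches older than the window
        if len(matches) < count:
            continue                                   # not enough failures in the window yet
        if coalesce and index in open_violation:
            v = open_violation[index]
            v["occurrences"] += 1
            v["last_seen"] = ts_text
            v["message"] = fields[field]               # latest message replaces the earlier one
            continue
        v = {"index": index, "first_seen": ts_text, "last_seen": ts_text,
             "message": fields[field], "occurrences": 1}
        violations.append(v)
        open_violation[index] = v
    return violations


if __name__ == "__main__":
    for v in evaluate_trigger(SAMPLES, "description", "error", 60, 2):
        print(v)
```

With count=2 and a 60-second window, the errors at 11:15:40 and 11:16:02 open one violation, the 11:20:00 hit alone does not (the earlier matches have expired), and the 11:20:30 hit either updates that violation (coalesce on) or opens a second one (coalesce off).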

Log Level Alert

An alert can be triggered when an event with a specific log level such as “Critical” or “Error” occurs in the Windows event log. Here, we will use an example of setting up an alert to be issued when an event with a log level of “error” or higher occurs.

  1. Double-click the event log monitor to open it.

  2. Click [Trigger] > [Time window].

  3. Set the condition using Agent-D’s “level” field.

Conditional: You can specify conditions using the following items:
  is (equal)
  is not (not equal)
  > (less than, the value on the right is smaller)
  < (greater than, the value on the right is greater)

  4. Set the other items (“alert policy”/“severity”/“period”/“count”/“message”).

Time window: The period over which failures are counted before the action defined in the alert policy is executed. (Minimum value: 1 minute)
Count: The number of times the condition must fail within the time window before the action is executed. (Minimum value: 1)
Alert policy: Specify the alert policy.
Severity: Select the severity from the following (initial value: warning): Emergency, Alert, Critical, Error, Warning, Notification, Information, Debug
Message: Set the message displayed when a failure is detected. *In order to display the message, the “Incident Registration” action must be defined in the alert policy.

  5. Click [Save].

Grok Patterns

A grok_pattern is composed of:

%{PATTERN_NAME:FIELD_NAME:MODIFIER(option)}

The text that matches the regular expression defined by PATTERN_NAME is stored in FIELD_NAME.

Use grok_patterns to enter an expression that splits a single log line and stores the matching text in the specified fields.

Example:

Log message: Aug 20 11:15:40 192.168.0.1 ERROR systemd: Started Hostname Service.

Pattern:

%{SYSLOGTIMESTAMP:timestamp}\s%{IPORHOST:iporhost}\s%{LOGLEVEL:level}\s%{GREEDYDATA:message}

Save the value Aug 20 11:15:40 in the field called “timestamp” using the pattern SYSLOGTIMESTAMP.

grok_pattern: %{SYSLOGTIMESTAMP:timestamp}

Save the value 192.168.0.1 in the field called “iporhost” using the pattern IPORHOST.

grok_pattern: %{IPORHOST:iporhost}

Save the value ERROR in the field called “level” using the pattern LOGLEVEL.

grok_pattern: %{LOGLEVEL:level}

Save the value systemd: Started Hostname Service. in the field called “message” using the pattern GREEDYDATA.

grok_pattern: %{GREEDYDATA:message}

Grok Custom Patterns

You can define a new PATTERN_NAME to be used with grok_pattern.

Create it using the following syntax: PATTERN_NAME(regular expression)
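As an added example (not part of the ThirdEye documentation or Agent-D's own code), the following Python script expands a grok pattern into a regular expression and applies it to the log line from the Grok Patterns section and to a constructed second line that uses custom patterns written in the PATTERN_NAME(regular expression) form above. The built-in pattern regexes are simplified approximations written for this example, and the int modifier is assumed to convert the matched field to an integer.

```python
import re

# Simplified approximations of the built-in patterns the page uses; they are
# written for this example and are not Agent-D's own definitions.
BUILTIN_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9][A-Za-z0-9.-]*)",
    "LOGLEVEL": r"(?:EMERG|ALERT|CRIT|ERROR|WARN(?:ING)?|NOTICE|INFO|DEBUG)",
    "GREEDYDATA": r".*",
}

# %{PATTERN_NAME:FIELD_NAME:MODIFIER}, with FIELD_NAME and MODIFIER optional
REF = re.compile(r"%\{(\w+)(?::(\w+))?(?::(\w+))?\}")


def parse_custom_patterns(text):
    """Read custom patterns in the page's PATTERN_NAME(regular expression) form."""
    patterns = {}
    for line in text.splitlines():
        line = line.strip()
        if "(" in line and line.endswith(")"):
            name, body = line.split("(", 1)
            patterns[name.strip()] = body[:-1]
    return patterns


def compile_grok(grok_pattern, custom_patterns=None):
    """Expand every %{...} reference into a named group and compile the result."""
    table = dict(BUILTIN_PATTERNS, **(custom_patterns or {}))
    modifiers = {}

    def expand(m):
        name, field, modifier = m.groups()
        if name not in table:
            raise KeyError(f"unknown grok pattern {name}")
        inner = REF.sub(expand, table[name])   # a pattern may reference others
        if field is None:
            return f"(?:{inner})"              # match only, store nothing
        if modifier:
            modifiers[field] = modifier
        return f"(?P<{field}>{inner})"

    return re.compile(REF.sub(expand, grok_pattern)), modifiers


def grok_match(line, grok_pattern, custom_patterns=None):
    """Return the extracted fields for one log line, or None if it does not match."""
    regex, modifiers = compile_grok(grok_pattern, custom_patterns)
    m = regex.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    for field, modifier in modifiers.items():  # assumed: int/float convert the type
        if modifier == "int":
            fields[field] = int(fields[field])
        elif modifier == "float":
            fields[field] = float(fields[field])
    return fields


# The page's example line and pattern
LOG_LINE = "Aug 20 11:15:40 192.168.0.1 ERROR systemd: Started Hostname Service."
GROK = r"%{SYSLOGTIMESTAMP:timestamp}\s%{IPORHOST:iporhost}\s%{LOGLEVEL:level}\s%{GREEDYDATA:message}"

# Constructed second line with a program name and PID, parsed via custom patterns
LOG_LINE_PID = "Aug 20 11:16:02 web01 WARNING nginx[2048]: worker process exiting"
CUSTOM = r"""
PROG([A-Za-z0-9_-]+)
PID(\d+)
"""
GROK_PID = (r"%{SYSLOGTIMESTAMP:timestamp}\s%{IPORHOST:iporhost}\s%{LOGLEVEL:level}\s"
            r"%{PROG:program}\[%{PID:pid:int}\]:\s%{GREEDYDATA:message}")

if __name__ == "__main__":
    print(grok_match(LOG_LINE, GROK))
    print(grok_match(LOG_LINE_PID, GROK_PID, parse_custom_patterns(CUSTOM)))
```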

Check the items you want to obtain in [Output Fields] and click [Save].

Now, Agent-D will send log information and you can check it in the device details.