Configure the Windows Log Agent

Applies To: ThreatSync+ NDR

The Windows Log Agent is a collection agent that reads Windows DHCP server logs and then forwards them to the ThreatSync+ NDR Collection Agent. The ThreatSync+ NDR Collection Agent then forwards the DHCP logs to WatchGuard Cloud.

To keep track of devices when they change their IP address, we recommend that you use the Windows Log Agent to collect Active Directory DHCP logs. Add and configure the Windows Log Agent on all DHCP servers.

Windows Log Agent System Requirements

You can install the Windows Log Agent on these operating systems:

  • Windows Server 2019
  • Windows Server 2022

Some of these servers could also be domain controllers.

The Windows installer is compatible with computers with an x86 or ARM processor.

For more information about supported operating systems and virtualization environments, go to the Troubleshoot Windows Log Agent Issues section in this document, or the Operating System Compatibility for ThreatSync+ NDR Components in the ThreatSync+ NDR Release Notes.

About the Windows Log Agent for ThreatSync+ NDR

To collect Active Directory DHCP logs, you must add and configure both types of collection agents in your network — first the ThreatSync+ NDR Collection Agent (for either Windows or Linux), and then the Windows Log Agent.

Screen shot of Configure > ThreatSync, Windows Log Agents page

You configure Windows Log Agents on the Collectors page.

The Windows Log Agents tab shows these columns:

  • Name — Name of the collection agent.
  • IP Address — IP address of the computer where the collector is installed.
  • Collector IP Address — IP address of the collector.
  • Last Updated — The date and time the data was last updated.
  • DHCP Monitoring — Shows the status of DHCP monitoring. For example, Running or Stopped.
  • NXLog Monitoring — Shows the status of NXLog monitoring. For example, Running or Stopped.
  • Domain — The domain of the Windows log agent.
  • Status — Shows the status of the Windows log agent. Click the status to view more information. This can include:
    • Success — The collector is installed and receiving network data.
    • No Information — Could not report the status of the collector.
    • Offline — The collector is offline.
    • Error — The collector encountered an error. For more information, go to Troubleshoot Windows Log Agent Issues.

Before You Begin

You must install the WatchGuard Agent and ThreatSync+ NDR Collection Agent before you install the Windows Log Agent. Make sure you review the system requirements for the ThreatSync+ NDR Collection Agent for your environment.

To install and configure the WatchGuard Agent and ThreatSync+ NDR Collection Agent for Windows, go to Configure Collectors for ThreatSync+ NDR (Windows Computers).

To install and configure the WatchGuard Agent and ThreatSync+ NDR Collection Agent for Linux, go to Configure Collectors for ThreatSync+ NDR (Linux Computers).

Add a Windows Log Agent Collector

Add and configure the Windows Log Agent on all DHCP servers in your network.

After you add a server as a Windows Log Agent collector, make sure to configure your managed switches to send NetFlow data to the collector. For more information, go to the product documentation available with the switch.

To add a Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync+ Integrations > Collectors.
  4. On the Windows Log Agent tab, click Add Collector.
    The Add Windows Log Agent page opens.

Screenshot of the Add Windows Log Agent page in ThreatSync+ NDR

  1. From the Host drop-down list, select the computer that you want to use as a Windows Log Agent.
    This list includes all servers with the WatchGuard Agent installed. To refresh the list of available computers and servers, click
  2. In the ThreatSync+ NDR Collection Agent IP Address text box, enter the IP address of the computer you configured the ThreatSync+ NDR Collection Agent for.
    You can view the IP address on the ThreatSync+ NDR Collection Agents tab.
  3. Click Save.
    The log agent begins to report data to ThreatSync+ NDR. You can view reported traffic information on the Network Summary page. For more information, go to About the ThreatSync+ Summary Page.
  4. (Optional) To add a new ThreatSync+ NDR Collection Agent, click Add ThreatSync+ NDR Collection Agent. For more information, go to Add a ThreatSync+ NDR Collection Agent for Windows or Add a ThreatSync+ NDR Collection Agent for Linux.

If you experience a power outage on the computer the agents are installed on, or if the computer reboots after updates are installed, make sure you restart the computer.

Edit a Windows Log Agent Collector

You can configure an existing Windows Log Agent to use with a ThreatSync+ NDR Collection Agent that you previously installed.

To configure an existing Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync+ Integrations > Collectors.
  4. On the Windows Log Agents tab, next to the Windows Log Agent you want to edit, click The Options icon. Click Edit.
    The Edit Windows Log Agent page opens.

Screenshot of the Edit Windows Log Agent page

  1. In the ThreatSync+ NDR Collection Agent section, enter the IP address of a ThreatSync+ NDR Collection Agent.
  2. Click Save.
  3. (Optional) To add a new ThreatSync+ NDR Collection Agent, click Add ThreatSync+ NDR Collection Agent.

Delete a Windows Log Agent Collector

If you no longer want to use a specific Windows Log Agent Collector, you can delete it from the ThreatSync+ Integrations UI. When you delete the log agent from the UI, the WatchGuard Agent automatically uninstalls the log agent.

To delete a Windows Log Agent:

  1. Log in to your WatchGuard Cloud account.
  2. For Service Provider accounts, from Account Manager, select My Account.
  3. Select Configure > ThreatSync+ Integrations > Collectors.
  4. On the Windows Log Agents tab, select one or more collectors you want to delete.

Screenshot of the Collectors page, ThreatSync+ NDR Collections Agents tab that shows the Delete option when you select a collector to be deleted

  1. Click Delete.

If you want to delete the WatchGuard Agent along with the collectors, go to Delete the ThreatSync+ NDR Collection Agent for Windows or Delete the ThreatSync+ NDR Collection Agent for Linux.

Troubleshoot Windows Log Agent Issues

If reported traffic information does not show on the Network Summary page within 60 to 90 minutes, you can use the information in this section to troubleshoot.

To troubleshoot Windows Log Agent issues:

  • In Control Panel in Windows, confirm that the Windows Log Agent is installed.

  • Make sure that the Windows computer meets the requirements described in the Windows Log Agent System Requirements section. You can install the Windows Log Agent on Windows devices with Windows Server 2019 or Windows Server 2022 installed.
  • Make sure that the server can reach the ThreatSync+ NDR Collection agent through port 514. Make sure that no firewall rules block traffic from port 514.
  • Make sure that virtualization is enabled in the BIOS. These virtualization environments are verified:
Windows Log Agent Virtualization Environment Microsoft Windows Server 2019 Microsoft Windows Server 2022
VMware ESXi 6.7 Icon of check mark Icon of check mark
VMware ESXi 7.0.3 Icon of check mark  
VMware ESXi 8.0 Icon of check mark Icon of check mark
  • Confirm that the NXLog service is running (nxlog.exe). Review the NXLog files for errors (c:\Program Files\nxlog):
    • Review the *.conf, *.pm, *.log files and recurrent folders.
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent_**************.log
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent_**************_000_NXLog.log
    • Review the %windir%\temp\WatchGuard_Log_Collection_Agent\WatchGuard_Log_Collection_Agent**************_001_NXLogconf.log
  • Make sure that there is no previous installation of NXLog from another software vendor.
  • In WatchGuard Cloud, on the Configure > ThreatSync > ThreatSync+ NDR > Collectors page, review these columns in the Windows Log Agents table:
    • DHCP Monitoring — Shows the status of DHCP monitoring. For example, Running or Stopped.
    • NXLog Monitoring — Shows the status of NXLog monitoring. For example, Running or Stopped.
    • Status — Shows the status of the Windows Log Agents. Click the status for more information. For example, Error or Success.
  • You can view the WatchGuard Agent logs at /usr/local/management-agent/log for further troubleshooting.

Related Topics

About ThreatSync+ NDR Collectors

Configure Collectors for ThreatSync+ NDR (Windows Computers)

Configure Collectors for ThreatSync+ NDR (Linux Computers)

Quick Start — Set Up ThreatSync+ NDR