Automatic Migration

Starting with version 3.11, there is an now option to automatically migrate your deprecated WES agent to the current version of the Orchestrator. Go to What to look out for when migrating to the new Agent? to learn how.

Migration will attempt following:

Download the newest Orchestrator version from Logmanager.
Register a new Orchestrator agent (UUID of WES agent will be reused).
Migrate the WES agent config (Event sources, log files, tags).
Uninstall the WES agent.

If the Orchestrator, during migration, will encounter any issues it will attempt to revert back to original WES agent. After reverting, the WES agent service will be STOPPED to avoid getting stuck in an endless update loop. If such a situation occurs: disable migration in Sources > Windows Setting (legacy), fix the issues reported by your agent and then attempt the migration again. All migration logs can be found in Event Viewer > Windows Logs > Application. Look for logs from sources named Logmanager WES Migrator and Logmanager WES Handler.

What to look out for when migrating to the new Agent?

If you are collecting specific logs using the WES agent (legacy) and you are about to migrate to the new Logmanager Beat Agent, please check the documentation for each source you are collecting. We are continually updating - with the migration to the Beat Agent, configuration intervention may be required.

Below we add links to documentation that we have updated for the migration, which we consider important. You should read thoroughly the new related Logmanager Beat Agent documentation, which can be found on the main documentation page.

Microsoft Windows IIS - Pay attention to the list of fields you send to Logmanager.
Microsoft Exchange - Easier collection of transport logs from Microsoft Exchange.
Beats agents - Be careful with DHCP and in general with case-sensitive fonts in the log file path.
Veeam Backup & Replication - It`s required to modify the classification for logs/events from Veeam.

Running the migration process

Go to Sources > Windows Setting (legacy).
Enable Automatically migrate agent to orchestrator (before update to LM version 3.11 this button was named Agent autoupdate).
During next status update WES Agent will attempt migration to Orchestrator. Event sources, log files and tag settings will be perserved.

After updating to LM version 3.11, the WES auto updates will be disabled! This is because we changed the WES auto update behviour so that it now starts a migration to Orchestrator. To avoid running this process without your consent we disabled this option. You need to manually change it to Enabled if you want to run migration.

WES filters will not be migrated due to Backwards Compatibility break introduced by Beats. If you are using any specific filters for your Windows Events you will need to manually recreate them!

After migration, the Windows endpoint where migration was run will be logging its hostname in lowercase, as opposed to UPPERCASE in WES. This is due to a different hostname source in Orchestrator (FQDN rather than NetBIOS name). This may cause issues with custom Classification/Parsing/Alerting/Dashboards so make sure to check all logic in which you are using WES agents hostnames and adjust it accordingly.

Using Wildcard (*) in the file path will make it case-sensitive! This is because full-paths (for example: c:\tmp\test.log) are resolved directly via the Windows file-system which by default is case-insensitive, while glob-paths (for example: c:\tmp\*.log) are resolved via Go which makes it case-sensitive. Previously in WES agent this wasn’t the case, so make sure log files you want to collect have correct paths after migration.