Set up automatic agent enrollment
To auto enroll agents, start by creating a rule and then let NXLog Platform automatically enroll the matching agents when they connect.
Prerequisites
NXLog Platform can only auto enroll NXLog Agent if it is installed and its managed.conf file contains the configuration for the initial contact.
We recommend using a centralized management tool to deploy the agents and configure their managed.conf file.
Adding an auto-enroll rule
To enable auto enroll for a particular type of host, you need to add an auto-enroll rule that matches one or more host properties like the hostname or IP address.
Follow these steps to add an auto-enroll rule:
-
Navigate to Agents > Auto enroll.
-
Click Add Rule.
The new empty rule appears at the bottom of the list with the lowest priority.
-
Fill in the rule details:
-
In the Selector field, type the expression that matches the hosts to auto enroll. See Rule selector examples to learn how to write selectors.
-
Enter a Filter name to identify the rule, such as All Windows hosts.
Filter names don’t need to be unique but we recommend choosing wording that allows you to easily tell rules apart.
-
In the Comment field, enter an optional description of the rule.
-
-
Optionally, click Select template to assign a template to the auto-enrolled agent.
-
Consider changing the rule’s priority by rearranging it on the Auto enroll view. Lower number and higher position on the list denotes higher priority. Use the rule handle to drag the rule to its new position.
-
Click Save.
Note that this action saves changes made to all rules.
After saving the rule, you can start the agents that you want to auto enroll. NXLog Platform attempts to auto enroll them when they connect for the first time or on every reconnection after that as long as the agent is not enrolled.
Rule selector examples
You can test one or more agent properties in a rule selector to match a subset of agents. NXLog Agent sends some of these properties when connecting, while NXLog Platform adds others.
Note that all examples below include the enrolled = false expression, which ensures that the rule will not be reapplied to enrolled agents.
Although the Auto enroll feature never includes enrolled agents when matching rules, manually running the enroll-by-rules API endpoint targets all agents and matches all rules, including auto-enroll rules, unless you apply a filter.
We recommend to always add the expression to your selectors to prevent unwanted configuration changes whether or not you are currently using the API.
|
The following selector compares the agent machine’s hostname to a fixed value using the equality (=) operator.
This selector matches either a single host, or multiple hosts if the same hostname is available in multiple domains.
hostname = fedora03 AND enrolled = falseHowever, comparing the hostname to a single value is not always useful.
Assume your organization encodes the OS type in the hostname, such as WIN-4S38UE5G81L.
In cases where you want to define a partial match, you can use the LIKE operator with the % wildcard.
For example, the following selector matches all hostnames that start with WIN-:
hostname LIKE WIN-% AND enrolled = falseAnother way to match multiple hostnames is through the use of regular expressions.
The REGEX operator accepts a Rust-style regular expression.
The following selector matches agents whose hostname is in the <8-character username><YYYY> format, such as JMSMITH2024:
hostname REGEX "(?i)[a-z]{8}(?-i)\d{4}" AND enrolled = falseYou can define multiple properties in a single selector.
The following example uses the AND operator, which means both property values must match to auto enroll the agent.
hostname LIKE fedora AND os-release="Fedora Linux 39 (Workstation Edition)" AND enrolled = falseThe address property contains the IP address of the agent.
To aid the auto enrolling of multiple agents by IP, it supports testing against network values in CIDR format in addition to a single IP address.
The following selector matches agents with IPs in the 172.16.120.1 to 172.16.123.254 range.
address = 172.16.120.0/22 AND enrolled = falseThe following selector uses the inequality operator to match any IP address that is NOT 172.16.120.1 at port 8081.
address != 172.16.120.1:8081 AND enrolled = false