SparkLogs Agent Overview
Historically, gathering logs and system health signals from systems is a time-consuming, error-prone, manual process. Legacy log collectors are complex, require intricate configuration and ongoing maintenance, and can be resource-intensive.
The SparkLogs Agent solves these issues by automatically collecting all relevant logs and system health signals from endpoints and servers. The agent does not require configuration. Instead, it automatically identifies both operating system and available 3rd-party application logs, and also directly collects dozens of system health metrics and indicators every few minutes. It performs sophisticated local analysis to mark notable events and changes in system health.
This enables you to focus on solving technical problems faster with comprehensive data, rather than manually configuring and maintaining log collectors.
The agent is lightweight (<15 MB full download), resource-efficient (<100 MB RSS), cloud-managed, self-updating, and easy to deploy and manage. It automatically detects available log sources and system health signals, and collects, analyzes, and ships them to the cloud automatically. The SparkLogs cloud then indexes, stores, and analyzes the data for you through AutoExtract and AutoClassify. Thus with zero configuration and zero ongoing management, you gain deep visibility into the current and historical health of your systems and applications.
You deploy the agent with a registration token, and roll it out across a fleet from your RMM or via GPO or Intune. As a managed agent, it receives and verifies signed automatic updates and is managed centrally, so you do not patch or configure each endpoint by hand.
SparkLogs Agent vs Ingest Keys
There are two ways to get data in. Pick by how you run your systems:
- Use the SparkLogs Agent for endpoints you manage (servers, workstations) and for MSP fleets. SparkLogs keeps the agent software up to date, and in client-org mode it auto-creates a per-client organization for each endpoint.
- Use an Ingest Key when you already run a log collector (OpenTelemetry, Vector, Fluent Bit, Logstash, Beats, Grafana Alloy) or ship logs via an SDK or API.
Security Highlights
The agent opens no inbound ports and has no remote-execution path, so a compromised cloud account cannot be turned into command execution on your endpoints. It is written in pure Rust, ships with two signature chains (Authenticode on the installed binaries plus TUF-staged automatic updates), and uses a per-agent credential with clone detection so a copied credential is flagged rather than silently trusted.
See Agent security and the Trust Center agent section for the full model.
Supported Platforms
Windows
Officially supported:
- Windows 10 or later (x64)
- Windows Server 2016 or later (x64)
- Windows Server Core 2016 or later (x64)
Unofficially supported:
- Windows 8.1 or later (x64)
- Windows Server 2012 R2 or later (x64)
- The agent will install and run on these platforms, but non-core functionality may vary based on what the system can support. For security, outbound HTTPS requires TLS 1.2 (or better). On Windows 8.1 and 2012 R2, Schannel enables TLS 1.2 by default, but customized or lightly patched hosts may need Windows updates or policy changes. See Microsoft's Enable TLS 1.2 on clients and Schannel protocol defaults by OS version.
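A pre-deployment readiness check written for this page (it is not part of the SparkLogs agent or its installer): it reports whether Schannel TLS 1.2 client support is enabled on the host, which the unofficially supported platforms above depend on, and verifies the Authenticode signature of a downloaded installer before it is rolled out, as described under Security Highlights. The installer path is a placeholder; the Schannel registry key and the `Get-AuthenticodeSignature` cmdlet are standard Windows.

```powershell
# Added readiness check; not SparkLogs code. Run in an elevated PowerShell session.
function Get-Tls12ClientState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    if (-not (Test-Path $key)) {
        # No override present: the OS default applies (TLS 1.2 is on by default from 8.1 / 2012 R2 onward).
        return [pscustomobject]@{ Source = 'OS default'; Enabled = $true; DisabledByDefault = $false }
    }
    $p = Get-ItemProperty -Path $key
    # Missing values also fall back to the OS default; Enabled=0 or DisabledByDefault=1 blocks TLS 1.2.
    $enabled = if ($null -eq $p.Enabled) { $true } else { $p.Enabled -ne 0 }
    $dbd     = if ($null -eq $p.DisabledByDefault) { $false } else { $p.DisabledByDefault -ne 0 }
    [pscustomobject]@{ Source = 'Registry override'; Enabled = $enabled; DisabledByDefault = $dbd }
}

function Test-InstallerSignature {
    param([Parameter(Mandatory)][string]$Path)
    # Authenticode verification: 'Valid' means the chain verified and the file hash matches the signature.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$tls = Get-Tls12ClientState
if ($tls.Enabled -and -not $tls.DisabledByDefault) {
    Write-Host "TLS 1.2 client: enabled ($($tls.Source))"
} else {
    Write-Warning "TLS 1.2 client is disabled by Schannel policy; the agent's outbound HTTPS will fail until it is re-enabled."
}

$installer = 'C:\Temp\sparklogs-agent-installer.msi'   # placeholder: path to the installer you downloaded
if (Test-Path $installer) {
    $r = Test-InstallerSignature -Path $installer
    if ($r.Status -eq 'Valid') { Write-Host "Installer signature valid; signer: $($r.Signer)" }
    else { Write-Warning "Installer signature status is '$($r.Status)'; do not deploy this file." }
} else {
    Write-Host "Installer not found at $installer; skipping signature check."
}
```

Compare the reported signer subject against the publisher you expect before deploying from an RMM, GPO, or Intune.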
Not supported but may be supported in the future:
- x86 (32-bit) versions of Windows
- ARM64 versions of Windows
- Contact us if you'd like to see this supported so we can prioritize based on demand
Not supported and no plans to support:
- Versions of Windows older than Windows 8.1 or Windows Server 2012 R2.
macOS and Linux
An official SparkLogs Agent for macOS and Linux is on the roadmap. Before it's released, you can ingest data from these systems right now using an Ingest Key and an open source log collector of your choice.
Other environments
You can ingest data from many other environments using an Ingest Key combined with supported open source log shippers that send data through our many supported protocols. This includes syslog (e.g., firewall logs), Azure Functions, OpenTelemetry, and the dozens of sources provided by Vector and the OpenTelemetry Collector.