AlienVault® USM Anywhere™

Collecting Windows System Logs

In USM Anywhere, you can centralize the collection and analysis of Windows event logs from your servers or desktops, making it easier to track the health and security of these systems.

Note: With the addition of the AlienVault Agent, USM Anywhere provides an easier implementation of HIDS, FIM, and endpoint log collection across your Windows environments in the cloud and on premises. If you already have NXLog installed and configured on your endpoints to forward events to a USM Anywhere Sensor, this method is still supported and you do not need to replace it.

Using the AlienVault Agent

The AlienVault Agent provides simple installation, configuration, and management for host monitoring in USM Anywhere, without the manual configuration and setup tasks that a third-party agent requires. When you install the AlienVault Agent on a Windows host, it communicates over an encrypted channel to send data directly to USM Anywhere. The agent installation script configures a default set of folders, files, and registry keys so that file integrity monitoring works out of the box. You can set the configuration profile to manage the queries that USM Anywhere runs for an asset associated with a deployed agent.

This is the best choice for monitoring endpoints outside of the network, in remote locations, or where deploying a sensor is impractical. Additionally, it provides the ability to query the asset for additional forensic data as part of your investigation activities. For more information about the AlienVault Agent and how you can use it to simplify your endpoint detection and response (EDR), file integrity monitoring (FIM), and rich endpoint telemetry capabilities, see The AlienVault Agent.

Using the NXLog Agent

You can use NXLog to collect and forward Windows events to a USM Anywhere Sensor. NXLog is a general-purpose log collection and forwarding agent; in addition to collecting the standard Windows event logs, it can filter out spurious or high-volume events on the host before they are forwarded.

This is the best choice when you need complete control over the agent configuration and filtering rules, or when the endpoint must not make outbound connections to the cloud. There are two ways you can implement NXLog and integrate it with USM Anywhere to collect and forward events from your Windows systems.

  • Install and configure NXLog CE across your Windows hosts, using custom NXLog configurations to capture events beyond the standard Windows event logs on your servers and forward them to your USM Anywhere Sensor.
  • Use the Windows Event Collector sensor app to manage the NXLog subscription used to forward your Windows logs directly to a deployed USM Anywhere Sensor. With this method the Sensor acts as the collector, and the Windows host forwards the logs directly to the Sensor over a private IP address rather than the public Internet.

Note: NXLog provides an open source version and a paid enterprise version. The USM Anywhere Sensor integration using the Windows Event Collector app is based on the enterprise version; the custom configuration method is based on the open source Community Edition.
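As an added example (it is not part of the USM Anywhere documentation or of the NXLog project), the following nxlog.conf shows the custom NXLog CE approach from the first bullet above: collect the Security, System, and Application logs, drop the noisiest event IDs on the host, and forward the rest to the Sensor as JSON. The install path, the Sensor address 10.0.0.5, port 514/TCP, and the specific event IDs dropped are assumptions; take the address, port, and transport (TCP or UDP) from your own Sensor's NXLog integration settings.

```conf
## Added example configuration, not from USM Anywhere or NXLog.
## Assumed values (replace with your own): install path, Sensor
## address 10.0.0.5, port 514/TCP, and the suppressed Event IDs.

define ROOT        C:\Program Files (x86)\nxlog
define SENSOR_HOST 10.0.0.5
define SENSOR_PORT 514

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension json>
    Module  xm_json
</Extension>

# Read the Windows Event Log through the Windows API. The XPath query is
# evaluated by the Event Log service itself, so suppressed events never
# reach NXLog at all (first filter stage).
<Input eventlog>
    Module  im_msvistalog
    # Remember the last position so a service restart neither replays
    # old events nor leaves a gap.
    SavePos TRUE
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Security">*</Select>\
                    <Select Path="System">*</Select>\
                    <Select Path="Application">*</Select>\
                    <Suppress Path="Security">*[System[(EventID=4658 or EventID=4690 or EventID=5156 or EventID=5158)]]</Suppress>\
                </Query>\
            </QueryList>
    # Second filter stage inside NXLog: drop logoff events (4634), which
    # are high volume and add little beyond the matching 4624 logons.
    Exec    if $EventID == 4634 drop();
</Input>

# Forward each event to the USM Anywhere Sensor as one JSON object per line.
<Output sensor>
    Module  om_tcp
    Host    %SENSOR_HOST%
    Port    %SENSOR_PORT%
    Exec    to_json();
</Output>

<Route eventlog_to_sensor>
    Path    eventlog => sensor
</Route>
```

Two points worth keeping in mind when adapting this: filtering in the XPath query is cheaper than filtering in an Exec block because the events are discarded by Windows before NXLog copies them, and every event ID you suppress is one you will not be able to investigate later, so review the list against your detection use cases (for example, 5156 is noise on most hosts but is exactly what you want when tracing process-level network activity on a compromised one). After restarting the nxlog service, check %ROOT%\data\nxlog.log for connection errors to the Sensor before assuming events are flowing.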