AlienVault® USM Anywhere™

Use Windows Server as an NXLog Central Collector

You can choose an implementation where you set up each Microsoft Windows source machine to forward its events to a subscribing server that acts as a collector. In this scenario, the collector server acts as a central repository for Windows logs from other servers in the network. With this method, you must set up Windows Event Forwarding (WEF) on each Windows source.

Using Windows Server as a means of collecting Windows event logs is intended for use in these USM Anywhere environments:

  • On-premises (VMware or Hyper-V Sensors)
  • Amazon Web Service (AWS), where the Windows source machines are deployed within one of the following configurations:

    • The Windows source machines, the NXLog agent server, and USM Anywhere Sensor are located in the same Amazon Virtual Private Cloud (VPC).
    • The Windows source machines, the NXLog agent server, and USM Anywhere Sensor are not located in the same Amazon VPC, but you have VPC peering configured to allow the NXLog server to communicate with the sensor using UDP port 514.
  • Azure, where the Windows source machines, the NXLog agent server, and USM Anywhere Sensor are located in the same virtual network.

    Important: Because it does not require that you set up log forwarding on each source, the easiest and most straightforward method for Windows log collection in an Azure environment is to collect the Windows security events from the Azure storage table. However, if you need the additional logs forwarded by NXLog, you can use the following information to configure Windows log collection for this environment.

To set up your Windows Server to collect NXLogs, you need to perform the following two tasks: