AlienVault® USM Anywhere™

Windows Event Collector Setup

To use the Windows Event Collector (WEC) Sensor App, you need to download the certificate from USM Anywhere and install it on the Windows Server machines on the network that will forward the event logs. A PowerShell script for the installation is linked below, but you can use the Windows Event Collector Manual Certificate Installation method if you need to install the certificate on an Active Directory domain controller.

Download the Certificate

The Windows Server needs a certificate to establish a trusted connection between the USM Anywhere Sensor (collector) and Windows instances (clients). This certificate is available to download as a USM-NXLog-client.pfx file from USM Anywhere when you enable the WEC Sensor.

To download the certificate for the WEC Sensor

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the Sensor Apps tab.
  3. In the left navigation list, click Windows Event Collector.
  4. Click the Sensor dropdown list and select the deployed USM Anywhere Sensor you want the app to be installed on. If you have more than one deployed USM Anywhere Sensor, choose the Sensor that is deployed in the same network as the Windows Server and client systems where you plan to configure a subscription and log forwarding to USM Anywhere.
  5. In the Status tab, click the Download NXLog Certificates link and save the certificate.

Install and Configure the Certificate on the Windows Server

AlienVault provides a PowerShell installer script that you can use to automatically install the certificates. However, if you need to perform the installation manually, you can follow the Windows Event Collector Manual Certificate Installation procedure to install the certificate on your Windows Server.

Using the Certificate Installer Script

The Certificate Installer script is the easiest method for installing the NXLog certificates on your Windows Server so that you can configure Windows event forwarding for a USM Anywhere Sensor.

To use the installer script

  1. In USM Anywhere, go to Data Sources > Integrations.
  2. Click the Sensor Apps tab.
  3. In the left navigation list, click Windows Event Collector.
  4. Open the Status tab and click the Download the NXLog Certificate Installer link.
  5. On the Windows Server, execute the script from a PowerShell terminal.

  6. At the dialog box prompt, select the certificate file.
  7. If certificates from an earlier USM Anywhere NXLog installation are present, the script automatically asks whether to remove them.

    It is recommended that you remove the previous certificates to avoid potential conflicts.

When the installation is complete, the terminal window displays a confirmation and provides information about next steps to set up event forwarding. This is a summary of the information provided in Windows Event Collector Setup.
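
A post-install check, added here as an example (it is not AlienVault's installer script): it reads the certificates inside the downloaded USM-NXLog-client.pfx and reports which LocalMachine stores now hold them, whether a private key is attached, and whether older certificates with the same subject remain. The Downloads folder path, the optional PFX password, and the same-subject heuristic for spotting leftovers are assumptions.

```powershell
param(
    # File name is from this page; the Downloads folder is an assumption
    [string]$PfxPath = "$env:USERPROFILE\Downloads\USM-NXLog-client.pfx",
    # Assumption: supply only if your PFX is password protected
    [securestring]$PfxPassword
)

# Read the certificates contained in the PFX without importing anything
$pfxArgs = @{ FilePath = $PfxPath }
if ($PfxPassword) { $pfxArgs.Password = $PfxPassword }
$pfx = Get-PfxData @pfxArgs
$expected = @($pfx.EndEntityCertificates) + @($pfx.OtherCertificates)

# Every certificate currently present in any LocalMachine store
$installed = Get-ChildItem Cert:\LocalMachine -Recurse |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] }

foreach ($cert in $expected) {
    # Exact matches for the certificate shipped in the PFX
    $hits = @($installed | Where-Object Thumbprint -eq $cert.Thumbprint)

    # Same subject but a different thumbprint: likely left over from an
    # earlier installation (heuristic, see the lead-in)
    $stale = @($installed | Where-Object {
        $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint
    })

    [pscustomobject]@{
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        Expired     = $cert.NotAfter -lt (Get-Date)
        Stores      = ($hits | ForEach-Object { ($_.PSParentPath -split '\\')[-1] } |
                          Sort-Object -Unique) -join ', '
        PrivateKey  = [bool]($hits | Where-Object HasPrivateKey)
        StaleCopies = ($stale | ForEach-Object Thumbprint | Sort-Object -Unique) -join ', '
    }
}
```

An empty Stores value means that certificate was not installed; a non-empty StaleCopies value lists thumbprints to review before configuring event forwarding.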