In USM Anywhere, you can centralize the collection and analysis of Microsoft Windows event logs from your servers or desktops, making it easier to track the health and security of these systems. While the LevelBlue Agent is ideal for most traditional end-user laptop or desktop environments, there are some situations for which alternative log collection options, such as NXLog, may be preferable. The following table compares some of the most common use cases between the LevelBlue Agent and NXLog.
| Environmental Demands | Recommended Option |
|---|---|
| If you need to monitor endpoints outside of the network or in remote locations where it would be impractical to deploy a sensor | LevelBlue Agent |
| If you want the ability to query assets for additional forensic data as part of your investigation activities | LevelBlue Agent |
| If you want the benefits of LevelBlue Labs actively monitoring endpoints with updated LevelBlue Labs rules, including active process and network activity information | LevelBlue Agent |
| If you a need to restrict off-premise connections for endpoints | NXLog |
| If you need complete control over agent configuration and filtering rules |
NXLog |
| If you have highly active servers that are required to maintain essential business functions where all or most of your resources are dedicated to the server | NXLog |
Using the LevelBlue Agent
The LevelBlue Agent provides simple installation, configuration, and management for host monitoring in USM Anywhere without requiring a lot of manual configuration and setup tasks of a third-party agent. When installing the agent on a Windows host, it communicates over an encrypted Cryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. channel to send data directly to USM Anywhere. The agent installation script configures a default set of folders, files, and registries to automatically support file integrity monitoring (FIM). You can set the configuration profile to manage the queries that USM Anywhere runs for an asset associated with a deployed agent.
Using LevelBlue Agents is the best choice for monitoring endpoints outside of the network, in remote locations, or where deploying a sensor is impractical. Additionally, it provides the ability to query the asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. for additional forensic data as part of your investigation activities. See The LevelBlue Agent for more information about the LevelBlue Agent and how you can use it to simplify your endpoint detection and response (EDR), FIM, and rich endpoint telemetry capabilities.
Using NXLog
You can use NXLog to collect and forward Windows events to a USM Anywhere Sensor. NXLog is a universal log collection and forwarding agent for basic Windows event logs. But it's also useful in its own right for suppressing spurious events.
This is the best choice when you need complete control over agent configuration and filtering rules or must restrict cloud connections for the endpoint. There are two ways you can implement NXLog and integrate it with USM Anywhere to collect and forward events from your Windows systems:
- Install and configure NXLog Community Edition (CE) across your Windows hosts to capture events on your end servers and forward them to your USM Anywhere Sensor.
-
Use the Windows Event Collector sensor app to manage the NXLog subscription and forward your Windows logs directly to a deployed USM Anywhere Sensor. When you use this method, the sensor acts as the collector and the Windows host will forward the logs directly to the sensor using a private IP address, not over the public Internet.
Note: NXLog provides an open source version and a paid, enterprise version. The USM Anywhere Sensor integration using the Windows Event Collector app is based on the enterprise version. And the custom configuration method is based on the open-source Community Edition.
Feedback