AlienVault® USM Anywhere™

Collecting Windows System Logs

In USM Anywhere, you can centralize the collection and analysis of Microsoft Windows event logs from your servers or desktops, making it easier to track the health and security of these systems. While the AlienVault Agent is ideal for most traditional user-end laptop or desktop environments, there are some situations for which alternative log collection options, such as NXLog, may be preferable. The table below compares some of the more common use cases between the AlienVault Agent and NXLog.

AlienVault Agent vs. NXLog Use Cases

Environmental Demands | Recommended Option
If you need to monitor endpoints outside of the network or in remote locations where it would be impractical to deploy a sensor | AlienVault Agent
If you want the ability to query assets for additional forensic data as part of your investigation activities | AlienVault Agent
If you want the benefits of AT&T Alien Labs actively monitoring endpoints with updated Alien Labs rules, including active process and network activity information | AlienVault Agent
If you need to restrict off-premise connections for endpoints | NXLog
If you need complete control over agent configuration and filtering rules | NXLog
If you have highly active servers that are required to maintain essential business functions, where all or most of your resources are dedicated to the server | NXLog

Using the AlienVault Agent

The AlienVault Agent provides simple installation, configuration, and management for host monitoring in USM Anywhere, without the manual configuration and setup tasks that a third-party agent requires. When you install the agent on a Windows host, it communicates over an encrypted channel to send data directly to USM Anywhere. The agent installation script configures a default set of folders, files, and registry keys to automatically support file integrity monitoring (FIM). You can set the configuration profile to manage the queries that USM Anywhere runs for an asset associated with a deployed agent.

Using AlienVault Agents is the best choice for monitoring endpoints outside of the network or in remote locations, or where deploying a sensor is impractical. Additionally, it provides the ability to query the asset for additional forensic data as part of your investigation activities. See The AlienVault Agent for more information about the AlienVault Agent and how you can use it to simplify your endpoint detection and response (EDR), FIM, and rich endpoint telemetry capabilities.

Using NXLog

You can use NXLog to collect and forward Windows events to a USM Anywhere Sensor. NXLog is a universal log collection and forwarding agent; beyond basic Windows event log collection, it is also useful in its own right for suppressing spurious events on the host before they reach the sensor.

This is the best choice when you need complete control over agent configuration and filtering rules or must restrict cloud connections for the endpoint. There are two ways you can implement NXLog and integrate it with USM Anywhere to collect and forward events from your Windows systems:

  • Install and configure NXLog CE across your Windows hosts, using custom NXLog configurations to capture non-Windows events on your end servers and forward logs to your USM Anywhere Sensor.
  • Use the Windows Event Collector sensor app to manage the NXLog subscription used to forward your Windows logs directly to a deployed USM Anywhere Sensor. With this method, the sensor acts as the collector and the Windows host forwards the logs directly to the sensor over a private IP address, not over the public Internet.

Note: NXLog provides an open source version and a paid enterprise version. The USM Anywhere Sensor integration using the Windows Event Collector app is based on the enterprise version, and the custom configuration method is based on the open source Community Edition.
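As an added illustration of the custom configuration method (this is not AlienVault's or NXLog's own documentation), the following minimal NXLog CE nxlog.conf reads the Windows event log, drops two commonly noisy event IDs on the host so they never leave it, and forwards the remaining events as syslog to a sensor. The install path, the sensor address 10.0.0.5, the port 514, and the two filtered event IDs (4634 logoff, 5156 Windows Filtering Platform connection) are assumptions to adapt to your deployment.

```nxlog
# Assumed NXLog CE install path; adjust to the path used by your installer.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension _syslog>
    Module xm_syslog
</Extension>

# Read the Windows event log through the Windows Event Log API.
<Input eventlog>
    Module im_msvistalog
    # Local filtering rule: suppress spurious events before forwarding.
    # 4634 (logoff) and 5156 (WFP permitted connection) are example IDs only.
    Exec if ($EventID == 4634 or $EventID == 5156) drop();
</Input>

# Forward to the USM Anywhere Sensor over its private address.
<Output usm_sensor>
    Module om_tcp
    Host   10.0.0.5      # hypothetical sensor private IP
    Port   514           # assumed syslog listener port on the sensor
    Exec   to_syslog_bsd();
</Output>

<Route eventlog_to_sensor>
    Path eventlog => usm_sensor
</Route>
```

After editing the file, restart the nxlog service and check %ROOT%\data\nxlog.log for connection errors before trusting that events are reaching the sensor.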