Collecting Windows System Logs

In USM Anywhere, you can centralize the collection and analysis of Microsoft Windows event logs from your servers or desktops, making it easier to track the health and security of these systems. While the LevelBlue Agent is ideal for most traditional end-user laptop or desktop environments, there are some situations for which alternative log collection options, such as NXLog, may be preferable. The following table compares some of the most common use cases between the LevelBlue Agent and NXLog.

LevelBlue Agent vs. NXLog Use Cases

Environmental Demands Recommended Option
If you need to monitor endpoints outside of the network or in remote locations where it would be impractical to deploy a sensor LevelBlue Agent
If you want the ability to query assets for additional forensic data as part of your investigation activities LevelBlue Agent
If you want the benefits of LevelBlue Labs actively monitoring endpoints with updated LevelBlue Labs rules, including active process and network activity information LevelBlue Agent
If you a need to restrict off-premise connections for endpoints NXLog
If you need complete control over agent configuration and filtering rules


If you have highly active servers that are required to maintain essential business functions where all or most of your resources are dedicated to the server NXLog

Using the LevelBlue Agent

The LevelBlue Agent provides simple installation, configuration, and management for host monitoring in USM Anywhere without requiring a lot of manual configuration and setup tasks of a third-party agent. When installing the agent on a Windows host, it communicates over an encrypted Cryptographic transformation of data into a form that conceals the data's original meaning to prevent it from being known or used. channel to send data directly to USM Anywhere. The agent installation script configures a default set of folders, files, and registries to automatically support file integrity monitoring (FIM). You can set the configuration profile to manage the queries that USM Anywhere runs for an asset associated with a deployed agent.

Using LevelBlue Agents is the best choice for monitoring endpoints outside of the network, in remote locations, or where deploying a sensor is impractical. Additionally, it provides the ability to query the asset An IP-addressable host, including but not limited to network devices, virtual servers, and physical servers. for additional forensic data as part of your investigation activities. See The LevelBlue Agent for more information about the LevelBlue Agent and how you can use it to simplify your endpoint detection and response (EDR), FIM, and rich endpoint telemetry capabilities.

Using NXLog

You can use NXLog to collect and forward Windows events to a USM Anywhere Sensor. NXLog is a universal log collection and forwarding agent for basic Windows event logs. But it's also useful in its own right for suppressing spurious events.

This is the best choice when you need complete control over agent configuration and filtering rules or must restrict cloud connections for the endpoint. There are two ways you can implement NXLog and integrate it with USM Anywhere to collect and forward events from your Windows systems:

Note: NXLog provides an open source version and a paid, enterprise version. The USM Anywhere Sensor integration using the Windows Event Collector app is based on the enterprise version. And the custom configuration method is based on the open-source Community Edition.