Microsoft Windows Event Collector Sensor App Setup

To use the Windows Event Collector (WEC) sensor app, you need to download the certificate from USM Anywhere and install it on the Microsoft Windows Server machines on the network that will be forwarding the event logs. A PowerShell script for the installation is linked below, but you can use the Windows Event Collector Sensor App Manual Certificate Installation method if you need to install the certificate on an Active Directory (AD) domain controller.

Note: See your vendor's documentation for headless deployments or more advanced configurations.

Download the Certificate

The Windows Server needs a certificate to establish a trusted connection between the USM Anywhere Sensor (collector) and Windows instances (sender). This certificate is available to download as a USM-NXLog-client.pfx file from USM Anywhere when you enable the WEC sensor app.

To download the certificate for the WEC sensor app

  1. In USM Anywhere, go to Data Sources > Sensors.
  2. Click the Sensor Apps tab.
  3. In the left navigation list, click Windows Event Collector.
  4. Click the Sensor drop-down list and select the deployed USM Anywhere Sensor you want the app to be installed on.

    If you have more than one deployed USM Anywhere Sensor, choose the sensor that is deployed in the same network as the Windows Server and client systems where you plan to configure a subscription and log forwarding to USM Anywhere.

  5. In the Status tab, click the Download NXLog Certificates link and save the certificate.

    (Screenshot: the Download NXLog Certificates link on the Windows Event Collector page)

Install and Configure the Certificate on the Windows Server

AT&T Cybersecurity provides a PowerShell installer script that you can use to automatically install the certificates. However, if you need to manually perform the installation, you can follow the Windows Event Collector Sensor App Manual Certificate Installation to install the certificate on your Windows Server.

Using the Certificate Installer Script

The PowerShell installer script is the easiest method for installing the NXLog certificates on your Windows Server so that you can configure Windows event forwarding for a USM Anywhere Sensor.

To use the installer script

  1. In USM Anywhere, go to Data Sources > Sensors.
  2. Click the Sensor Apps tab.
  3. In the left navigation list, click Windows Event Collector.
  4. Click the Status tab and then the Download the NXLog Certificate Installer link.
  5. On the Windows Server, execute the script from a PowerShell terminal.
  6. At the dialog box prompt, select the certificate file.

    The script automatically asks whether to remove the previous certificates if it finds an earlier USM Anywhere NXLog installation. AT&T Cybersecurity recommends that you remove the previous certificates to avoid potential conflicts.

When the installation is complete, the terminal window displays a confirmation and provides information about next steps to set up event forwarding.
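As an added example (not the installer script that USM Anywhere provides), the following PowerShell performs the core of the procedure above: it offers to remove earlier USM NXLog certificates, imports the downloaded USM-NXLog-client.pfx into the local machine certificate store, and verifies that the imported certificate is present and not about to expire. The store path (Cert:\LocalMachine\My) and the subject substring used to recognise older certificates are assumptions, not values taken from the documentation.

```powershell
# Added example, not AT&T Cybersecurity's installer script.
# Assumptions: the client certificate belongs in Cert:\LocalMachine\My, and
# certificates from an earlier installation can be recognised by a substring
# of their Subject ($SubjectMatch). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)] [string] $PfxPath,          # e.g. .\USM-NXLog-client.pfx
    [string] $StorePath    = 'Cert:\LocalMachine\My',  # assumed target store
    [string] $SubjectMatch = 'NXLog'                   # assumed marker for old certs
)

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "Certificate file not found: $PfxPath"
}

# Read the PFX password without echoing it; Import-PfxCertificate expects a SecureString.
$password = Read-Host -Prompt 'PFX password (leave empty if none)' -AsSecureString

# Mirror the installer's behaviour: list certificates left by an earlier
# installation and ask before removing them, so the operator sees what goes.
$old = Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$SubjectMatch*" }
if ($old) {
    $old | Format-Table Subject, Thumbprint, NotAfter -AutoSize | Out-String | Write-Host
    $answer = Read-Host 'Remove the certificates listed above? [y/N]'
    if ($answer -match '^[Yy]') { $old | Remove-Item -Verbose }
}

# Only pass -Password when one was entered; an unprotected PFX needs none.
$importArgs = @{ FilePath = $PfxPath; CertStoreLocation = $StorePath }
if ($password.Length -gt 0) { $importArgs.Password = $password }
$imported = Import-PfxCertificate @importArgs

# A PFX may bundle the CA chain, so Import-PfxCertificate can return several
# certificates; confirm each one is really in the store and report its expiry.
foreach ($cert in $imported) {
    $inStore = Get-ChildItem -Path $StorePath | Where-Object Thumbprint -eq $cert.Thumbprint
    if (-not $inStore) {
        throw "Import reported success but $($cert.Thumbprint) is not in $StorePath"
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    Write-Host ('Installed {0}  thumbprint={1}  expires={2:yyyy-MM-dd} ({3} days)' -f
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft)
    if ($daysLeft -lt 30) {
        Write-Warning 'Certificate expires within 30 days; download a fresh one from USM Anywhere.'
    }
}
```

The thumbprints it prints are the values to compare against the certificate shown in USM Anywhere when troubleshooting a forwarding connection that the sensor refuses.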