The options to onboard Microsoft Windows OS devices to MSS service are listed below.
NXLog Community Edition Windows Agent - The NXLog Community Edition Windows agent can be downloaded and used free of charge with no license costs or limitations. NXLog Community Edition is a high-performance, low-overhead solution that supports all currently supported versions of Microsoft Windows Server and is maintained and enhanced by an active community. An MSI package for Windows systems, as well as the product documentation, is available on the NXLog Community Edition project's web site: http://nxlog.org/products/nxlog-community-edition
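The following PowerShell deployment script is an added example and is not part of this article or of the NXLog project's own documentation. It performs an unattended install of the NXLog Community Edition MSI, writes a minimal nxlog.conf that reads the Security and System event channels natively and forwards them to the LCP as BSD syslog over UDP/514, then restarts the service and checks that it stayed up. The MSI download path, the LCP address placeholder and the NXLog CE 2.x default install root `C:\Program Files (x86)\nxlog` are assumptions; adjust them to your environment (NXLog CE 3.x installs under `C:\Program Files\nxlog`).

```powershell
# Added example (not from the article or the NXLog project): unattended NXLog CE
# deployment that forwards the Windows Security and System channels to an MSS
# LCP as BSD syslog over UDP/514. Assumptions: the MSI was downloaded from
# nxlog.org to C:\Temp, the LCP address below is a placeholder, and the
# NXLog CE 2.x default install root "C:\Program Files (x86)\nxlog" applies.
$MsiPath = 'C:\Temp\nxlog-ce.msi'          # assumed download location
$LcpHost = '<LCP-IP-ADDRESS>'               # placeholder: your LCP
$NxRoot  = 'C:\Program Files (x86)\nxlog'   # NXLog CE 2.x default root

# 1. Silent install; exit code 0 or 3010 (reboot pending) both mean success.
$p = Start-Process msiexec.exe -ArgumentList "/i `"$MsiPath`" /qn" -Wait -PassThru
if ($p.ExitCode -notin 0, 3010) { throw "msiexec failed with exit code $($p.ExitCode)" }

# 2. Write the collector configuration. im_msvistalog reads the event log
#    natively; xm_syslog converts each record into a BSD syslog line.
$Config = @"
define ROOT $NxRoot
Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

<Extension syslog>
    Module xm_syslog
</Extension>

<Input eventlog>
    Module im_msvistalog
    # Subscribe only to the channels MSS monitors; adjust the XPath as needed.
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
</Input>

<Output lcp>
    Module om_udp
    Host   $LcpHost
    Port   514
    Exec   to_syslog_bsd();
</Output>

<Route eventlog_to_lcp>
    Path eventlog => lcp
</Route>
"@
Set-Content -Path "$NxRoot\conf\nxlog.conf" -Value $Config -Encoding ASCII

# 3. Restart the service and confirm it stays up; nxlog.log records any
#    configuration parse errors raised on startup.
Restart-Service -Name nxlog
Start-Sleep -Seconds 3
Get-Service -Name nxlog | Select-Object Status, StartType
Get-Content "$NxRoot\data\nxlog.log" -Tail 5
```

The XPath query is the place to keep the event volume proportionate: forwarding every channel with `*` from a busy domain controller can saturate a UDP syslog path, and UDP gives no delivery guarantee, so confirm on the LCP that the expected event IDs are arriving before relying on the feed for monitoring.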
Intersect Alliance (Snare Agent Open Source) - Intersect Alliance has recently started advising users of the popular Snare for Windows Open Source agent that it is now "end of life" and no longer being maintained to support current versions of the Windows operating system, and that it cannot be relied upon to meet various compliance requirements. MSS customers currently using the Snare for Windows Open Source agent may be approached by Intersect Alliance and advised to purchase licensing for their Snare for Windows Enterprise Edition and migrate to that solution, which is actively maintained and supported by the company.
Customers that are not currently using the Snare for Windows Open Source agent are strongly discouraged from selecting this as their Windows event logging solution for use with MSS, and are advised to consider use of one of the alternative Windows event logging solutions that MSS supports. If a customer would prefer a free/Open Source solution to facilitate Windows Event log monitoring, the NXLog Community Edition Windows agent is the supported alternative.
Customers currently using the Snare for Windows Open Source agent should be advised to consider migrating to an alternative solution supported by MSS, including the NXLog Community Edition Windows agent if they prefer a free/Open Source replacement for the Snare for Windows Open Source agent. Customers will continue to benefit from the Windows security monitoring services currently provided by MSS while still using the Snare for Windows Open Source agent as they plan for their migration.
Intersect Alliance (Snare Agent Enterprise) - The Enterprise version of the Snare agent requires the purchase of an appropriate license from Intersect Alliance but is fully supported on all current versions of Microsoft Windows server and can be used to forward Windows server logs to the LCP in syslog format.
Windows Remote Management (WinRM) - Use of WinRM for Windows log collection requires customers to enable the WinRM service on their servers, but there is no additional license cost associated with this collection method; logs are pulled directly from the server using a Windows username and password. This method of log collection can be resource intensive, adding load both on the servers logs are collected from and on the LCP when large numbers of servers are involved; for more than 60 servers it may be necessary to distribute collection across additional LCPs or to deploy WinRM collectors 'off-box', hosted by LCP Event Agents.
Windows Event Forwarding - Windows Event Forwarding is a feature of WinRM that can be configured to forward Windows logs from multiple servers to a single collector server. That collector can in turn be configured with an agent such as Snare or syslog-ng to forward the logs to the LCP, reducing the number of Snare or syslog-ng licenses that must be purchased.
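The PowerShell below is an added example, not part of this article, covering both the WinRM and the Windows Event Forwarding options above: it enables the WinRM listener on a source server, grants the event-forwarding service read access to the Security log, and then, on the collector, enables the Windows Event Collector service and creates a source-initiated subscription that lands Security events in the ForwardedEvents log, where a single agent can pick them up for the LCP. The collector hostname and domain are placeholders, and the subscription name `MSS-Security` is one chosen here. For the WinRM pull method, the Windows account whose username and password the LCP uses should be a dedicated account that is a member of the local "Event Log Readers" group on each server rather than an administrator, so that a compromise of those credentials exposes only log read access.

```powershell
# Added example (not from the article): enable WinRM on each source server,
# then configure a collector with a source-initiated Windows Event Forwarding
# subscription so only the collector needs an agent to reach the LCP.
# Assumptions: collector hostname and domain are placeholders; the subscription
# name "MSS-Security" is chosen here; any account used for WinRM pulls is a
# low-privilege member of "Event Log Readers", not an administrator.

# --- On every source server (or via GPO): enable the WinRM listener and the
#     Windows Remote Management service, then verify that it answers locally.
winrm quickconfig -q
Test-WSMan -ComputerName localhost

# The forwarding component runs as NETWORK SERVICE; it must be allowed to read
# the Security log, otherwise the subscription silently delivers nothing.
net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add

# --- On the collector: enable the Windows Event Collector service and create
#     a subscription that accepts the Security channel from domain computers
#     into the ForwardedEvents log.
wecutil qc /q

$Subscription = @'
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>MSS-Security</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security events forwarded for MSS monitoring</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList><Query Id="0" Path="Security"><Select Path="Security">*</Select></Query></QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <!-- SDDL granting the Domain Computers group (DC) permission to forward -->
  <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)S:</AllowedSourceDomainComputers>
</Subscription>
'@
$Subscription | Set-Content -Path "$env:TEMP\mss-security.xml" -Encoding UTF8
wecutil cs "$env:TEMP\mss-security.xml"

# Source servers learn the collector's address from the GPO setting
# "Configure target Subscription Manager" (Computer Configuration > Policies >
# Administrative Templates > Windows Components > Event Forwarding), e.g.:
#   Server=http://<COLLECTOR-FQDN>:5985/wsman/SubscriptionManager/WEC,Refresh=60

# --- Verification on the collector: subscription runtime status and the
#     most recent forwarded events, with the source machine of each.
wecutil gr MSS-Security
Get-WinEvent -LogName ForwardedEvents -MaxEvents 5 |
    Select-Object TimeCreated, MachineName, Id
```

`wecutil gr` lists every source that has checked in and its last heartbeat, which is the quickest way to spot a server whose WinRM listener or group membership is wrong; a source that is missing from that list is not forwarding, regardless of what the GPO says. HTTP on 5985 carries Kerberos-authenticated, encrypted WS-Management traffic between domain members; switch the transport to HTTPS only if non-domain sources must be accepted.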
Microsoft ACS (Audit Collection Services) via SCOM - Windows logs can be collected by pulling them from a Microsoft System Center Operations Manager (SCOM) server database if a customer is using Microsoft Audit Collection Services (ACS). ACS collects the events generated by an audit policy and stores them in a centralized database, so only events captured by the ACS policy will be available for collection. These are limited to Security log events; ACS does not collect any other logs.
BalaBit (syslog-ng PE) - BalaBit syslog-ng Premium Edition (PE) can be used to forward Windows server logs to the LCP in syslog format; this agent requires the purchase of an appropriate license from BalaBit.
Splunk - Microsoft Windows event logs originating from a Splunk Universal Forwarder for Windows can be collected via a Splunk Heavy Forwarder in syslog format; the Heavy Forwarder must be configured to stream Windows logs to the LCP.