2021-08-24T12:06:00Z

How to deploy SIEM agents in large scale Windows environments?


2 Answers

Real User
2021-08-27T19:39:31Z
Aug 27, 2021

Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.


We use NXLOG at Securonix. 


I would suggest, if you need to deploy agents on Windows, you're probably best using Group Policies in Active Directory and an MSI installer.


WMI can be used to collect logs, but I highly recommend against it. It's insecure, using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer, and requires DLLs to decode the binary format.


"Sensors" implies traffic collection and layer 2 devices (Corelight, Gigamon, Extrahop), and is an entirely different process.


You will probably have to deploy at least one log collector for the vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for its patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight Connector Appliance, QRadar Event Processor).


Puppet, Terraform and other cloud tools can help with deployment of collectors on cloud environments.
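As an added example (not part of either answer above), the following PowerShell script checks, from an admin workstation, whether domain-joined Windows hosts are actually ready to forward via WEF to a WEC: WinRM running, the GPO-delivered SubscriptionManager value pointing at the expected collector, and NETWORK SERVICE able to read the Security log. The OU path and collector URL are placeholders; it assumes the RSAT ActiveDirectory module and WinRM reachability from the host running it.

```powershell
# Added example, not from the original post. Verifies WEF forwarder readiness
# across domain hosts so a single agent on the WEC can cover many endpoints.
#Requires -Modules ActiveDirectory
param(
    [string]$SearchBase        = "OU=Servers,DC=example,DC=com",   # placeholder OU
    [string]$ExpectedCollector = "https://wec01.example.com:5986"  # placeholder WEC
)

# GPO "Configure target Subscription Manager" writes REG_SZ values named 1, 2, ...
# under this key, each beginning with "Server=<collector URL>,Refresh=...".
$wefPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'

# Runs on each endpoint and returns the facts that decide whether it can forward.
$probe = {
    param($PolicyKey)
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $subs  = @()
    if (Test-Path $PolicyKey) {
        $subs = (Get-ItemProperty -Path $PolicyKey).PSObject.Properties |
            Where-Object { $_.Name -match '^\d+$' } |
            ForEach-Object { $_.Value }
    }
    # WEF reads logs as NETWORK SERVICE; for the Security log it needs Event Log Readers.
    $readers = (Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue).Name
    [pscustomobject]@{
        WinRMRunning   = [bool]($winrm -and $winrm.Status -eq 'Running')
        Collectors     = $subs
        NetSvcIsReader = [bool]($readers -contains 'NT AUTHORITY\NETWORK SERVICE')
    }
}

$hosts = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*" -and Enabled -eq $true' `
            -SearchBase $SearchBase -Properties OperatingSystem |
         Select-Object -ExpandProperty DNSHostName

$results = Invoke-Command -ComputerName $hosts -ScriptBlock $probe -ArgumentList $wefPolicyKey `
             -ErrorAction SilentlyContinue -ErrorVariable unreachable

foreach ($r in $results) {
    $pointsAtWec = @($r.Collectors | Where-Object { $_ -like "Server=$ExpectedCollector*" }).Count -gt 0
    [pscustomobject]@{
        Host                = $r.PSComputerName
        WinRM               = $r.WinRMRunning
        PointsAtWEC         = $pointsAtWec
        SecurityLogReadable = $r.NetSvcIsReader
        Ready               = ($r.WinRMRunning -and $pointsAtWec -and $r.NetSvcIsReader)
    }
}
# Hosts that never answered are coverage gaps too (WinRM blocked, offline, or not joined).
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
```

Any host with Ready = False, or listed as unreachable, will be silent in the SIEM even though the WEC agent itself is healthy, so this list is the punch list before sign-off.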

Jairo Willian Pereira - PeerSpot reviewer
Real User
Top 5
2021-08-26T12:55:27Z
Aug 26, 2021

Some products permit generating a native .MSI package. Sometimes, you can use PowerShell for connecting and installing packs in your environment.


Non-trivial: using a secondary tool (an administrative tool, iLO/iDRAC, PHP, expect, ssh-win, ...) that is available or built-in on the assets.


https://docs.microsoft.com/en-...
