
How to deploy SIEM agents in large scale Windows environments?

Hi community, 

What is the best way to deploy agents/sensors (such as a SIEM agent) in large-scale Windows environments? 

Any hands-on tips or recommendations?

Thank you. 

ITCS user
22 Answers

Top 5, Real User

Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.

We use NXLOG at Securonix. 

I would suggest, if you need to deploy agents on Windows, you're probably best using Group Policies in Active Directory and an MSI installer.

WMI can be used to collect logs, but I highly recommend against it. It's insecure, using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer, and it requires DLLs to decode the binary format.

Sensors implies traffic collection and layer 2 devices (Corelight, Gigamon, Extrahop), and is an entirely different process. 

You will probably have to deploy at least one log collector for the vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for its patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight Connector Appliance, QRadar Event Processor).

Puppet, Terraform and other cloud tools can help with deployment of collectors in cloud environments.

Top 5, Leaderboard, Real User

Some products permit generating a native .MSI package. Sometimes you can use PowerShell for connecting and installing packs in your environment.

Non-trivial: using a secondary tool (an administrative tool, iLO/iDRAC, PHP, expect, ssh-win, ...) that is available or built-in on the assets.

