To receive events from transports other than syslog, both the commercial version of RuSIEM and the free RvSIEM use agents for Windows.
Agents are installed as a Windows service, are managed through the web interface of the management server, and can collect events both locally and simultaneously from many remote sources in an agentless manner. That is, you install the agent on one server and that agent collects from hundreds of other Windows, MS SQL / MySQL / Oracle or file servers on which no agent is installed.
Licensing does not limit the number of agents; there can be any number of them. For mobile devices (laptops), local installation of the agent is recommended. In that case, while there is no connection to the server, the agent collects events into its local database, which is rotated depending on the free disk space so that events are not lost to rotation or to the actions of an attacker; as soon as a connection to the server is available, the events are transmitted to it.
Windows event logs are collected remotely, in an agentless way, over the WMI transport (outdated) or EVT (available from Windows 7 onward; faster and more stable).
The agent has universal transports that allow collecting events from:
- Windows event log (any log or journal)
- Checkpoint LEA
- Cisco SDEE
- File logs
- Logs on ftp servers
- Hash logs (running processes and their SHA1/MD5/SHA256 hashes)
- Logs in MySQL/Oracle/MS SQL tables or views
- WMI logs
- Installed Software and Patch Information
- Information on open ports and their processes
Automatic agent installation
The agent can be deployed from the .msi distribution kit locally or automatically on multiple devices by another controlling agent.
For example, you install one controlling agent on one of the servers, specify the agent installation parameters in the Sources -> Remote Installation section of the web interface, and that agent automatically installs the agents and monitors their health. If any controlled agent fails, its operation is automatically restored by the controlling agent.
You can specify either a single host for agent installation or add hosts in bulk from a list.
Agent Distribution and Update
The current agent distribution for 32/64-bit platforms can be downloaded from the Sources section (upper right corner). The distribution is downloaded directly from the management server installed in your company. The distribution kit on the server is updated together with the rusiem-web package, for both the commercial and the free version.
An already installed agent and its modules are updated automatically when components on the management server are updated. Updates can be disabled for individual agents through the web interface of the management server.
Channel shaping between agent and server
For agents, you can set bandwidth parameters that limit the transmission rate over weak communication channels, depending on the time of day and the day of the week.
Backup server for agents
The agent supports two servers to send events to: a primary and a backup. If the main server is unreachable, transfer goes to the backup; when the main server is restored, transfer to it resumes.
The backup server is set globally for all agents in the Settings web interface and can be overridden for an individual agent in the Sources section.
Agent management server
There can be only one agent management server. The agent polls the management server over HTTPS, logs in to it and receives the collection parameters, agent settings and transfer parameters from it. The management server can be changed by:
- editing the agent configuration file C:\Program Files\Rusiem\LogAgent.config: <add key="AdminUrl" value="https://172.16.0.124/api/v1/remote/encrypt/agent" />, where 172.16.0.124 is the IP address of the management server
- using the RuSIEM Agent Replicator utility, which allows you to remotely install, remove and manage agents
- installing a "custom" MSI package
- using the Sources -> Remote Installation section of the web interface on the controlling agent
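The first option above, editing the AdminUrl key, as an added example (not RuSIEM's own tooling). It assumes LogAgent.config is a .NET-style XML file in which the AdminUrl key sits under appSettings as <add key="AdminUrl" value="..." />; the page shows only that one line, so the surrounding configuration/appSettings structure and the sample values are assumptions. The helper keeps the documented API path, swaps only the host, and refuses to carry over a non-HTTPS URL, since the agent logs in to the management server over that channel.

```python
"""Point a LogAgent.config at a different management server.

Added example, not RuSIEM code. Assumes a .NET-style XML config whose
AdminUrl key lives under <appSettings> as <add key="AdminUrl" value="..."/>.
"""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

ADMIN_URL_XPATH = "./appSettings/add[@key='AdminUrl']"
XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'

# Constructed sample config mirroring the documented AdminUrl value.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="AdminUrl" value="https://172.16.0.124/api/v1/remote/encrypt/agent" />
    <add key="LogLevel" value="Info" />
  </appSettings>
</configuration>
"""


def get_admin_url(config_text: str) -> Optional[str]:
    """Return the AdminUrl value, or None if the key is absent."""
    node = ET.fromstring(config_text).find(ADMIN_URL_XPATH)
    return None if node is None else node.get("value")


def set_admin_url(config_text: str, new_server: str) -> str:
    """Return the config text with AdminUrl's host replaced by new_server.

    new_server is "host" or "host:port" (IP or DNS name). Only the network
    location changes; the API path of the existing value is kept. The
    scheme must already be https and stays https.
    """
    if not new_server or any(c in new_server for c in " /?#@"):
        raise ValueError("new_server must be a bare host or host:port")
    root = ET.fromstring(config_text)
    node = root.find(ADMIN_URL_XPATH)
    if node is None:
        raise ValueError("AdminUrl key not found under appSettings")
    current = urlparse(node.get("value", ""))
    if current.scheme != "https":
        raise ValueError("AdminUrl must use https, found scheme %r" % current.scheme)
    node.set("value", current._replace(netloc=new_server).geturl())
    # ET drops the declaration when serialising to str; put it back for the file.
    return XML_DECL + ET.tostring(root, encoding="unicode")
```

Read the file, pass its text to set_admin_url, and write the returned text back over LogAgent.config (keep a copy of the original first); get_admin_url on the result confirms the change took.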
Communication channel between agent and server
The agent transmits events to the primary / backup server over TCP port 3515 in encrypted form. Encryption parameters are individual for each agent.
The servers to which the agent sends events may differ from the management server.
Assign collection sources for agents
Collection sources are assigned to agents, and agents are managed, directly from the web interface.
After installation, the agent connects to the management server specified in its settings and registers on it with a unique identifier. In the case of manual installation, no collection sources are assigned to the agent by default.
NAT and DHCP support
When connecting to the management server, the agent receives a unique identifier and authentication parameters. All further work with the agent is carried out regardless of the agent's IP address or host name, so the agent may sit behind NAT.
Local agent database
The agent ships with its own built-in database with data encryption as part of the distribution package. There is no need to install or purchase third-party databases and licenses.
The built-in database acts as an intermediate store for events so that they are not lost when the connection to the server is lost.
To avoid filling the disk, there are rotation parameters that can be changed individually for each agent. By default, when the remaining free disk space falls to 15%, the agent sends a warning to the server (and in the commercial version of RuSIEM an incident is recorded according to the correlation rule). When 12% or less remains, rotation is switched on (old events are overwritten). Rotation mode is intended for mobile devices during long periods without a connection to the event-receiving server.