We currently have all of our non-Windows devices send to Kiwi, then forward to LEM in remote locations. Is it possible to do something similar with Windows servers leveraging something like nxlog or the SolarWinds Event Log Forwarder?
The Appliance > Connectors list does not have a Windows Event Log connector defined, and therefore LEM will not support this reception method.
The agents are 'currently' used, but there is a roadmap item to support collection of Windows event logs without the use of agents.
You may be able to use the Windows centralization of event logs to accomplish this while the LEM team continues their work on native agentless collection. This piggybacks on WinRM/Windows Remote Management to forward events to a central Windows event log server that you'd then have the LEM agent on. I'd test this with a couple of systems first to make sure that all the data gets reported correctly.
Configure Computers to Forward and Collect Events
How to configure Windows Event Log Forwarding
You will be missing the ability to do active responses or USB device monitoring/protection without an agent (which is historically why LEM does not have an agentless collection method, not to mention agents have wavered from "no big deal" to "please god, no more agents" and back again over the course of time).
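To make the suggestion above concrete, here is an added example; it is not part of the thread and is not SolarWinds' or Microsoft's own code. It is a PowerShell script that creates a source-initiated Windows Event Forwarding subscription on the Windows server that will carry the LEM agent, plus a helper to prepare each forwarding source. The subscription name LEM-Security, the collector address, the selection of Security event IDs and the Refresh interval are assumptions chosen for illustration; wecutil, winrm, the Event Log Readers group and the Subscription Manager policy key are the standard Windows pieces that WEF is built on.

```powershell
# Added example (not from the thread). Run elevated on the collector, i.e. the Windows
# server that will host the LEM agent and whose ForwardedEvents log the agent will read.
# Assumptions: subscription name "LEM-Security", domain-joined sources, WinRM over HTTP (5985).

$SubscriptionName = 'LEM-Security'   # assumed name

# Subscription definition. ContentFormat=RenderedText makes each source render the event
# (message text, localized strings) before sending; SID-valued fields in EventData are
# still transmitted as SIDs, which is the translation concern discussed further down.
# The SDDL in AllowedSourceDomainComputers grants all Domain Computers the right to forward.
$subscriptionXml = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>$SubscriptionName</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Security log from remote servers, collected for the LEM agent</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Custom</ConfigurationMode>
  <Delivery Mode="Push">
    <Batching><MaxItems>1</MaxItems><MaxLatencyTime>1000</MaxLatencyTime></Batching>
    <PushSettings><Heartbeat Interval="60000"/></PushSettings>
  </Delivery>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <!-- assumed starting set: logons, account/group changes, object access -->
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4720 or EventID=4728 or EventID=4732 or EventID=4663)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)</AllowedSourceDomainComputers>
</Subscription>
"@

# Collector side: enable the Windows Event Collector service, then register the subscription.
wecutil qc /q
$xmlPath = Join-Path $env:TEMP "$SubscriptionName.xml"
$subscriptionXml | Set-Content -Path $xmlPath -Encoding ASCII
wecutil cs $xmlPath
wecutil gs $SubscriptionName        # print the subscription as the collector stored it

function Initialize-WefSource {
    # Run elevated on each server that should forward (or push the same settings via GPO:
    # Computer Configuration > Administrative Templates > Windows Components >
    # Event Forwarding > Configure target Subscription Manager).
    param([Parameter(Mandatory)][string]$CollectorFqdn)

    # 1. WinRM must be listening.
    winrm quickconfig -q
    # 2. The WinRM service runs as NETWORK SERVICE and needs read access to the Security log.
    net localgroup "Event Log Readers" "NT AUTHORITY\NETWORK SERVICE" /add
    # 3. Tell the source which collector to poll for subscriptions (Refresh is in seconds).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name '1' -PropertyType String -Force `
        -Value "Server=http://$($CollectorFqdn):5985/wsman/SubscriptionManager/WEC,Refresh=60" | Out-Null
    gpupdate /force
}

# Example call on a source (collector name is an assumption):
# Initialize-WefSource -CollectorFqdn 'lem-collector.example.local'
```

Once a source has checked in, `wecutil gr LEM-Security` on the collector lists each source and its last heartbeat, and events start landing in the ForwardedEvents log with the originating host in the Computer field, which is what the LEM agent on the collector then reads.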
The detection IP should stay the same regardless of it being forwarded.
Yeah, I think your biggest risks are things like events where the SIDs/GUIDs get posted into the event, and those SIDs/GUIDs need to be translated on the local system for them to come across as full account names and not raw SIDs/GUIDs. The event log reader that LEM uses now locally does this translation in real time.
I would test change events on the remote system (the forward-ee) by both local and domain users, then login/failures from local and domain users, then file and object audit events from local and domain users. That'll cover a large swath of risky events. It would (edit: BE A BIG BUMMER) to get something that said someone was added to local admins or a file was deleted and then have to figure out how to translate a GUID/SID later...
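The test the reply above suggests, as an added example that is not part of the thread and not SolarWinds' code: a PowerShell check run on the collector that reads the forwarded logon, account/group-change and object-access events, pulls every SID-valued field out of each event's XML, and tries to resolve it on the collector the same way an agent reading the log on the source would. Fields that fail to resolve are exactly the ones that would reach LEM as raw SIDs. It assumes the subscription writes to the ForwardedEvents log; the event IDs are the standard Security log ones.

```powershell
# Added example (not from the thread). Run on the collector after the test logons, group
# changes and file-audit events have been generated on a forwarding source by both a
# local and a domain account. Assumes forwarded events land in ForwardedEvents.

# Security log IDs: logon, failed logon, user created, member added to global group,
# member added to local group, object access.
$idsOfInterest = 4624, 4625, 4720, 4728, 4732, 4663

function Test-ForwardedSidResolution {
    param([int]$MaxEvents = 500, [string]$LogName = 'ForwardedEvents')

    $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $idsOfInterest } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($ev in $events) {
        $x = [xml]$ev.ToXml()
        $source = $x.Event.System.Computer          # the forwarding host, not the collector

        # Every EventData field whose name ends in Sid (SubjectUserSid, TargetSid,
        # MemberSid, ...). S-1-0-0 is the NULL SID placeholder, e.g. in 4625, not an account.
        $sidFields = @($x.Event.EventData.Data) |
            Where-Object { $_ -and $_.Name -like '*Sid' -and $_.'#text' -match '^S-1-' -and $_.'#text' -ne 'S-1-0-0' }

        foreach ($f in $sidFields) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($f.'#text')
            try {
                # Same lookup a local reader does: SID -> DOMAIN\name or MACHINE\name.
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
                $status  = 'resolved'
            } catch {
                # IdentityNotMappedException surfaces here. Local accounts and groups of the
                # *source* machine fail: the collector has no way to map another host's local SIDs.
                $account = $null
                $status  = 'UNRESOLVED'
            }
            [pscustomobject]@{
                Source  = $source
                EventId = $ev.Id
                Field   = $f.Name
                Sid     = $f.'#text'
                Account = $account
                Status  = $status
            }
        }
    }
}

# Which (source, event id, field) combinations would reach LEM as raw SIDs?
Test-ForwardedSidResolution |
    Where-Object Status -eq 'UNRESOLVED' |
    Group-Object Source, EventId, Field |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Expect domain SIDs to resolve and the source's own local SIDs (its local Administrators group in 4732, a local user in 4624/4625) to show up as UNRESOLVED; if those rows are empty for a source where you deliberately used a local account, check that the event actually carried a SID field rather than an already-rendered name before concluding translation is fine.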