Documentation for Security Event Manager

About the SEM Agent

The SEM Agent is installed on workstations, servers, and other network devices. The agent collects and normalizes log data in real time before it is sent to the SEM Manager. By default, the agent also collects security data (such as Windows application, Windows system, and Windows security event logs) and transmits that data over TCP to the SEM Manager.

The Windows Security connector tracks 100% of the event logs by default. The Windows application and Windows system logs, however, can also receive logs from other applications, such as antivirus logs. Collection of those application logs is not enabled by default and must be configured.

For example, if you are running McAfee Antivirus (which may write to the Windows Application log), the Windows Application connector will not read these events. Instead, the McAfee connector will read and normalize these events because they are vendor-specific and not Windows log events. The same applies to Printer logging, Internet Information Services (IIS) logging, Windows Server Update Services (WSUS) logging, and so on.
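As an added illustration (not SolarWinds code), the routing rule above can be modelled to check for collection gaps: events that belong to a vendor connector are not read by the generic Windows Application connector, so until that vendor connector is configured they are not collected at all. The provider names, the connector table and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    log: str       # Windows log the record was written to (Application, System, Security)
    provider: str  # event source as shown in Event Viewer
    message: str

# Hypothetical provider -> vendor connector table (an assumption, not SEM's real mapping).
VENDOR_CONNECTORS = {
    "McAfee": "McAfee Antivirus",
    "Microsoft-Windows-PrintService": "Printer",
    "IIS": "IIS",
    "WSUS": "WSUS",
}

# Connectors the text says are on by default; vendor connectors must be configured.
DEFAULT_CONNECTORS = {"Windows Application", "Windows System", "Windows Security"}

def route(event: Event) -> str:
    """Return the connector that reads this event: the vendor-specific one if it
    exists, otherwise the generic connector for the Windows log it was written to."""
    return VENDOR_CONNECTORS.get(event.provider, f"Windows {event.log}")

def coverage(events, enabled=DEFAULT_CONNECTORS):
    """Split events into those a configured connector collects and those dropped
    because the connector that owns them is not enabled."""
    collected, dropped = [], []
    for ev in events:
        (collected if route(ev) in enabled else dropped).append((route(ev), ev))
    return collected, dropped

# Constructed sample events, not captured from a real host.
SAMPLE = [
    Event("Security", "Microsoft-Windows-Security-Auditing", "4625 logon failure"),
    Event("Application", "MSSQLSERVER", "login failed for user 'sa'"),
    Event("Application", "McAfee", "On-access scan detected EICAR test file"),
    Event("System", "Service Control Manager", "service entered the stopped state"),
]

if __name__ == "__main__":
    got, lost = coverage(SAMPLE)
    for name, ev in lost:
        print(f"NOT COLLECTED: enable the {name} connector for {ev.provider}: {ev.message}")
```

Running it with the default connector set reports the McAfee event as not collected; adding "McAfee Antivirus" to the enabled set clears the gap.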

The SEM agent creates a small footprint on the device and prevents log tampering during data collection and transmission. You can also use the SEM agent with devices that support syslog. The agent transmits syslog messages over TCP to the SEM Manager. TCP is preferred over UDP because TCP ensures that all messages arrive intact.

The SEM agent provides the following benefits:

  • Captures events in real time.
  • Encrypts and compresses the data for efficient and secure transmission to the SEM Manager.
  • Buffers the events locally if you lose network connectivity to the SEM Manager.