Documentation for Security Event Manager

About the SEM agent

The SEM Agent is installed on workstations, servers, and other network devices. It collects and normalizes log data in real time before it is sent to the SEM Manager. By default, it also collects security data such as Windows Application, Windows System, and Windows Security event logs, and transmits that data over TCP to the SEM Manager.

Of these three, only the Windows Security connector tracks 100% of its event log by default. The Windows Application and Windows System logs also receive entries written by other software, such as antivirus products, and collection of those vendor-specific entries is not enabled by default; it must be configured separately.
For example, suppose a host runs McAfee Antivirus, which writes to the Windows Application log. The Windows Application connector will not read those events; only the McAfee connector reads and normalizes them, because they are vendor-specific events rather than Windows log events. The same applies to printer logging, IIS logging, WSUS logging, and similar sources.
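Before relying on the Windows Application and System connectors, it is worth knowing which providers actually write to those logs on a given host, since anything that is not a native Windows provider will need its own vendor connector. The following PowerShell script is an added example, not code from the SolarWinds documentation or the SEM product: it samples recent events from both logs, groups them by provider, and flags the non-Windows ones. The sample size, lookback window, and the heuristic used to label a provider as native Windows are assumptions chosen for illustration.

```powershell
# Added example (not part of the SEM documentation): inventory the event
# providers writing to the Windows Application and System logs and flag the
# third-party ones (antivirus, printer, IIS, WSUS, ...) that the Windows
# Application/System connectors will not normalize. Run in an elevated prompt
# on the monitored host.
param(
    [string[]]$LogNames     = @('Application', 'System'),
    [int]     $MaxEvents    = 5000,   # assumption: events sampled per log
    [int]     $LookbackDays = 7       # assumption: look at the last week
)

$since = (Get-Date).AddDays(-$LookbackDays)

# Assumption for illustration: providers named 'Microsoft-Windows-*' plus a few
# well-known core providers are treated as native Windows sources; everything
# else is treated as a vendor/application source that needs its own connector.
$coreProviders = @('Service Control Manager', 'EventLog', 'Microsoft-Windows-Kernel-General')

function Get-ProviderInventory {
    param([string]$LogName)

    $filter = @{ LogName = $LogName; StartTime = $since }
    # -ErrorAction SilentlyContinue: Get-WinEvent throws if no events match
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($group in ($events | Group-Object -Property ProviderName)) {
        $isNative = (($group.Name -like 'Microsoft-Windows-*') -or ($group.Name -in $coreProviders))
        [pscustomobject]@{
            Log      = $LogName
            Provider = $group.Name
            Events   = $group.Count
            Source   = if ($isNative) { 'Windows' } else { 'Vendor/Application' }
        }
    }
}

$inventory = foreach ($log in $LogNames) { Get-ProviderInventory -LogName $log }

# Full picture: every provider seen, busiest first within each log and source class
$inventory | Sort-Object Log, Source, Events -Descending |
    Format-Table Log, Source, Provider, Events -AutoSize

# Providers the Windows Application/System connectors will skip; each of these
# needs a dedicated vendor connector (or its events will not reach SEM).
$inventory | Where-Object Source -eq 'Vendor/Application' |
    Select-Object -ExpandProperty Provider -Unique
```

The second list is the actionable output: compare it against the connectors enabled on the agent, and treat any provider that has no matching connector as an event source that is currently not being collected. The native/vendor heuristic is deliberately coarse (several Microsoft components log under names that do not start with `Microsoft-Windows-`), so review the full table rather than trusting the labels blindly.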

The SEM Agent has a small footprint on the device and protects log data against tampering during collection and transmission. You can also use the SEM Agent with devices that support syslog: the Agent forwards syslog messages to the SEM Manager over TCP. TCP is preferred over UDP because TCP provides reliable, ordered delivery, whereas UDP can silently drop or reorder messages.

The SEM Agent provides the following benefits:

  • Captures events in real time.
  • Encrypts and compresses the data for efficient and secure transmission to the SEM Manager.
  • Buffers the events locally if network connectivity to the SEM Manager is lost, so that they can be delivered once the connection is restored.