News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
May 28, 2024 deployment

What is agentless log collection?

By Tamás Burtics

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

Agentless log collection refers to gathering log data from various sources without installing dedicated software agents on the systems generating the logs. Instead, it leverages protocols such as SNMP traps, WECS, WMI, and syslog to retrieve log data remotely.

It is easier to explain what agentless log collection is by also providing some context about agent-based log collection. The truth is that these two options for collecting logs walk hand in hand, meaning that they can and will likely coexist on your network. Interestingly, when people talk about this topic, it often turns into a debate about which log collection method is better. Here comes the spoiler: neither method is better than the other, and to give an extra twist to the story, this isn’t even an entirely valid statement. It is really like comparing apples and oranges.

I would like to emphasize that whenever possible, you should always use an agent for collecting logs, as an agent-based log collection method almost always brings more to the table. Agent-based log collection provides more features, allows for filtering, trimming, and parsing right at the source, and generally has much more benefits. But, there is always a but…​

Why and when to use agentless log collection?

network devices

There are scenarios where installing a log collection agent is not possible, for various reasons.

In the case of network devices, such as hubs, routers, firewalls, switches, or networked printers, the operating system is embedded. So, installing any third-party software is simply impossible, as the operating system cannot accommodate that. There are also scenarios where requirements may be in place that prevent the installation of a log collection agent, such as security or mandatory compliance reasons. In these cases, there is no other choice but to opt for agentless log collection.

However, this does not mean you must eliminate a versatile log collection agent, as it still has an important role further down the chain.

Do you still need an agent?

Well, yes! Especially if you use NXLog, as it provides an agent that does more than just collecting logs. You can use it as a log aggregator and log relay, which as I mentioned, becomes very important in the journey of your log records. Just because you do not use an agent on your end devices (where the logs are coming from), it does not mean that they will send the logs directly to your SIEM. This is something that you should try to avoid at all costs:

  • Configuring many devices to directly send log data to your SIEM quickly becomes cumbersome to manage.

  • It can seriously jeopardize your IT security if you have a cloud-based SIEM, since that requires opening up your network to the cloud from many devices.

  • You should always have your logs enter their final destination already filtered, trimmed, parsed, and noise-free. With NXLog, if you use agent-based log collection, this is done at the source. If you use agentless log collection, where at best only basic filtering can be done at the source, you should perform this as a next step.

In the case of agentless log collection, the journey of the log data should not differ. The only difference is how the logs get to the "first hop", using a networking analogy.

The diagrams below outline how this works in a simplified way.

In the diagram, NXLog agents are installed on all nodes and are responsible for filtering, parsing, trimming, and clearing out all unnecessary noise. Then, only the necessary and valuable log data enters the network, heading to a central NXLog relay server. In a typical scenario, this central server aggregates all your logs and directs them to their final destination, or often times multiple destinations. If the destination of your logs is in the cloud or outside your local network, then this is the only machine with a connection to the internet, which has significant security benefits.

Agent-based log collection

The flow in the second diagram is the same, except that no agents are installed on the nodes. The nodes send log records using various protocols to the central NXLog server. In this case, the log records are mostly unfiltered, without trimming, parsing, or any normalization.

This is the point where the features of NXLog become very handy, as you need to get your log data in the best possible shape, the very latest at this point.

Agentless log collection

Importance of log aggregation

Well, adding an extra step to the process sounds like complicating the journey of your logs, but you should always perform log aggregation. In addition to the previously mentioned security benefits, aggregating your logs to a central relay poses many other benefits:

  • You can separate the route your different logs take, for example:

    • Forwarding your database logs to destination A and your Domain Controller logs to Destination B.

    • Forwarding all your logs with a certain severity to destination C and the remaining ones to destination D.

    • Forwarding any of your logs to multiple destinations at the same time.

    • …​or literally whatever requirement you might have, since NXLog supports as many routes as needed.

  • This is the only machine that needs an internet connection.

  • All your logs are streamlined to your SIEM or analytics solution, considerably simplifying the integration between the systems.

  • In the case of agentless log collection, the aggregation step is the best place to filter, trim, parse, and generally normalize your logs before reaching your SIEM or analytics solution. In itself, this has many benefits, from reducing network traffic to having better analytics with easier visibility of malicious activity.

Takeaways

After understanding what agentless log collection is, let’s recap the following takeaways:

  • Agentless log collection and agent-based log collection are not mutually exclusive, just suited to different use cases. In the wild, you’ll need to leverage a mixture of agent-based and agentless log collection techniques to onboard disparate log events into your SIEM or forward them to other types of destinations.

  • Agentless log collection is best suited for network devices and any scenario where an agent cannot be installed.

  • In the case of agentless log collection, the logs follow the same route as they would follow in agent-based log collection.

  • In the case of agentless log collection, filtering, trimming, and normalization are done a stage later, as they cannot be done at the source.

  • Log aggregation is still an integral part of the log data journey when using an agentless log collection method.

Finally, be sure to also check out our in-depth comparison of the agent-based and agentless log collection strategies.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • deployment
  • strategy
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

The benefits of log aggregation
8 minutes | August 1, 2022
Log aggregation with NXLog
4 minutes | January 3, 2022
How can I monitor file access on Windows?
6 minutes | May 26, 2023

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us