Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF), to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.
We use NXLOG at Securonix.
I would suggest if you need to deploy agents on Windows your probably best using Group Policies in Active Directory and an MSI installer.
WMI can be used to collect logs, but I highly recommend against it. It's insecure using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer and requires DLLs to decode the binary format.
Sensors implies traffic collection and layer 2 devices (Corelight, Gigamon, Extrahop), and is an entirely different process.
You will probably have to deploy at least one log collector for the Vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for it's patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight connector Appliance, QRadar Event Processor).
Puppet, Teraform and other Cloud tools can help with deployment of collectors on cloud environments.
Search for a product comparison in Security Information and Event Management (SIEM)
Find out what your peers are saying about Splunk, Wazuh, Microsoft and others in Security Information and Event Management (SIEM). Updated: January 2025.
Security Information and Event Management (SIEM) tools offer comprehensive visibility and management of an organization’s security events through real-time analysis and correlation of data from multiple sources.
SIEM solutions provide a centralized platform for managing security alerts and logs from various sources such as network devices, servers, and applications. They help identify and mitigate potential threats by analyzing event data for unusual patterns and correlations. These tools...
Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF), to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.
We use NXLOG at Securonix.
I would suggest if you need to deploy agents on Windows your probably best using Group Policies in Active Directory and an MSI installer.
WMI can be used to collect logs, but I highly recommend against it. It's insecure using COM/DCOM ports 135-138 to query, then SMB 445 for file transfer and requires DLLs to decode the binary format.
Sensors implies traffic collection and layer 2 devices (Corelight, Gigamon, Extrahop), and is an entirely different process.
You will probably have to deploy at least one log collector for the Vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for it's patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight connector Appliance, QRadar Event Processor).
Puppet, Teraform and other Cloud tools can help with deployment of collectors on cloud environments.
Some products permit generating a native .MSI package. Sometimes, you can use PowerShell for connecting and installing packs in your environment.
Not-trivial: using a secondary tool (an administrative tool, iLo/iDRAC, PHP, expect, ssh-win, ...) is available or built-in over assets.
https://docs.microsoft.com/en-...