Most SIEMs shouldn't require agents. You can generally configure Windows Event Forwarding (WEF) to a Windows Event Collector (WEC), and then forward logs via one agent on the WEC for multiple endpoints.
We use NXLOG at Securonix.
I would suggest if you need to deploy agents on Windows you're probably best using Group Policies in Active Directory and an MSI installer.
WMI can be used to collect logs, but I highly recommend against it. It's insecure, using COM/DCOM ports 135-138 to query and then SMB 445 for file transfer, and it requires DLLs to decode the binary format.
Sensors imply traffic collection and layer 2 devices (Corelight, Gigamon, ExtraHop), which is an entirely different process.
You will probably have to deploy at least one log collector for the vendor's SIEM you deploy. Most will be a Unix host, and you'll want to make sure you plan for its patch management (many vendors don't patch after install and it's left to the customer). Some are deployed via VMs. Some supply hardware devices (ArcSight Connector Appliance, QRadar Event Processor).
Puppet, Terraform and other cloud tools can help with deployment of collectors on cloud environments.
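The WEF-to-WEC setup described in the answer above, as an added example that is not part of the original post: a source-initiated subscription on the collector, so that a single agent on the WEC (NXLog or whatever the SIEM supplies) reads ForwardedEvents for every endpoint. The collector hostname `wec01.corp.example`, the subscription name and the event ID filter are placeholders; run on the collector as Administrator.

```powershell
# Added example: configure a Windows Event Collector (WEC) for source-initiated
# Windows Event Forwarding. Hostname and subscription name are placeholders.

# 1. Enable the WinRM listener and the Windows Event Collector service.
winrm quickconfig -q
wecutil qc /q

# 2. On each forwarding SOURCE (not here), WinRM runs as Network Service and
#    needs read access to the Security log; push this via a GPO startup script
#    and restart the WinRM service afterwards:
#    Add-LocalGroupMember -Group "Event Log Readers" -Member "NT AUTHORITY\NETWORK SERVICE"

# 3. Define the subscription: logon success/failure and special-privilege
#    logons only, delivered with minimal latency into the ForwardedEvents log.
#    The SDDL allows Domain Computers (DC) and Network Service (NS) to forward.
$subscription = @"
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>Logon-Events</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward logon events from domain members (placeholder)</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>MinLatency</ConfigurationMode>
  <Query><![CDATA[
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[System[(EventID=4624 or EventID=4625 or EventID=4672)]]</Select>
      </Query>
    </QueryList>
  ]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>HTTP</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
"@
Set-Content -Path "$env:TEMP\logon-events.xml" -Value $subscription -Encoding UTF8
wecutil cs "$env:TEMP\logon-events.xml"

# 4. Point the SOURCES at this collector. Normally set via GPO:
#    Computer Configuration > Administrative Templates > Windows Components >
#    Event Forwarding > "Configure target Subscription Manager", with the value:
#    Server=http://wec01.corp.example:5985/wsman/SubscriptionManager/WEC,Refresh=60

# 5. Verify on the collector: list subscriptions and per-source runtime status.
wecutil es
wecutil gr Logon-Events
```

The HTTP transport on 5985 is still message-level encrypted by the Kerberos authentication WinRM uses between domain members; switch to HTTPS only if you also manage the listener certificates. Once events arrive in ForwardedEvents, the one agent on the WEC reads that single log rather than touching each endpoint.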
Find out what your peers are saying about Splunk, Microsoft, Wazuh and others in Security Information and Event Management (SIEM). Updated: November 2024.
Some products permit generating a native .MSI package. Sometimes, you can use PowerShell for connecting and installing packs in your environment.
Non-trivial: using a secondary tool (an administrative tool, iLO/iDRAC, PHP, expect, ssh-win, ...) that is available or built-in on the assets.
https://docs.microsoft.com/en-...