LogSentinel Agent

LogSentinel is using a custom-packaged agent based on Wazuh/OSSEC. The overview of the agent capabilities can be found here. The agent is open-source, licensed under GNU GPLv2

The agent is an optional component in a SIEM deployment - using the collector logs can be collected agentlessly, but the agent adds a few other features:

• host-based active response (execute commands on affected hosts)
• rootkit detection
• security configuration assessment (SCA)
• malware detection
• file integrity monitoring and registry integrity monitoring

The agent runs as a local service and has the following technical characteristics:

• communicates over encrypted TCP (default) or UDP with either the SIEM directly or with the collector
• communication is bi-directional - the agent sends logs and other information and can receive active response commands
• the agent retries requests in case of failure in communication, thus avoiding message loss
• the agent works on most platforms, the full matrix is available here
• the agent sends raw logs, and the collector or SIEM can extract structured data, e.g. IP addresses, domains, human-readable display message, etc.