LogSentinel Agent
LogSentinel uses a custom-packaged agent based on Wazuh/OSSEC. An overview of the agent capabilities can be found here. The agent is open source, licensed under the GNU GPLv2.
The agent is an optional component in a SIEM deployment: logs can be collected agentlessly using the collector, but the agent adds a few other features:
- host-based active response (execute commands on affected hosts)
- rootkit detection
- security configuration assessment (SCA)
- malware detection
- file integrity monitoring and registry integrity monitoring
The agent runs as a local service and has the following technical characteristics:
- communicates over encrypted TCP (default) or UDP with either the SIEM directly or with the collector
- communication is bi-directional - the agent sends logs and other information and can receive active response commands
- the agent retries on communication failure, so messages are not lost
- the agent works on most platforms; the full matrix is available here
- the agent sends raw logs, and the collector or SIEM extracts structured data, e.g. IP addresses, domains and a human-readable display message
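Because the agent is Wazuh/OSSEC-based, its features map onto the familiar ossec.conf modules. The fragment below is an added example, not taken from the LogSentinel documentation or packaging: it assumes the stock Wazuh agent configuration schema applies, uses a placeholder collector hostname, and enables each capability listed above (encrypted TCP transport, file and registry integrity monitoring, rootkit detection, SCA and active response) on a single host.

```xml
<ossec_config>
  <!-- Transport: encrypted TCP (the documented default) to the collector or SIEM.
       collector.example.internal is a placeholder; replace with your collector address. -->
  <client>
    <server>
      <address>collector.example.internal</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
  </client>

  <!-- File integrity monitoring (syscheck): real-time on a few high-value paths,
       scheduled full scan every 12 hours; registry monitoring applies on Windows hosts. -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  </syscheck>

  <!-- Rootkit detection -->
  <rootcheck>
    <disabled>no</disabled>
  </rootcheck>

  <!-- Security configuration assessment (SCA) -->
  <sca>
    <enabled>yes</enabled>
  </sca>

  <!-- Allow the agent to execute active-response commands received from the SIEM -->
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
```

Whether a given module key is honoured by the LogSentinel build should be confirmed against the agent's shipped configuration before relying on it.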