Ideal way to send Windows logs to Sentinel?

seclabs.andrew.will

Currently, I have the Sentinel Agent installed on the windows machines. Would the best solution be to install edge on the all the window machines and send to stream or forward all the logs to a central windows machine and then send from there with Edge?

xpac xpac

I' put Edge on each box, and collect the events from there. Forwarding to a central box is something I'd avoid, to have less of a SPOF.

If you do it, I'd use Stream for the central box instead of Edge.

xpac xpac

I' put Edge on each box, and collect the events from there. Forwarding to a central box is something I'd avoid, to have less of a SPOF.

If you do it, I'd use Stream for the central box instead of Edge.

Jon Rust

I agree with XPAC. Ideally you'd install Edge on each server to take full advantage of all the features Edge gives you: Metrics, WinEvents, syslogd journal, file monitoring, teleport, Cribl Search, and more. But it's not required. In many cases you can use an existing agents to send data to a centralized Cribl Stream worker group.

Edge is intended to be installed in a distributed fashion, collecting local logs on instances it's installed on. It is not intended to scale up to a centralized aggregation point. That's Stream's job.