Collecting logs from a Windows system

OSSIM uses NXLog to collect Windows events and forward them to a sensor. NXLog is a universal log collection and forwarding agent for basic Windows event logs, and it is also useful in its own right for suppressing spurious events before they leave the host. NXLog collects this audit log data and forwards it to the OSSIM server over the syslog protocol on UDP port 514.

There are two ways in which you can implement this agent and integrate it with your OSSIM server to collect and forward events from your Windows systems:

  1. Install and configure NXLog CE across your Windows hosts, using a custom NXLog configuration to capture non-Windows events on your end servers. This method is explained in the next section.

  2. Use the Windows Event Collector sensor app to manage the NXLog subscription used to forward your Windows logs directly to a deployed OSSIM server. With this method, the OSSIM server acts as the collector and the Windows host forwards the logs directly to the sensor over a private IP address, not over the public internet (https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/setup/windows-event-collector-app.htm).

NXLog provides an open source version and a paid, enterprise version. The OSSIM sensor integration using the Windows Event Collector sensor app is based on the enterprise version. The alternative method is based on the open source NXLog Community Edition.
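As an added example (not taken from the book or from AlienVault's documentation), the following NXLog CE configuration implements the first method: it reads the Security, System and Application channels, drops two high-volume event IDs on the host, and forwards the remainder as BSD syslog to the sensor on UDP 514. The install path and the sensor address are assumed placeholders.

```apache
## Constructed NXLog CE configuration for a Windows host (nxlog.conf).
## Paths match the default NXLog CE install directory; adjust if needed.
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir  %ROOT%\data
Pidfile   %ROOT%\data\nxlog.pid
SpoolDir  %ROOT%\data
LogFile   %ROOT%\data\nxlog.log

# xm_syslog provides to_syslog_bsd(), the format the OSSIM syslog collector expects.
<Extension syslog>
    Module  xm_syslog
</Extension>

# Read the Security, System and Application channels through the Windows Event Log API.
<Input win_events>
    Module  im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*</Select>
                <Select Path="System">*</Select>
                <Select Path="Application">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    # Suppress spurious, high-volume events before they cross the wire:
    #   5156 = Windows Filtering Platform permitted a connection (one per socket)
    #   4658 = handle to an object was closed (one for every 4656/4663 open)
    Exec    if ($EventID == 5156 or $EventID == 4658) drop();
</Input>

# Forward as BSD syslog over UDP/514 to the OSSIM sensor on the private network.
<Output ossim_sensor>
    Module  om_udp
    # Placeholder: replace with the sensor's private IP address.
    Host    10.0.0.10
    Port    514
    Exec    to_syslog_bsd();
</Output>

<Route win_to_ossim>
    Path    win_events => ossim_sensor
</Route>
```

Because UDP syslog is unauthenticated and unencrypted, keep the sensor on a private network segment as the text describes, and confirm the drop filter is not discarding events your detection content relies on before rolling it out fleet-wide.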
