Your logs are your system of record. You rely on them to understand and reconstruct activity across the environment you are accountable for.
When auditors ask for proof of compliance, logs are the first place you look. Any gap in collection can become a gap in your evidence. That can leave you with a retention requirement you cannot satisfy, or an audit request you cannot answer.
Guardsix's new log collection agent is designed to keep that record whole and under your control. Today's release helps you maintain coverage when endpoints move between networks, and forwards what it collects directly to Guardsix SIEM. Building our own log collection agent gives us a foundation we can refine and extend deliberately, starting with Windows Event Log, file and IIS logs, and covering more of your environment over time.
Complete coverage of your log sources is the baseline every retention and audit obligation rests on. Yet blind spots often open on hosts that traverse networks. A conventional collector assumes a static host at a known address. When a mobile endpoint shifts to a new network, the collector can lose it, causing coverage for that endpoint to degrade.
Our agent works the other way round. It opens an outbound connection to your collector and does not depend on a fixed address. It forwards across NAT, DHCP, dynamic DNS and multi-interface hosts, wherever the host sits. If the link drops or the host reboots, the agent spools events to local disk and forwards them on reconnect.
The result is coverage without blind spots. You lose nothing on the endpoints that move, and the audit record holds even when the network does not. Version 1.0 collects Windows Event Log channels — Security, System, Application and custom channels — alongside line-based file logs, and the same agent will extend across more of your environment in later releases.
Our agent supports audit readiness and compliance in three ways:
To illustrate how log collection plays out for a single host, let's follow one endpoint through a week: it starts behind NAT in the office, shifts to home broadband, joins shared Wi-Fi at a coffee shop, then lands on a public address at the airport. Its source IP changes at every hop. A collector that keys on IP, or assumes the host stays on one network, loses it the moment it moves.
The agent keeps pace because it connects outbound rather than waiting for an inbound session. And because Guardsix SIEM identifies it by a stable agent identity set at enrolment rather than its source IP, it stays the same agent throughout. When the link drops between networks, the agent spools events to local disk and forwards them on reconnect.
Coverage for that endpoint stays continuous wherever it goes. The host can leave the network without opening a gap in your audit record.
The path your telemetry takes is a security control in its own right. The agent forwards logs straight to your own Guardsix SIEM, directly through infrastructure you operate with no hyperscaler cloud in the path. That removes cloud dependency risk at the point of collection, keeping telemetry on your own deployment and under your own jurisdiction. When a regulator or an auditor asks whose laws govern it, the answer is straightforward.
Complete coverage only holds if a lean team can actually operate it. The agent opens a single outbound connection to one destination, in place of the multiple forwarders and firewall exceptions you might otherwise stand up. That means fewer firewall rules, a single egress port, no inbound listener, and a light footprint that stays out of the way — so no one has cause to throttle it or switch it off.
Central provisioning helps MSSPs onboard clients more efficiently. In Guardsix Fleet, you issue the certificates and authentication keys that secure each agent, and you generate its installation script. So you configure enrolment once, not host by host, then push the agent across customer environments with the deployment tooling you already run.
The agent fits the same way whether you run one site or a fleet of tenants. Agents forward logs to your Guardsix SIEM instance, with support for dedicated pools and load balancing in the topology. You can start small and grow into a larger topology without reworking the underlying structure:
If you run your own security, this is what keeps a lean team's audit record complete without adding operational load. Central setup means you are not logging into every machine to enrol it; outbound-only connections mean fewer firewall rules to argue over with the network team; and a residency claim you can make about your own logs, in your own jurisdiction, holds up the day an auditor asks.
If you run security as a service, effective log collection is the foundation that every MSSP needs to run a profitable business. This release allows you process enrolment centrally across tenants rather than one at a time. Issue certificates and authentication keys and generate installation scripts for every tenant from a single interface, so new clients start collecting sooner.
The agent is included in Guardsix SIEM 7.9.3 and above, while MSSP capabilities are available from Fleet version 2.10.1 onwards. If you rely today on third-party or self-hosted open-source collectors, you can begin moving Windows Event Log file and IIS logs in parallel. Run the agent alongside what you have and bring sources across as they fit the supported scenarios; the rest stays where it is.