Product Updates

Introducing the Guardsix log collection agent, available today

Written by Austin Mitchell | Jul 8, 2026 5:47:03 AM

Your logs are your system of record. You rely on them to understand and reconstruct activity across the environment you are accountable for.

When auditors ask for proof of compliance, logs are the first place you look. Any gap in collection can become a gap in your evidence. That can leave you with a retention requirement you cannot satisfy, or an audit request you cannot answer. 

Guardsix's new log collection agent is designed to keep that record whole and under your control. Today's release helps you maintain coverage when endpoints move between networks, and forwards what it collects directly to Guardsix SIEM. Building our own log collection agent gives us a foundation we can refine and extend deliberately, starting with Windows Event Log, file and IIS logs, and covering more of your environment over time.

A record without gaps for the endpoints that move

Complete coverage of your log sources is the baseline every retention and audit obligation rests on. Yet blind spots often open on hosts that traverse networks. A conventional collector assumes a static host at a known address. When a mobile endpoint shifts to a new network, the collector can  lose it, causing coverage for that endpoint to degrade. 

Our agent works the other way round. It opens an outbound connection to your collector and does not depend on a fixed address. It forwards across NAT, DHCP, dynamic DNS and multi-interface hosts, wherever the host sits. If the link drops or the host reboots, the agent spools events to local disk and forwards them on reconnect.

The result is coverage without blind spots. You lose nothing on the endpoints that move, and the audit record holds even when the network does not. Version 1.0 collects Windows Event Log channels — Security, System, Application and custom channels — alongside line-based file logs, and the same agent will extend across more of your environment in later releases.

Our agent supports audit readiness and compliance in three ways:

  • Certificates and authentication keys are issues from a central interface for securing each agent and generating installation scripts. One standardised agent everywhere helps endpoints, sites, and tenants begin collecting sooner.
  • Outbound connections are supported by disk buffering and continuously initiated through drops and reboots. The record keeps flowing from roaming and remote devices even as they move. No blind spots, no lost logs, no broken audit trail.
  • Logs route to your own Guardsix SIEM or your own collectors without being forced through a hyperscaler cloud, so you can meet residency requirements through architecture, instead of trying to work around them.

Example: An employee's traveling laptop

To illustrate how log collection plays out for a single host, let's follow one endpoint through a week: it starts behind NAT in the office, shifts to home broadband, joins shared Wi-Fi at a coffee shop, then lands on a public address at the airport. Its source IP changes at every hop. A collector that keys on IP, or assumes the host stays on one network, loses it the moment it moves.

The agent keeps pace because it connects outbound rather than waiting for an inbound session. And because Guardsix SIEM identifies it by a stable agent identity set at enrolment rather than its source IP, it stays the same agent throughout. When the link drops between networks, the agent spools events to local disk and forwards them on reconnect.

Coverage for that endpoint stays continuous wherever it goes. The host can leave the network without opening a gap in your audit record.

Why sovereignty matters 

The path your telemetry takes is a security control in its own right. The agent forwards logs straight to your own Guardsix SIEM, directly through infrastructure you operate with no hyperscaler cloud in the path. That removes cloud dependency risk at the point of collection, keeping telemetry on your own deployment and under your own jurisdiction. When a regulator or an auditor asks whose laws govern it, the answer is straightforward.

Run it with a lean team

Complete coverage only holds if a lean team can actually operate it. The agent opens a single outbound connection to one destination, in place of the multiple forwarders and firewall exceptions you might otherwise stand up. That means fewer firewall rules, a single egress port, no inbound listener, and a light footprint that stays out of the way — so no one has cause to throttle it or switch it off.

Central provisioning helps MSSPs onboard clients more efficiently. In Guardsix Fleet, you issue the certificates and authentication keys that secure each agent, and you generate its installation script. So you configure enrolment once, not host by host, then push the agent across customer environments with the deployment tooling you already run.

 

Deploy log collection on your terms

The agent fits the same way whether you run one site or a fleet of tenants. Agents forward logs to your Guardsix SIEM instance, with support for dedicated pools and load balancing in the topology. You can start small and grow into a larger topology without reworking the underlying structure:

  • Standalone — a single Guardsix SIEM, with agents connecting directly. It is the quickest to stand up for immediate results.
  • Load-balanced collector pool (high availability) — an active/active pool of collectors behind a load balancer, so collection carries on if one collector drops.
  • Dedicated collector pools — pinned agent groups, each with its own collector and no load balancer, so you can separate traffic or spread load by hand.
  • Fleet management — central provisioning across several Guardsix SIEMs at once. Each tenant runs its own local collector and agents, and you issue certificates and authentication keys and generate installation scripts for all of them from one place.


What this means for you

If you run your own security, this is what keeps a lean team's audit record complete without adding operational load. Central setup means you are not logging into every machine to enrol it; outbound-only connections mean fewer firewall rules to argue over with the network team; and a residency claim you can make about your own logs, in your own jurisdiction, holds up the day an auditor asks.

If you run security as a service, effective log collection is the foundation that every MSSP needs to run a profitable business. This release allows you process enrolment centrally across tenants rather than one at a time. Issue certificates and authentication keys and generate installation scripts for every tenant from a single interface, so new clients start collecting sooner.

What to do now

The agent is included in Guardsix SIEM 7.9.3 and above, while MSSP capabilities are available from Fleet version 2.10.1 onwards. If you rely today on third-party or self-hosted open-source collectors, you can begin moving Windows Event Log file and IIS logs in parallel. Run the agent alongside what you have and bring sources across as they fit the supported scenarios; the rest stays where it is. 

  • For partners and customers running Guardsix today, reach out to your point of contact and ask about log collector migration. 
  • If you're new to Guardsix, book a demo and find out how we can help you re-assess your log management dependencies.