Alert Logic MDR Essentials and Professional and Fortra XDR offerings are licensed based on the number of nodes that are protected in your environment. This article describes what a node is and how node usage is calculated, including the differences between Alert Logic MDR and Fortra XDR.
Cloud Environment Nodes
For customers with Amazon Web Services (AWS) or Microsoft Azure deployments, Alert Logic integrates with Cloud Provider APIs to determine the number of AWS EC2 and Azure Virtual Machine instances in your defined protected networks.
Individual containers are not counted as nodes. For containerized deployments such as Amazon EKS and Azure AKS, each host in a cluster counts as a single node, regardless of the number of individual containers or pods that are running within that cluster and have the agent installed. Similarly, cloud services not deployed on instances in your environment are not counted as nodes.
Node usage snapshots in AWS and Azure are taken hourly; all hourly measurements are averaged to calculate usage for a given month.
On-Premises Environment Nodes
Alert Logic identifies nodes for on-premises environments via two different methods. First, hosts with successfully provisioned agents are always counted as nodes. Even when a host has multiple IP addresses, it will be counted as a single node.
Because not every host in your protected network may have an agent (network devices, for example), discovery scans are also used to identify nodes. Discovery scans are performed daily or weekly and capture any device in a protected network with a port open.
Node usage is calculated by de-duplicating agent and discovery scan results. Daily node counts are averaged over a calendar month to determine usage.
Extended Endpoint Protection Nodes
Because Extended Endpoint Protection (EEP) is a separate agent, Alert Logic counts EEP nodes toward Essentials and Professional entitlements separately. For example, an organization with 100 nodes of Essentials can perform vulnerability scanning on 100 systems and deploy up to 100 EEP agents on the same or different systems. Likewise, an organization with 100 nodes of Professional and 500 nodes of Essentials could deploy up to 600 EEP agents on the systems of their choice since both Professional and Essentials include an EEP entitlement.
Third-party Endpoint Protection Sources (Fortra XDR)
Any hosts protected by third-party endpoint software collected by Alert Logic are counted as Fortra XDR nodes.
Log Usage
Each licensed node includes 100 MB of daily log ingestion for Alert Logic MDR customers and 167 MB of daily log ingestion for Fortra XDR customers. Any individual host or log source may collect more than this volume of log data, as long as the total daily volume of all log sources is less than the number of licensed nodes multiplied by the daily allowance.
Node Usage
Usage is aggregated across all deployments - including AWS, Azure, and on-premises. If your average number of nodes for the month is less than your entitlement, you are within your license. This methodology offers these benefits:
- Nodes are a simple concept. It is far easier to count servers and network devices than it is to estimate log volume and network traffic.
- Alert Logic measures usage based on average utilization rather than peak or 95th percentile. This reduces licensing costs and volatility, particularly for cloud customers operating variable workloads.
- Alert Logic does not charge for serverless data sources, though their log volume is counted toward aggregate log usage.
- When a customer is deployed in AWS or Azure, or when an agent is present in another environment, Alert Logic charges for only a single node per host, even when the host has multiple IP addresses.
Note: Alert Logic does not count its own appliances as nodes, and whitelisting does not factor into node count.
Comments
I came here because we've had a lot of questions about how to define nodes Pre-Sales. This article basically tells us that a node is a system with an agent, which is useful for in-prod questions but really doesn't help the sales team explain to customers what we will be counting as a node beyond servers and containers.