Alert Logic® SIEMless Threat Management™ Essentials and Professional offerings are licensed based on the number of nodes that are protected in your environment. The following article describes what a node is and how node usage is calculated.
Cloud Environment Nodes
For customers with Amazon Web Services (AWS) or Microsoft Azure deployments, Alert Logic integrates with Cloud Provider APIs to determine the number of AWS EC2 and/or Azure Virtual Machine instances in your defined protected networks.
Individual containers are not counted as nodes. Rather, Alert Logic counts the underlying instances. Similarly, cloud services not deployed on instances in your environment are not counted as nodes. If you stay below 100MB of log data per licensed node per day, these additional sources are effectively "free." If aggregate account usage exceeds an average of 100MB per node per day, Alert Logic provides offerings to cover the additional data.
Node usage snapshots in AWS and Azure are taken hourly; all hourly measurements are averaged to calculate usage for a given month.
On-Premises Environment Nodes
Alert Logic identifies nodes for on-premises environments via two different methods. First, hosts with successfully provisioned agents are always counted as nodes. Even when a host has multiple IP addresses, it will be counted as a single node.
Because some hosts in your protected network, such as network devices, may not have an agent, discovery scans are also used to identify nodes. Discovery scans are performed daily and will capture any device in a protected network with a port open.
Node usage is calculated by de-duplicating agent and discovery scan results. Daily node counts are averaged over a calendar month to determine usage.
Usage is aggregated across all deployments (AWS, Azure, on-premises, etc.). As long as your average number of nodes for the month is less than your entitlement, you are within your license. This methodology offers several benefits:
- Nodes are a simple concept. It is far easier to count servers and network devices than it is to estimate log volume and network traffic.
- Alert Logic measures usage based on average utilization rather than peak or 95th percentile. This reduces licensing costs and volatility, particularly for cloud customers operating variable workloads.
- Alert Logic does not charge for serverless data sources, so long as you stay within the 100MB per day per node data entitlement. We see that 100MB per day per node is adequate for most customer workloads and provides some room for additional serverless data sources.
- When a customer is deployed in AWS or Azure, or when an agent is present in another environment, Alert Logic charges for only a single node for a host with multiple IP addresses.
Note: Alert Logic does not count its own appliances as nodes, and whitelisting does not factor into node count.