Yes, using the Alert Logic agent is the recommended method to send traffic to the Alert Logic appliance for on-premises deployments of Alert Logic Managed Detection & Response (MDR). While SPAN (Switched Port Analyzer) configurations can copy traffic and send it to the appliance, there are several additional benefits to using the Alert Logic agent, especially in terms of reliability and access to metadata.
By using the Alert Logic agent rather than mirroring traffic through a SPAN session, you gain the following benefits:
- Reliability of the agent – SPAN sessions can easily be killed when switches are rebooted
- More flexibility with populating the asset model, so asset scanning can be reduced as needed
- Access to traffic data within the Alert Logic console (via the Topology or Health pages)
- Access to new functionality as the Alert Logic agent is improved; this includes log collection and agent-based scan capability with the same installation