LogRhythm SMA Installation
System Monitor Agent Remote Collection Installation for Windows 2008+
Firewall Rules
Make sure the following ports are not blocked by any firewalls between the SysMon server and the target server:
o TCP 135
o UDP 137
o UDP 138
o TCP 139
o TCP 445
In the Windows Inbound Firewall Rules on the target server, enable the following services:
o Remote Event Log Management (RPC)
Service
Start the RPC (Remote Event Log Management) service on each individual Windows server.
Membership/Permission
The “LogRhythm System Monitor” service must run under a domain account (not the “Local System” account; e.g. logrhythm_srv). That account should be a member of the local Event Log Readers group on each remote server. The membership can be assigned manually or pushed via GPO.
Assign the System Monitor’s service account read permissions to the following two registry entries:
· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing
· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing
Note: By default, the Event Log Readers group has read permission to the above keys. If the account is added to the local Event Log Readers group, it should therefore already have read permission to the two registry keys. Ask to verify.
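The checks above (inbound rule group, services, group membership, registry read access) as one verification script to run on the target server. This is an added example, not LogRhythm tooling; it assumes Windows Server 2012+ with the NetSecurity and LocalAccounts modules, an elevated session, and a placeholder account name in $ServiceAccount.

```powershell
# Added verification script (not LogRhythm's own). Run elevated on the target server.
# Assumptions: Windows Server 2012+ (Get-NetFirewallRule, Get-LocalGroupMember available);
# $ServiceAccount is the System Monitor's domain service account (placeholder value).
$ServiceAccount = 'CONTOSO\logrhythm_srv'   # placeholder DOMAIN\account

$results = [ordered]@{}

# 1. Inbound "Remote Event Log Management" rule group (RPC, RPC-EPMAP, NP) must be enabled
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound
$results['FirewallGroupEnabled'] = @($rules | Where-Object { $_.Enabled -eq 'False' }).Count -eq 0

# 2. Services the remote event log path depends on (RPC plus the Windows Event Log service)
foreach ($svc in 'RpcSs', 'RpcEptMapper', 'EventLog') {
    $results["ServiceRunning:$svc"] = (Get-Service -Name $svc).Status -eq 'Running'
}

# 3. Service account must be a member of the local Event Log Readers group
$members = Get-LocalGroupMember -Group 'Event Log Readers' | Select-Object -ExpandProperty Name
$results['InEventLogReaders'] = $members -contains $ServiceAccount

# 4. Read access on the two Security-Auditing keys named in the procedure. An Allow ACE that
#    includes ReadKey for the account itself or for BUILTIN\Event Log Readers satisfies it.
$readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
$keys = @(
    'HKLM:\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing',
    'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing'
)
foreach ($key in $keys) {
    $ok = $false
    if (Test-Path $key) {
        $acl = Get-Acl -Path $key
        $ok = [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey) -and
            ($_.IdentityReference.Value -eq $ServiceAccount -or
             $_.IdentityReference.Value -eq 'BUILTIN\Event Log Readers')
        })
    }
    $results["RegistryRead:$key"] = $ok
}

# Report: any FAIL row is a prerequisite still missing on this server
foreach ($entry in $results.GetEnumerator()) {
    '{0,-4} {1}' -f ($(if ($entry.Value) { 'PASS' } else { 'FAIL' }), $entry.Key)
}
```

The registry check only recognises explicit ReadKey-containing ACEs (including FullControl); an ACE expressed as a generic-read bit or granted through another group will show as FAIL and needs a manual look.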
LogRhythm Cloud Web GUI
Dashboards
Alarms
Searches
Reports