A LogRhythm System Monitor Lite Agent can be used to collect Syslog traffic. For more information, see System Monitor Functionality by License: Lite vs. Pro/Collector.

General Network Requirements for Syslog Collection

UDP and TCP port 514 must be open from the remote (sending) system to the monitoring system, with the following exception.

On UNIX systems the LogRhythm syslog server usually replaces the native syslog server. If both syslog servers must run on the same host, configure the LogRhythm Syslog Server to listen on a different port, and configure the syslog senders to send to that port rather than the default 514. For more information, see the SyslogUDPPort and SyslogTCPPort properties in the Agent Advanced Properties table.

If the Agent cannot bind to the syslog port because the native syslog server already owns it, the scsm.log contains a statement like the following (the address and port are the ones the Agent was configured to listen on):

Failed to bind to syslog TCP socket (10.1.1.164:514) - the address and/or port may already be in use.
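The bind failure above can be checked for before the Agent is started. The following is an added example, not LogRhythm code: it attempts the same kind of bind a daemon performs at start-up and reports whether the port is free, already in use, or blocked by permissions (binding a port below 1024 as an unprivileged user fails with a different error and is not a conflict). The loopback stand-in for the native syslogd, the ephemeral port it uses and the function names are constructed for this example.

```python
"""Check whether the syslog listener ports are free before starting the Agent.

Added example, not LogRhythm code. It reproduces the bind that fails when the
native syslog daemon already owns the port (the condition behind the
"Failed to bind to syslog TCP socket ... may already be in use" line in
scsm.log). Host, port and transport are parameters; 127.0.0.1 and the
ephemeral port used in the demo are constructed for the example.
"""
import errno
import socket


def bind_status(host: str, port: int, proto: str = "tcp") -> str:
    """Try to bind a fresh listener on host:port without SO_REUSEADDR, exactly as
    a daemon starting up would, and report "free", "in use" or "no permission".
    """
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    probe = socket.socket(socket.AF_INET, kind)
    try:
        probe.bind((host, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use"          # the scsm.log "may already be in use" case
        if exc.errno == errno.EACCES:
            return "no permission"   # privileged port, unprivileged user
        raise
    finally:
        probe.close()


def check_syslog_ports(host: str = "0.0.0.0", port: int = 514) -> dict:
    """Status of both transports on the port the Agent would listen on."""
    return {proto: bind_status(host, port, proto) for proto in ("tcp", "udp")}


def simulate_native_syslogd(proto: str = "tcp"):
    """Stand-in for a native syslogd: bind (and, for TCP, listen on) an ephemeral
    loopback port. Returns (socket, port); the caller closes the socket."""
    kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    daemon = socket.socket(socket.AF_INET, kind)
    daemon.bind(("127.0.0.1", 0))
    if proto == "tcp":
        daemon.listen(5)
    return daemon, daemon.getsockname()[1]


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        daemon, port = simulate_native_syslogd(proto)
        print(f"{proto}/{port} while the native syslogd holds it:",
              bind_status("127.0.0.1", port, proto))
        daemon.close()
        print(f"{proto}/{port} after it stops:",
              bind_status("127.0.0.1", port, proto))
    print("port 514 on this host:", check_syslog_ports())
```

Run it on the host that will run the Agent; an "in use" result for 514 on either transport means either stop the native syslog server or move the Agent to another port via SyslogTCPPort / SyslogUDPPort, and a "no permission" result means the Agent needs to run with sufficient privilege for the port.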

Use TCP Delimiters in Syslog Collection

LogRhythm uses the standard newline character - '\n' - to parse TCP syslog messages. If you need to support the '\r\n', '\r', or '\0' delimiters, you must enable SyslogUseEnhancedTCPDelimiters in the Agent Advanced Properties. For more information, see the Agent Advanced Properties table.

TCP syslog delimiter descriptions:

  • '\n' (LF, newline/linefeed, decimal 10): the standard delimiter; used by syslog-ng and the Cisco PIX Firewall
  • '\r' (CR, carriage return, decimal 13)
  • '\r\n' (CRLF, CR+LF, decimal 13 10)
  • '\0' (NUL, decimal 0): used by the Juniper NetScreen Firewall
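The following added example (not LogRhythm code) frames a TCP syslog byte stream in both modes, so the effect of the setting is visible: in standard mode a CRLF sender leaves a trailing '\r' on every message and a NUL-terminated NetScreen message is never terminated at all (it stays in the buffer and gets glued to whatever arrives next), while enhanced mode frames all four correctly. It also feeds the stream one byte at a time to show that a '\r\n' pair split across two TCP segments still yields one message. The sample stream and the class and function names are constructed for this example.

```python
"""Frame a TCP syslog byte stream into messages with the Agent's two delimiter modes.

Added example, not LogRhythm code. Standard mode terminates a message only on
'\n'; enhanced mode (what SyslogUseEnhancedTCPDelimiters enables) also accepts
'\r\n', '\r' and '\0'. The sample stream below is constructed for the example.
"""

STANDARD_DELIMITERS = (b"\n",)
# Longest first so that "\r\n" is taken as one terminator rather than "\r" then "\n".
ENHANCED_DELIMITERS = (b"\r\n", b"\r", b"\n", b"\x00")

# Four senders, each using a different terminator (constructed sample data).
SAMPLE_STREAM = (
    b"<134>Oct 11 22:14:15 fw1 msg one\n"       # LF: syslog-ng, Cisco PIX
    b"<134>Oct 11 22:14:16 fw2 msg two\r\n"     # CRLF
    b"<134>Oct 11 22:14:17 fw3 msg three\r"     # CR
    b"<134>Oct 11 22:14:18 ns1 msg four\x00"    # NUL: Juniper NetScreen
)


class SyslogTcpFramer:
    """Incremental framer: feed() TCP segments as they arrive, get complete messages back."""

    def __init__(self, enhanced: bool = False):
        self.delimiters = ENHANCED_DELIMITERS if enhanced else STANDARD_DELIMITERS
        self.buffer = b""

    def feed(self, data: bytes) -> list:
        self.buffer += data
        messages = []
        while True:
            hit = self._earliest_delimiter()
            if hit is None:
                break  # incomplete message stays buffered until the next segment
            start, end = hit
            message, self.buffer = self.buffer[:start], self.buffer[end:]
            # An empty frame happens when a CRLF pair is split across segments:
            # the "\r" already terminated the message, the "\n" that follows is noise.
            if message:
                messages.append(message)
        return messages

    def _earliest_delimiter(self):
        """(start, end) of the first terminator in the buffer, or None.
        On a tie the delimiter listed first wins, which is why CRLF is listed first."""
        best = None
        for delim in self.delimiters:
            index = self.buffer.find(delim)
            if index != -1 and (best is None or index < best[0]):
                best = (index, index + len(delim))
        return best


def frame_stream(data: bytes, enhanced: bool, chunk: int = 0):
    """Run a whole stream through a framer, optionally in `chunk`-byte segments to
    mimic TCP splitting messages and delimiters across reads.
    Returns (messages, unframed leftover bytes)."""
    framer = SyslogTcpFramer(enhanced)
    messages = []
    step = chunk or max(len(data), 1)
    for offset in range(0, len(data), step):
        messages.extend(framer.feed(data[offset:offset + step]))
    return messages, framer.buffer


if __name__ == "__main__":
    for enhanced in (False, True):
        messages, leftover = frame_stream(SAMPLE_STREAM, enhanced)
        print("enhanced" if enhanced else "standard", "mode:")
        for message in messages:
            print("  message:", message)
        print("  unframed leftover:", leftover)
```

The leftover bytes in standard mode are the practical symptom to look for: a device whose messages never appear, or appear merged with the next device's message, is usually sending a terminator the Agent is not configured to recognise.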

Timestamp Parsing on Windows

The Windows System Monitor parses the timestamp from Syslog messages and uses it as the collection time (normal message date) rather than using the Syslog receive time.

If no timestamp can be parsed from the message, the Syslog receive time (the time when the log was received on the Agent’s Syslog interface) is used as the normal message date.

The Windows System Monitor supports full timestamp parsing, including the following fields:

  • Month
  • Day
  • Year
  • Hour
  • Minute
  • Second
  • Millisecond
  • AM/PM
  • Time zone
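The rule above, parsed timestamp first and receive time as the fallback, is shown in the following added example, which is not LogRhythm code and does not reproduce the Agent's actual format list. It parses three timestamp shapes chosen to exercise the fields listed (an RFC 5424 ISO 8601 stamp with milliseconds and zone, the RFC 3164 BSD "Mon DD HH:MM:SS" stamp that carries neither year nor zone, and a US-style "M/D/YYYY H:MM:SS AM/PM" stamp) and falls back to the receive time when nothing matches. The handling of the missing year and zone is an assumption of this example: the receiver's zone is used, and a December message that arrives in early January is assigned to the previous year. The sample messages and the function name are constructed.

```python
"""Choose the normal message date for a syslog message: the timestamp parsed
from the message when one is present, otherwise the Agent's receive time.

Added example, not LogRhythm code. The three formats below are assumptions
chosen to exercise the fields the page lists; the sample messages are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# "<PRI>" plus the optional RFC 5424 version number that precedes the timestamp.
_PRI = re.compile(r"^<\d{1,3}>(?:\d+ )?")
_ISO = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d{3})?)(Z|[+-]\d{2}:\d{2})")
_BSD = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}):(\d{2}):(\d{2})")
_AMPM = re.compile(r"^(\d{1,2})/(\d{1,2})/(\d{4}) (\d{1,2}):(\d{2}):(\d{2}) (AM|PM)")
_MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")


def message_time(raw, receive_time: datetime):
    """Return (normal message date, source); source is "message" or "receive".

    receive_time must be timezone-aware. Formats without a zone (BSD, AM/PM)
    are assumed to be in the receiver's zone, and the year missing from a
    BSD stamp is taken from the receive time (assumptions of this example).
    """
    text = raw.decode("utf-8", "replace") if isinstance(raw, bytes) else raw
    text = _PRI.sub("", text, count=1)

    m = _ISO.match(text)
    if m:  # full stamp: year, month, day, time, milliseconds and zone
        zone = "+00:00" if m.group(2) == "Z" else m.group(2)
        return datetime.fromisoformat(m.group(1) + zone), "message"

    m = _BSD.match(text)
    if m and m.group(1) in _MONTHS:
        try:
            stamp = receive_time.replace(
                month=_MONTHS.index(m.group(1)) + 1, day=int(m.group(2)),
                hour=int(m.group(3)), minute=int(m.group(4)),
                second=int(m.group(5)), microsecond=0)
            # A December message received in early January belongs to last year.
            if stamp - receive_time > timedelta(days=1):
                stamp = stamp.replace(year=stamp.year - 1)
        except ValueError:  # e.g. "Feb 30": not a usable timestamp
            return receive_time, "receive"
        return stamp, "message"

    m = _AMPM.match(text)
    if m:
        month, day, year, hour, minute, second, meridian = m.groups()
        hour24 = int(hour) % 12 + (12 if meridian == "PM" else 0)
        try:
            stamp = datetime(int(year), int(month), int(day), hour24,
                             int(minute), int(second), tzinfo=receive_time.tzinfo)
        except ValueError:
            return receive_time, "receive"
        return stamp, "message"

    return receive_time, "receive"  # nothing parsable: use the receive time


if __name__ == "__main__":
    received = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed
    for sample in (
        b"<34>1 2023-12-31T23:59:58.123+01:00 fw1 app - - - link up",
        b"<34>Dec 31 23:59:58 fw1 app: link up",
        b"<34>1/2/2024 3:04:05 PM fw1 link up",
        b"<34>fw1 app: no timestamp at all",
    ):
        stamp, source = message_time(sample, received)
        print(f"{source:8} {stamp.isoformat()}  <- {sample.decode()}")
```

When the normal message date comes from the message, a device with a wrong clock or an unexpected zone will place its events at the wrong point on the timeline, so the source of each date is worth keeping alongside it when investigating ordering problems.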