To configure Advanced System Monitor properties

  1. On the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Right-click the System Monitor you want to configure, and then click Properties.
  4. In the lower-left corner of the System Monitor Agent Properties window, click Advanced.
     The Agent Advanced Properties window appears.
  5. Do one of the following:
    • Configure the values according to the information in the following table.
    • In the lower-left corner, click Apply Recommended Values, and then click Yes to confirm your selection.
  6. Click OK.

If you have the correct permissions but are unable to modify an Agent's settings, it likely has a configuration policy applied. Look at the Agent Settings tab of the properties dialogue box to see if there is a policy listed under Configuration Policy. For more information, see System Monitor Configuration Policy Manager.


Agent Advanced Properties

File Integrity Monitor Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| RealtimeRecordBufferLimit | 0-2147483647 | 10485760 | Maximum number of bytes the RealtimeFileMonitor can use. Set to zero to buffer until exhaustion. |
| RTFIMExcludeNestedDirectoryEvents | Enabled/Disabled | Disabled | Enable this option to filter out directory events within a monitored directory (for example, creating or deleting a directory). If this option is not enabled, RT FIM creates an event for such actions. |

General Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| Compress | 0-9 | 0 | Compression level: 0 = no compression or batching, 1 = fast compression, 9 = highest compression. |
| ConnectionTimeout | 3-7200 | 120 | Connection timeout for Agent socket connections (in seconds). |
| CycleTime | 1-86400 | 10 | Time for a single processing cycle (in seconds). If a cycle completes faster than CycleTime, the Agent sleeps for the remainder of CycleTime. |
| EventLogBuffer | 4-256 | 8 | Size of the Event Log read buffer (in KB). |
| EventLogCacheLifetime | 5-1440 | 30 | Lifetime of the event log cache (in minutes). |
| EventLogTimeout | 1-120 | 10 | Time allowed for remote systems to respond to event log read requests (in seconds). |
| FailbackDelay | 0-3600 | 60 | Number of minutes to wait before failing back to a higher priority Data Processor. 0 = no failback; 1-3600 = number of minutes to wait before failing back. |
| FlushBatch | 1-10000 | 100 | Number of logs to flush before throttling sends. |
| HeartbeatInterval | 1-60 | 6 | Number of processing cycles between heartbeats. |
| LoadBalanceDelay | 0-10080 | 4320 | Number of minutes to wait before failing back to a higher priority Data Processor in a load balancing deployment. 0 = no failback; 1-10080 = number of minutes to wait before failing back. |
| LocalLogLifetime | 1-30 | 7 | Time to keep Agent logs (in days). |
| LogLevel | Off, Error, Warning, Info, Verbose, Debug | Verbose | Sets the Agent logging level (log written to scsm.log). |
| LogSourceSearchScope | System Monitor Search, Parent Entity Search, Global Search | Parent Entity Search | Defines the scope in which Auto-Discovered Log Sources are located. |
| LogSourceVirtualizationThreadCount | 1-50 | 10 | Number of threads used to process Log Source Virtualization rules. |
| LogSourceVirtualizationTimeoutMillSec | 1-1000 | 100 | Time (in milliseconds) after which a Log Source Virtualization regular expression stops processing and creates a diagnostic error. |
| MaxLogQueueMemory | 10-8192 | 25 | Maximum amount of memory (in MB) the Agent uses for its in-memory data queue before spooling incoming syslog data to a temporary file. |
| MaxServiceMemory | 100-16384 | 512 | Maximum memory allowed for the Agent process (in MB). |
| MaxSuspenseFileSize | 1-5 | 5 | Maximum Syslog, NetFlow, and SNMP trap suspense file size (in MB). |
| ProcessPriority | Low, Below Normal, Normal, Above Normal, High | Normal | Process priority for the Agent process. |
| SocketReceiveTimeout | 1000-7200000 | 60000 | Socket receive timeout (in ms). |
| SocketSendTimeout | 1000-7200000 | 60000 | Socket send timeout (in ms). |
| TCPNodeDelay | Enabled/Disabled | Enabled | Enables or disables TCP delay to reduce protocol overhead. |
| TCPRecvBufferSize | 1-67108864 | 524288 | The size, in bytes, of the TCP receive buffer. |
| TCPReuse | Enabled/Disabled | Enabled | Enables or disables the reuse of local addresses with the SO_REUSEADDR socket option. |
| TCPSendBufferSize | 1-67108864 | 524288 | The size, in bytes, of the TCP send buffer. |
| VirtualSourceDNSResolution | Enabled/Disabled | Enabled | When enabled, the Agent attempts to resolve host names for syslog devices that send IP addresses as their identifier, and attempts to resolve IP addresses for syslog devices that send host names as their identifier. |

NetFlow Server Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| NetFlowServerNIC | | 0 | Specify the interface on which to receive IPFIX/NetFlow/J-Flow data. Valid values are eth0-99 (Linux), 0-99 (Windows), or an IP address. Numeric values determine which network interface card to use: eth0 (Linux) or 0 (Windows) is the first available network interface card. An IP address value is the static IP address of the NIC on which to receive NetFlow data. |
| NetFlowServerPort | 1-65535 | 5500 | Port on which the IPFIX/NetFlow/J-Flow server receives NetFlow packets. |
| NetFlowVerbose | Enabled/Disabled | Disabled | Create IPFIX/NetFlow/J-Flow v9 verbose log messages. NetFlow v9 data records may include many data fields that were not available in earlier NetFlow versions. Enabling NetFlowVerbose captures all these fields in the raw log, but may also significantly increase storage and network requirements. |

NetworkConnectionMonitor Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| NetworkConnectionMonitorInterval | 1-86400 | 5 | The polling interval in seconds for the Network Connection Monitor. Polling uses a snapshot approach and compares the differences between the previous and current snapshot. A process that starts and stops between polling times will not be detected, so a small interval is recommended. |

Process Monitor Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| ProcessMonitorInterval | 1-86400 | 5 | The polling interval in seconds for the Process Monitor. Polling uses a snapshot approach and compares the differences between the previous and current snapshot. A process that starts and stops between polling times will not be detected, so a small interval is recommended. |

Secure Syslog Server Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| EnforceSecureSyslogClientCertRevocation | Enabled/Disabled | Disabled | Enforce the client certificate revocation check. If this check fails, the Agent disconnects from the syslog client. |
| EnforceSecureSyslogClientCertTrust | Enabled/Disabled | Disabled | Enforce the secure syslog certificate Trusted Authority check. If this check fails, the Agent disconnects from the syslog client. |
| RequireSecureSylogClientCert | Enabled/Disabled | Disabled | Require secure syslog clients to present a client certificate when connecting. |
| SecureSyslogClientCertOCSPURL | | | The OCSP URL for client certificate revocation checking. |
| SecureSyslogPort | 1-65535 | 6514 | Secure syslog TCP port on which to listen. Default is 6514. |
| SecureSyslogServerCertLocation | | | The Windows certificate location where the Agent secure syslog server certificate is installed. Can be LocalMachine or CurrentUser. |
| SecureSyslogServerCertStore | | | The Windows certificate store where the Agent secure syslog server certificate is installed. Can be MY or ROOT. |
| SecureSyslogServerCertSubject | | | The Subject of the server certificate that the Agent should use for secure syslog (for example, CN=190.1.2.123, CN=lr-0870eds-msa, or CN=lr-0870eds-msa.secious.com). This must be the IP address specified in step 2 under the Create Certificates section above and must match what the syslog client uses in its configuration. |
| UseSecureSyslogServerCert | Enabled/Disabled | Disabled | If checked, the Agent uses the specified server certificate for server-side authentication when establishing secure syslog connections; otherwise, the Agent uses a self-generated, self-signed certificate (default). |

For more information on configuring a secure syslog server, see Configure a Secure Syslog Agent.

sFlow Server Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| sFlowExtraLogging | Enabled/Disabled | Disabled | Check to enable logging of unknown sFlow records to a local file. If disabled, the records are discarded. |
| sFlowLogDetails | Enabled/Disabled | Disabled | Check to enable logging of uninteresting sFlow counter data in a details section of the scsm.log. |
| sFlowServerNIC | | 0 | Specify the interface on which to receive sFlow data. |
| sFlowServerUDPPort | 1-65535 | 6343 | Port on which the sFlow server receives packets. |

Syslog Server Group (Windows Agents Only)

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| SyslogFile | Enabled/Disabled | Disabled | Check to enable writing syslog data to the text file specified in the SyslogFilePath property. |
| SyslogFileHistory | 1-30 | 7 | Maximum number of days to keep rotated syslog files. |
| SyslogFilePath | | See description | All syslog messages received are written to this file if the SyslogFile property is enabled. Default path: C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\syslogfile.log |
| SyslogFileRotationSize | 5-100 | 5 | Syslog file rotation size (in MB): the size at which the syslog file is rotated. |
| SyslogServerNIC | Character length max = 150 | | Specify the interface on which to receive syslog data. This is either an IP address (recommended) or the numeric value of an interface card. An IP address value is the static IP address of the NIC receiving syslog data. A numeric value (0-99) should be the number of the first available network interface card. |
| SyslogTCPPort | 1-65535 | 514 | Syslog TCP port on which to listen. For exceptions to the default, see Networking and Communication. |
| SyslogUDPPort | 1-65535 | 514 | Syslog UDP port on which to listen. For exceptions to the default, see Networking and Communication. |
| SyslogUseEnhancedTCPDelimiters | Enabled/Disabled | Disabled | Check to enable parsing TCP syslog messages using the additional delimiters '\r' and '\0'. If unchecked, only '\r\n' and the standard newline character '\n' are used. |

TCP syslog delimiter descriptions:

  • '\n' - LF, newline/linefeed, 10 in decimal; usage: standard, syslog-ng, PIX Firewall
  • '\r' - CR, carriage return, 13 in decimal
  • '\r\n' - CRLF, CR+LF, 13 10 in decimal
  • '\0' - NULL, 00 in decimal; usage: Juniper Netscreen Firewall
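
The framing behaviour that SyslogUseEnhancedTCPDelimiters selects, as an added example that is not LogRhythm's code: a small Python framer that splits a TCP syslog byte stream on the standard delimiter set ('\n', '\r\n') or on the enhanced set that also treats '\r' and '\0' as message boundaries, while coping with a CRLF pair split across two reads. The sample messages are constructed for the example.

```python
import re

# Delimiter sets described in the SyslogUseEnhancedTCPDelimiters property.
# '\r\n' is listed first so a CRLF pair is consumed as one delimiter
# instead of producing an empty frame between '\r' and '\n'.
STANDARD_DELIMS = re.compile(rb"\r\n|\n")           # setting disabled
ENHANCED_DELIMS = re.compile(rb"\r\n|\n|\r|\x00")    # setting enabled


class TcpSyslogFramer:
    """Accumulate TCP chunks and return complete syslog messages.

    Mis-framing matters for monitoring: with the standard set, a device
    that terminates messages with '\0' (or bare '\r') has its messages
    glued together into one oversized record, so the choice of delimiter
    set decides whether each device's logs arrive as separate events.
    """

    def __init__(self, enhanced: bool) -> None:
        self._pattern = ENHANCED_DELIMS if enhanced else STANDARD_DELIMS
        self._buf = b""

    def feed(self, chunk: bytes) -> list[bytes]:
        """Add received bytes; return every message completed by a delimiter."""
        self._buf += chunk
        messages: list[bytes] = []
        start = 0
        for m in self._pattern.finditer(self._buf):
            # A lone '\r' at the very end of the buffer may be the first half
            # of a CRLF whose '\n' has not arrived yet: wait for more data.
            if m.group() == b"\r" and m.end() == len(self._buf):
                break
            msg = self._buf[start:m.start()]
            if msg:  # skip empty frames produced by repeated delimiters
                messages.append(msg)
            start = m.end()
        self._buf = self._buf[start:]  # keep the incomplete tail
        return messages

    def pending(self) -> bytes:
        """Bytes received so far that are not yet terminated by a delimiter."""
        return self._buf


if __name__ == "__main__":
    # Constructed stream: CRLF-, NUL- and LF-terminated messages mixed together.
    stream = b"<34>1 h app - - - one\r\n<34>1 h app - - - two\x00<34>1 h app - - - three\n"
    for enhanced in (False, True):
        framer = TcpSyslogFramer(enhanced)
        print("enhanced" if enhanced else "standard", framer.feed(stream))
```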

TLS Certificates Group

For an example of how to use these values to utilize custom certificates for Agent to Mediator communications, see Certificate Configuration for LogRhythm Component Connections.

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| AgentTLSCertLocation | | | The Windows certificate location where the Agent client certificate is installed: LocalMachine or CurrentUser. |
| AgentTLSCertStore | | | The Windows certificate store where the Agent client certificate is installed: MY or ROOT. |
| AgentTLSCertSubject | | | The Subject of the client certificate that the Agent should use. |
| EnforceMediatorTLSCertRevocation | Enabled/Disabled | Disabled | Enforce the Mediator certificate revocation check. If this check fails, the Agent disconnects from the Mediator and logs are written to the scsm.log. |
| EnforceMediatorTLSCertTrust | Enabled/Disabled | Disabled | Enforce the Mediator certificate Trusted Authority check. If this check fails, the Agent disconnects from the Mediator and logs are written to the scsm.log. |
| MediatorTLSCertOCSPURL | | | The OCSP URL for Mediator certificate revocation checking. |
| UseAgentTLSCert | Enabled/Disabled | Disabled | If checked, the Agent uses the specified client certificate when connecting to the Mediator; otherwise, no Agent certificate is used (default). |

UAM Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| UserActivityMonitorHistory | 1-24 | 24 | The maximum number of hours to keep User Activity Monitor history. |
| UserActivityMonitorInterval | 3-86400 | 30 | The polling interval in seconds for the User Activity Monitor. |

Unidirectional Agent Group

| Property | Range | Default | Description |
| --- | --- | --- | --- |
| Enabled | True/False | False | Check to enable unidirectional Agent communications with the Data Processor. |
| HashMode | No Hash, SHA256, SHA512 | No Hash | The hash to use when sending messages from the unidirectional Agent to the Data Processor. |
| MediatorPort | 1-65535 | 40000 | The Data Processor port to use when running in unidirectional Agent mode. |