To configure Advanced System Monitor properties
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Right-click the System Monitor you want to configure, and then click Properties.
- In the lower-left corner of the System Monitor Agent Properties window, click Advanced.
The Agent Advanced Properties window appears.
- Do one of the following:
- Configure the values according to the information in the following table.
- In the lower-left corner, click Apply Recommended Values, and then click Yes to confirm your selection.
- Click OK.
If you have the correct permissions but are unable to modify an Agent's settings, it likely has a configuration policy applied. Look at the Agent Settings tab of the properties dialogue box to see if there is a policy listed under Configuration Policy. For more information, see System Monitor Configuration Policy Manager.
|Agent Advanced Properties||Range||Default||Description|
|File Integrity Monitor Group|
|RealtimeRecordBufferLimit||0-2147483647||10485760||Maximum number of bytes the RealtimeFileMonitor can use. Set to zero to buffer until exhaustion.|
|RTFIMExcludeNestedDirectoryEvents||Enabled/Disabled||Disabled||Enable this option to filter out directory events within a monitored directory (for example, creating or deleting a directory). If this option is not enabled, RT FIM creates an event for such actions.|
Compression level, range 0-9:
0=no compression or batching,
|ConnectionTimeout||3-7200||120||Connection timeout for Agent socket connections (in seconds).|
|CycleTime||1-86400||10||Time for a single processing cycle (in seconds). If a cycle time is completed faster than CycleTime, the Agent sleeps for the remainder of CycleTime.|
|EventLogBuffer||4-256||8||Size of the Event Log read buffer (in KB).|
|EventLogCacheLifetime||5-1440||30||Lifetime of the event log cache (in minutes).|
|EventLogTimeout||1-120||10||Time allowed for remote systems to respond to event log read requests (in seconds).|
|FailbackDelay||0-3600||60||The number of minutes to wait before failing back to a higher priority Data Processor, range 0-3600; 0=no failback; 1-3600=number of minutes to wait before failing back to a higher priority Data Processor.|
Set the number of logs to flush before throttling sends.
|HeartbeatInterval||1-60||6||Number of processing cycles between heartbeats.|
|LoadBalanceDelay||0-10080||4320||The number of minutes to wait before failing back to a higher priority Data Processor when in a load balancing deployment. Range 0-10080. 0=No failback; 1-10080=number of minutes to wait before failing back to a higher priority Data Processor.|
|LocalLogLifetime||1-30||7||Time to keep Agent logs (in days).|
|LogLevel||Off, Error, Warning, Info, Verbose, Debug||Verbose||Sets the Agent logging level (log written to scsm.log).|
|LogSourceSearchScope||System Monitor Search, Parent Entity Search, Global Search||Parent Entity Search||Defines the scope in which Auto-Discovered Log Sources are located.|
|LogSourceVirtualizationThreadCount||1-50||10||Number of threads to process Log Source Virtualization rules.|
|LogSourceVirtualizationTimeoutMillSec||1-1000||100||Time (in milliseconds) after which a Log Source Virtualization regular expression stops processing and creates a diagnostic error.|
|MaxLogQueueMemory||10-8192||25||Maximum amount of memory the Agent uses for its in memory data queue before spooling incoming syslog data to a temporary file (in MB).|
|MaxServiceMemory||100-16384||512||Maximum memory allowed for the Agent process (in MB).|
|MaxSuspenseFileSize||1-5||5||Maximum Syslog, NetFlow, and SNMP trap suspense file size (in MB).|
Above Normal, High
|Normal||Process priority for the Agent process.|
|SocketReceiveTimeout||1000-7200000||60000||Socket receive timeout (in ms).|
|SocketSendTimeout||1000-7200000||60000||Socket send timeout (in ms).|
|TCPNodeDelay||Enabled/Disabled||Enabled||Enables or disables TCP delay to reduce protocol overhead.|
|TCPRecvBufferSize||1-67108864||524288||The size, in bytes, of the TCP receive buffer.|
|TCPReuse||Enabled/Disabled||Enabled||Enables or disables the reuse of local addresses with the SO_REUSEADDR protocol.|
|TCPSendBufferSize||1-67108864||524288||The size, in bytes, of the TCP send buffer.|
|VirtualSourceDNSResolution||Enabled/Disabled||Enabled||When enabled, the Agent attempts to resolve host names for syslog devices that send IP addresses as the identifier and attempt to resolve IP addresses for syslog sending devices that send host names as their identifier.|
|NetFlow Server Group|
|NetFlowServerNIC||0||Specify the interface to receive IPFIX/NetFlow/J-Flow data. Valid values are eth0-99 (Linux), 0-99 (Windows), or an IP address. Numeric values determine which network interface card to use - a value of eth0 (Linux) or 0 (Windows) is the first available network interface card. An IP address value is the static IP address of the NIC to receive NetFlow data on.|
|NetFlowServerPort||1-65535||5500||Port on which the IPFIX/NetFlow/J-Flow server receives NetFlow packets.|
|NetFlowVerbose||Enabled/Disabled||Disabled||Create IPFIX/NetFlow/J-Flow v9 verbose log messages. NetFlow v9 data records may include many data fields that were not available in earlier NetFlow versions. Enabling NetFlowVerbose captures all these fields in the raw log, but may also significantly increase storage and network requirements.|
|NetworkConnectionMonitorInterval||1-86400||5||The polling interval in seconds for the Network Connection Monitor. The polling interval uses a snapshot approach and compares the differences between the previous and current snapshot. A process that starts and stops between polling times will not be detected, so a small interval is recommended.|
|Process Monitor Group|
|ProcessMonitorInterval||1-86400||5||The polling interval in seconds for the Process Monitor. The polling interval uses a snapshot approach and compares the differences between the previous and current snapshot. A process that starts and stops between polling times will not be detected, so a small interval is recommended.|
|Secure Syslog Server Group|
|EnforceSecureSyslogClientCertRevocation||Enabled/Disabled||Disabled||Enforce Agent Certificate Revocation Check. If this fails, the Agent disconnects from the syslog client.|
|EnforceSecureSyslogClientCertTrust||Enabled/Disabled||Disabled||Enforce secure syslog certificate Trusted Authority Check. If this fails, the Agent disconnects from the syslog client.|
|RequireSecureSylogClientCert||Enabled/Disabled||Disabled||Require secure syslog clients to present a client certificate when connecting.|
|SecureSyslogClientCertOCSPURL||The OCSP URL for Agent certificate revocation checking.|
|SecureSyslogPort||1-65535||6514||Secure syslog TCP port to listen on. Default is 6514.|
|SecureSyslogServerCertLocation||The Windows certificate location where the Agent secure syslog server certificate is installed. Can be LocalMachine or CurrentUser.|
|SecureSyslogServerCertStore||The Windows certificate store where the Agent secure syslog server certificate is installed--can be MY or ROOT.|
|SecureSyslogServerCertSubject||The Subject of the server certificate that the Agent should use for secure syslog (e.g., CN=188.8.131.52 or CN=lr-0870eds-msa or CN=lr-0870eds-msa.secious.com). This must be the IP address specified in step 2 under the Create Certificates section above and must match what the syslog client uses in the configuration.|
|UseSecureSyslogServerCert||Enabled/Disabled||Disabled||If checked, the Agent uses the specified server certificate for server-side authentication during the establishment of secure syslog connections; otherwise, the Agent will use a self-generated/signed certificate (default).|
|For more information on configuring a secure syslog server, see Configure a Secure Syslog Agent.|
|sFlow Server Group|
|sFlowExtraLogging||Enabled/Disabled||Disabled||Check to enable logging of unknown sFlow records to a local file. If disabled, the records are discarded.|
|sFlowLogDetails||Enabled/Disabled||Disabled||Check to enable logging of uninteresting sFlow counter data in a details section of the scsm.log.|
|sFlowServerNIC||0||Specify the interface to receive sFlow data.|
|sFlowServerUDPPort||1-65535||6343||Port on which the sFlow server receives packets.|
|Syslog Server Group (Windows Agents Only)|
|Check to enable writing syslog data to the text file specified in the SyslogFilePath property.|
|SyslogFileHistory||1-30||7||Maximum number of days to keep rotated syslog files.|
|SyslogFilePath||See descrip-tion||All syslog messages received are written to this file if the SyslogFile property is enabled. Default path is: C:\Program Files\LogRhythm\LogRhythm System Monitor\logs\syslogfile.log|
|SyslogFileRotationSize||5-100||5||Syslog file rotation size (in MB). The size at which the syslog file is rotated.|
|SyslogServerNIC||Character length max = 15||0|
Specify the interface to receive syslog data. This is either an IP address (recommended) or a numeric value of an interface card.
An IP address value is the static IP address of the NIC where syslog is receiving data. A numeric value (0 – 99) should be the number of the first available network interface card.
|SyslogTCPPort||1-65535||514||Syslog TCP port on which to listen. For exceptions to the default, see Networking and Communication.|
|SyslogUDPPort||1-65535||514||Syslog UDP port on which to listen. For exceptions to the default, see Networking and Communication.|
Check to enable parsing TCP syslog messages using additional delimiters: '\r' and '\0'. If unchecked, only '\r\n' and the standard newline character '\n' is used.
TCP syslog delimiter descriptions:
'\n' - LF, Newline/Linefeed, 10 in decimal, usage = standard, syslogng, PIX Firewall
'\r' - CR, Carriage return, 13 in decimal
‘\r\n’ - CRLF, CR+LF, 13 10 in decimal
'\0' - NULL, 00 in decimal, usage = Juniper Netscreen Firewall
|TLS Certificates Group|
For an example of how to use these values to utilize custom certificates for Agent to Mediator communications, see Certificate Configuration for LogRhythm Component Connections.
|AgentTLSCertLocation||The location of the Windows certificate where the Agent client certificate is installed: LocalMachine or Current User.|
|AgentTLSCertStore||The Windows certificate store where the Agent client certificate is installed: MY or ROOT.|
|AgentTLSCertSubject||The Subject of the client certificate that the Agent should use.|
|EnforceMediatorTLSCertRevocation||Enabled/Disabled||Disabled||Enforce Mediator Certificate Revocation Check. If this fails, the Agent will disconnect from the Mediator and logs will be written to the scsm.log.|
|EnforceMediatorTLSCertTrust||Enabled/Disabled||Disabled||Enforce Mediator Certificate Trusted Authority Check. If this fails, the Agent disconnects the Mediator and logs are written to the scsm.log.|
|MediatorTLSCertOCSPURL||The OCSP URL for Mediator certificate revocation checking.|
|UseAgentTLSCert||Enabled/Disabled||Disabled||If checked, the Agent will use the specified client when connecting to the Mediator; otherwise, no Agent certificate will be used (default).|
|UserActivityMonitorHistory||1-24||24||The maximum number of hours to keep User Activity Monitor history.|
|UserActivityMonitorInterval||3-86400||30||The polling interval in seconds for the User Activity Monitor|
|Unidirectional Agent Group|
|Enabled||True/False||False||Check to enable unidirectional Agent communications with the Data Processor|
No Hash, SHA256, SHA512
|No Hash||The hash to use when sending messages from the unidirectional Agent to the Data Processor.|
Specifies the Data Processor port to use when running in unidirectional Agent mode.