You can modify basic System Monitor properties using the tabs in the System Monitor Agent Properties window.

  1. On the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Right-click the System Monitor you want to configure, and then click Properties.
  4. Configure the values according to the information in the following tables, and then click OK.

If you have the correct permissions but are unable to modify an Agent's settings, it likely has a configuration policy applied. Look at the Agent Settings tab of the properties dialog box to see if there is a policy listed under Configuration Policy. For more information, see System Monitor Configuration Policy Manager.

Agent Settings Tab

Host Agent is Installed on

  The default Host record that log messages collected by the System Monitor are assigned to. This value can be overridden at the Message Source level.

System Monitor Agent Name

  Enter a unique name for the System Monitor. The name cannot be the same as that of an existing or previously deleted System Monitor.

Configuration Policy

  Select a configuration policy to apply to the Agent.

Host OS Type

  Specify whether the Agent is installed on a Windows, Linux, Solaris, AIX, or HP-UX host. Linux Debian/Ubuntu is supported.

Heartbeat Warning Interval

  Specify a value between 1 minute and 30 days. This is the amount of time that a heartbeat signal from this Agent can be late before a Missing Heartbeat Warning event is generated. Warnings continue to be generated at this interval until a heartbeat is successfully received. The default value is one minute, or 60 seconds.

  To avoid generating unnecessary events, it is recommended that the minimum Heartbeat Warning Interval be set to CycleTime * HeartbeatInterval. You may want to add some extra time to account for network or environmental latency. For more information about these advanced Agent properties, see Modify System Monitor Advanced Properties.

Data Processor Settings Tab

Data Processors to Use

  Select and configure the Data Processors the Agent should forward logs to. Determine the order in which Data Processors are used by increasing or decreasing the priority; the first checked Data Processor in the list has the highest priority. An Agent can only connect to one Data Processor at a time, but tries the other Data Processors in priority order if the primary is unavailable. Reorder the entries to set the priority.

  For Agents that collect load balanced log sources, select all available Data Processors that are used for load balancing for that set of Agents. For example, Agents 1, 2, and 3 are load balanced and send logs to Data Processors A, B, and C, while Agents 4, 5, and 6 are load balanced and send logs to Data Processors X, Y, and Z. When configuring the System Monitor Agent Properties for Agent 2, you see all available Data Processors in the Data Processors to Use section; select Data Processors A, B, and C to prevent errors in data processing. For more information, see Load Balancing.

  You can set them in any priority order, but if all load balanced Agents do not include the same Data Processors in their configuration, the Data Processors receiving load balanced log source data from those Agents fail to process the data.

  The following warning in scmedsvr.log indicates that your load balanced log source Agents might be configured incorrectly:

  **WARNING** Invalid message source ID received from Agent <agent name> (LogSourceId=<ID number>) - no such ID exists in the LogRhythm deployment.

Use all Available NICs

  Select this option to allow the Agent to use all available NICs until it is able to connect to the Data Processor. The Agent IP/Address Index option is unavailable when this option is selected.

Agent IP/Address Index

  Specify the interface that the System Monitor uses for communications with this Data Processor. Valid values are 0-99 or an IP address. A numeric value selects a network interface card by index; 0 is the first available network interface card. An IP address value is the static IP address of the NIC to listen on. Only use an IP address when the IP never changes (no DHCP).

  For backward compatibility, Linux and UNIX-based Agents continue to accept eth0-eth99 as a valid interface name.

Agent Port

  The local Agent port the System Monitor uses to communicate with this Data Processor. The valid range is 0 to 65535.

  A value of 0 allows the Agent to auto-negotiate a random high port with the Mediator for communication between the two.
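The priority and load-balancing rules above, as an added Python example (not LogRhythm code): the Agent connects to the first reachable Data Processor in its priority list, and a check reports load balanced Agents whose Data Processor sets differ from the rest of their group. Agent and Data Processor names are constructed.

```python
# Added example modelling the "Data Processors to Use" rules; not LogRhythm code.
from typing import Dict, List, Optional, Set


def select_data_processor(priority_list: List[str], reachable: Set[str]) -> Optional[str]:
    """Return the highest-priority Data Processor the Agent can currently reach.

    The Agent connects to only one DP at a time: the first checked DP in the
    list has the highest priority and later ones are tried only if it is down.
    """
    for dp in priority_list:
        if dp in reachable:
            return dp
    return None  # no DP reachable at all


def load_balance_mismatches(agent_dps: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Find load balanced Agents whose DP set differs from the group's union.

    Every Agent in a load balanced group must list the same Data Processors
    (priority order may differ). An Agent missing a DP is reported with the DPs
    it lacks; such gaps may surface as the scmedsvr.log warning shown above.
    """
    expected = set().union(*agent_dps.values())
    return {agent: expected - set(dps) for agent, dps in agent_dps.items()
            if expected - set(dps)}


# Constructed sample group: Agents 1-3 should all use Data Processors A, B and C.
GROUP_1 = {
    "Agent 1": ["DP-A", "DP-B", "DP-C"],
    "Agent 2": ["DP-B", "DP-A", "DP-C"],   # same set, different priority: fine
    "Agent 3": ["DP-A", "DP-B"],           # DP-C missing: misconfigured
}

if __name__ == "__main__":
    # DP-A is down, so Agent 1 fails over to its next priority, DP-B.
    print(select_data_processor(GROUP_1["Agent 1"], reachable={"DP-B", "DP-C"}))
    print(load_balance_mismatches(GROUP_1))
```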

Syslog and Flow Settings Tab

When processing a syslog message, the Agent attempts to parse the time stamp embedded in the message and uses that value as the collection time (normal message date) for the log, rather than the time the Agent received the message. If no timestamp can be parsed from the syslog message, the collection time (the time the log was received on the Agent’s syslog interface) is used as the normal message date.

Enable Syslog Server

  Enables the Windows, Linux, or UNIX Agent component that receives and collects syslog data. For more information about configuring a secure syslog server, see Configure a Secure Syslog Agent.

Syslog Relay Hosts

  Each entry is an IP address that the Agent receives logs from but that is not the real source of the messages; it is a relaying device. When the Agent sees an IP address listed here, it uses the special parsing specified in the Syslog Relay Regular Expressions field to determine the true source of the traffic. The list should contain a single IP address per line.

Syslog Relay Regular Expressions

  Contains regex strings that identify and parse information from syslog data. Note the following:

  • If a syslog sending device's IP address is listed in the Syslog Relay Hosts field, these regex strings are used to find and parse out the host identifier. The host identifier can be either an IP address or a host name. If none of the regex strings in this field successfully parses out a host identifier, the IP address of the sending device is used as the host identifier.
  • This field should contain a single regex string per line.
  • The regex is case sensitive.
  • The regex is matched against the pre-processed log including the syslog header, not against the raw log after it reaches the Data Processor.
  • The following regex tags are valid within the syslog regex strings:
    • priority
    • message
    • year
    • month
    • day
    • hour
    • minute
    • seconds
    • hostidentifier

Enable Load Balancing

  Designates the Agent as one that collects logs from a load balancer. When Agents and Log Sources are marked as load balanced, all such Agents receive the configuration information for load balanced log sources.

Enable IPFIX/NetFlow/J-Flow Server

  Enables the Agent component that receives and collects IPFIX/NetFlow/J-Flow data.

Enable sFlow Server

  Enables the Agent component that receives and collects sFlow data. If it is disabled, an sFlow listener is not created.

Log sFlow Counters

  Enables or disables the logging of sFlow counter structures.
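The relay-host resolution described under Syslog Relay Hosts and Syslog Relay Regular Expressions, as an added Python example that is not LogRhythm's parser: the page's regex tags are modelled as Python named groups, so the Agent's actual tag syntax is an assumption here, and the relay list, regex strings and log lines are constructed.

```python
# Added example; not LogRhythm code. Tags such as hostidentifier are modelled as
# Python named groups (an assumption; the Agent's own tag syntax is not reproduced).
import re
from typing import Iterable, List

RELAY_HOSTS = {"10.0.0.5"}   # constructed relay device, one IP per line in the UI
RELAY_REGEXES = [            # constructed, one regex per line in the UI
    r"^<(?P<priority>\d+)>(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<hour>\d\d):(?P<minute>\d\d):(?P<seconds>\d\d) relay fwd=(?P<hostidentifier>[\w.-]+) (?P<message>.*)$",
    r"^<(?P<priority>\d+)>.* orig=(?P<hostidentifier>\d{1,3}(?:\.\d{1,3}){3}) (?P<message>.*)$",
]


def resolve_host_identifier(sender_ip: str, raw_log: str,
                            relay_hosts: Iterable[str] = RELAY_HOSTS,
                            regexes: List[str] = RELAY_REGEXES) -> str:
    """Return the host identifier the Agent would assign to this syslog message.

    Only messages from an IP in the relay list get the special parsing. The
    match is case sensitive and runs against the log including its syslog
    header. If no regex yields a hostidentifier, the sending IP is used.
    """
    if sender_ip not in relay_hosts:
        return sender_ip
    for pattern in regexes:
        m = re.match(pattern, raw_log)   # case sensitive: no re.IGNORECASE
        if m and m.groupdict().get("hostidentifier"):
            return m.group("hostidentifier")
    return sender_ip   # no regex parsed a host identifier: fall back to the sender


# Constructed sample messages as received, syslog header included.
LOG_WITH_NAME = "<34>Oct 11 22:14:15 relay fwd=fw-edge01 session closed"
LOG_WITH_IP = "<13>Oct 11 22:14:16 relay orig=192.0.2.25 user login ok"
LOG_UNMATCHED = "<13>Oct 11 22:14:17 relay something else"

if __name__ == "__main__":
    for log in (LOG_WITH_NAME, LOG_WITH_IP, LOG_UNMATCHED):
        print(resolve_host_identifier("10.0.0.5", log), "<-", log)
    print(resolve_host_identifier("10.0.0.9", LOG_WITH_NAME))  # not a relay: sender IP
```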

SNMP Trap Receiver Tab

Enable SNMP Trap Receiver

  Check this box to receive v1, v2c, and v3 SNMP traps collected from third-party network devices and systems. Default is unchecked.

Listener Settings

  Enter the IP address and port.

SNMP v1/v2c

  Enter the Community string.

SNMP v3 Authentication

  Enter the User, Password, and Confirm Password. Only one user and password is supported.

SNMP v3 Encryption

  Enter the Password and Confirm Password, and select an Algorithm (3DES, AES, DES) from the list.

Endpoint Monitoring Tab

File Integrity Monitor

Enable File Integrity Monitor

  Select this option to enable File Integrity Monitor (FIM). This option is disabled by default.

Mode

  Enable Standard or Realtime FIM.

  Standard and Realtime FIM are included with the System Monitor Lite license for desktop operating systems only. Server operating systems require System Monitor Pro or Collector. For specific operating system support, see Realtime File Integrity Monitor (FIM) Support by Operating System.

Enable Realtime Mode Anomaly Detection

  If an active FIM Policy is monitoring for Modify events, the Realtime FIM engine recomputes the hash for monitored items after every Modify.

  If Realtime Mode Anomaly Detection is enabled, the Realtime FIM engine recomputes the hash for each file once every 24 hours. If the hash value has changed since it was last computed, FIM generates a "missed" modify event (MissedModifyAnomalyEvent).

Include User Activity Monitor Data (Requires UAM)

  If enabled and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. This setting is disabled by default.

Policy Name

  When File Integrity Monitor is enabled, you must select at least one policy from the list. The field is only enabled when Enable File Integrity Monitor is selected.

  The policies are applied consecutively. Each policy selected is applied to the Agent.

Preview

  Click to open the Directories Monitored With Selected Policies window, which displays the directories or files being monitored by the selected policies.
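An added Python model (not LogRhythm code) of the two hashing paths described under Enable Realtime Mode Anomaly Detection: an observed Modify triggers an immediate re-hash, and the 24-hour sweep catches a change the engine never saw. The in-memory file contents, the ModifyEvent name and the event dictionaries are constructed; only MissedModifyAnomalyEvent comes from the page.

```python
# Added example; not LogRhythm code. Files are an in-memory stand-in (constructed).
import hashlib
from typing import Dict, List

ANOMALY_SWEEP_SECONDS = 24 * 60 * 60   # Realtime Mode Anomaly Detection re-hash period


class RealtimeFim:
    def __init__(self, files: Dict[str, bytes], anomaly_detection: bool):
        self.files = files                  # path -> current content
        self.anomaly_detection = anomaly_detection
        self.hashes = {p: self._hash(p) for p in files}   # last computed hash per file
        self.events: List[dict] = []
        self.last_sweep = 0

    def _hash(self, path: str) -> str:
        return hashlib.sha256(self.files[path]).hexdigest()

    def on_modify(self, path: str, new_content: bytes) -> None:
        """A Modify event reached the realtime engine: recompute the hash immediately."""
        self.files[path] = new_content
        self.hashes[path] = self._hash(path)
        self.events.append({"type": "ModifyEvent", "path": path, "hash": self.hashes[path]})

    def silent_write(self, path: str, new_content: bytes) -> None:
        """A change the realtime engine never saw (no Modify event was delivered)."""
        self.files[path] = new_content

    def tick(self, now: int) -> None:
        """Periodic timer: with anomaly detection on, re-hash every file once per 24 h."""
        if not self.anomaly_detection or now - self.last_sweep < ANOMALY_SWEEP_SECONDS:
            return
        self.last_sweep = now
        for path in self.files:
            current = self._hash(path)
            if current != self.hashes[path]:   # changed since last computed, no Modify seen
                self.events.append({"type": "MissedModifyAnomalyEvent", "path": path,
                                    "old_hash": self.hashes[path], "hash": current})
                self.hashes[path] = current


def demo(anomaly_detection: bool) -> List[str]:
    """Return the event types produced for one observed and one missed change."""
    fim = RealtimeFim({"/etc/hosts": b"127.0.0.1 localhost\n",
                       "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}, anomaly_detection)
    fim.on_modify("/etc/hosts", b"127.0.0.1 localhost\n10.0.0.7 build01\n")           # seen
    fim.silent_write("/etc/passwd", b"root:x:0:0:root:/root:/bin/bash\nsvc:x:1001:1001::/:/bin/sh\n")  # missed
    fim.tick(now=ANOMALY_SWEEP_SECONDS)   # first daily sweep
    return [e["type"] for e in fim.events]
```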

Registry Integrity Monitor

Enable Registry Integrity Monitor

  Check the box to enable Registry Integrity Monitor. Default is unchecked.

Policy

  The field is enabled when the Enable Registry Integrity Monitor box is selected. Select a policy from the list.

Data Loss Defender

Enable Data Loss Defender

  Select the box to enable Data Loss Defender (DLD). Default is unchecked.

Policy Name

  The field is enabled when the Enable Data Loss Defender box is checked. Select a policy from the list.

Process Monitor

Enable Process Monitor

  Check the box to enable Process Monitor. Default is unchecked.

Include User Activity Monitor Data (Requires UAM)

  If checked and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. Default is unchecked.

Network Connection Monitor

Enable Network Connection Monitor

  Check the box to enable Network Connection Monitor. Default is unchecked.

Monitor Inbound TCP Connections

  Check the box to monitor inbound TCP connections. Default is unchecked.

Monitor Outbound TCP Connections

  Check the box to monitor outbound TCP connections. Default is unchecked.

Monitor Listening TCP/UDP Sockets

  Check the box to monitor listening TCP/UDP sockets.

Include User Activity Monitor Data (Requires UAM)

  If checked and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. Default is unchecked.

User Activity Monitor

Monitor Logon Activity

  Check the box to monitor logon activity. Default is unchecked.

Monitor Network Session Activity

  Check the box to monitor network session activity. Default is unchecked.

Monitor Process Activity

  Check the box to monitor process activity. Default is unchecked.

Additional Information Tab

Brief Description

  A short description of the information.

Details

  The details of the information.

Axon Settings Tab

Enable log forwarding to Axon

  Check to allow the log source to be sent to Axon.

Base URL of Axon APIs

  Enter the Axon base API URL.

API Key

  Enter the Axon API key.

Tenant ID

  Enter the tenant (directory) ID.

Batch Size

  Enter a value between 1000 and 10000 to determine the size of each batch sent to Axon.