The Network Connection Monitor (NCM) feature of the Windows System Monitor Agent independently monitors the opening and closing of network connections on a Windows or UNIX host where a LogRhythm Agent is running and configured to do so. The Agent generates one log when a connection opens on the host (the log includes protocol, local IP address and port, remote IP address and port, open time, close time, duration, etc.) and another log when it detects that the connection has been closed. If User Activity Monitor (UAM) is enabled, the Network Connection Monitor logs also contain UAM information showing which users were connected to the host at the time the connection was opened or closed.
A LogRhythm Network Connection Monitor log message source type is automatically created for each Agent on its first connection to the Mediator. The Log Message Source Name is NetworkConnectionMonitor. It is associated with the LogRhythm Default policy, which contains all available MPE rules. For information on accessing and modifying the log source type, see Modify a Single Log Source.
A LogRhythm Default policy exists for Network Connection Monitor in the Knowledge Base file. To access the Log Processing Policy and its associated MPE Rules, see Modify Log Processing Policies.