You can configure system monitors and remote hosts for remote log collection without the use of a domain account. This method of log collection is generally used when a remote host that requires log management is either on a separate domain or a member of a workgroup. The optimal configuration in this circumstance is to deploy an agent on the remote host and configure it to forward logs to a data processor. The following process is a suitable alternative to that configuration and uses reliable TCP-based Windows protocols for authentication and log collection.
- All LogRhythm components must be installed and configured both in the database and initialization files.
The following standard Windows NetBIOS TCP/UDP ports must be open between the server hosting the LogRhythm Agent and the remotely collected host.

| Protocol | Port |
| --- | --- |
| TCP | 135 |
| UDP | 137 |
| UDP | 138 |
| TCP | 139 |

- A valid network path must exist between the server hosting the LogRhythm Agent and the remote host.
- Create a new account on the server hosting the LogRhythm Agent.
The account needs no special privileges if it does not collect logs from domain Windows hosts.
- Set up an account on each remote host where collections originate with the same username and password as the account you created in the first step.
- This user account must be added to the local system Administrators and Event Log Readers groups for proper Windows Event Log collection.
- (Optional) If you want flat file log collection on a remote host, share the folder containing the log files. Be sure to set the permissions on the share so that only the account created for log collection is allowed to access the share.
- Under Administrative Tools on the Agent's server, open the Services panel.
- Open the Properties page for the scsm service.
- Configure the Agent to log on using the account created in the previous steps.
- Start the scsm service.
- Review the scsm.log file to ensure logs are being collected from the remote hosts.
- Review logs collected from the remote hosts to ensure they have correct data.
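
The account, share, and service steps above can be scripted and checked as follows. This is an added example, not LogRhythm tooling; the account name, folder, share name, and host name are hypothetical, and read-only share access is an assumption. The scsm logon account is still set in the Services panel as described above, which also grants the account the "Log on as a service" right.

```powershell
# Added example, not LogRhythm tooling. Run in an elevated Windows PowerShell 5.1+ session.
$Account  = 'svc-logcollect'   # hypothetical account name; use the same name on every host
$Password = Read-Host -AsSecureString "Password for $Account (identical on all hosts)"

function New-CollectionAccount {
    # Agent server and each remote host: create the matching local account.
    New-LocalUser -Name $Account -Password $Password -Description 'Remote log collection' | Out-Null
}

function Initialize-RemoteHost {
    # Remote host only: group membership required for Windows Event Log collection.
    param([string]$LogFolder, [string]$ShareName)   # optional flat file share (hypothetical values)
    New-CollectionAccount
    Add-LocalGroupMember -Group 'Administrators'    -Member $Account
    Add-LocalGroupMember -Group 'Event Log Readers' -Member $Account
    if ($LogFolder) {
        $principal = "$env:COMPUTERNAME\$Account"
        # Assumption: read-only share access is enough for flat file collection.
        New-SmbShare -Name $ShareName -Path $LogFolder -ReadAccess $principal | Out-Null
        # Return any share ACL entry that is not the collection account; expect no output.
        Get-SmbShareAccess -Name $ShareName | Where-Object { $_.AccountName -ne $principal }
    }
}

function Test-CollectionPath {
    # Agent server: check the TCP ports from the table. UDP 137/138 cannot be probed this way.
    param([Parameter(Mandatory)][string]$RemoteHost)
    foreach ($port in 135, 139) {
        $r = Test-NetConnection -ComputerName $RemoteHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $RemoteHost; Port = $port; Reachable = $r.TcpTestSucceeded }
    }
}

function Start-AgentIfConfigured {
    # Agent server: after setting the scsm logon account in the Services panel, confirm it and start.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='scsm'"
    if (($svc.StartName -split '\\')[-1] -ne $Account) {
        Write-Warning "scsm logs on as '$($svc.StartName)', expected '$Account'; not starting."
        return
    }
    Start-Service -Name scsm
}

# Remote host:  Initialize-RemoteHost -LogFolder 'D:\AppLogs' -ShareName 'AppLogs$'
# Agent server: New-CollectionAccount; Test-CollectionPath -RemoteHost 'host01.example'
#               (set the scsm logon in Services), then Start-AgentIfConfigured
```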