
Least Privileged User: SysMon, Linux, Unix

Purpose

Although similar in function to the Windows Agent, the *nix Agents require different permissions because of the differences in operating systems. All *nix Agents share the same privilege footprint.

UNIX Agents can run under any user context unless syslog monitoring is enabled. Syslog on UNIX defaults to port 514, a privileged port (below 1024), so binding to it requires root access.

Shared Resource

All *nix Agents require full control of their own installation directories.

Registry Access

N/A

Database Access

No Agent communicates directly with a LogRhythm database.

Ports

*nix Agents communicate on the same ports as Windows Agents. However, syslog data collection requires access to port 514.

Other Resources

*nix Agents have a different set of third-party integrations than normal Windows Agents.

| Log Collection Interface | Permissions |
|---|---|
| Flat File Log Collection | Read permissions to target directories/files |
| Integrated UDP Syslog Server | Port only |
| Integrated TCP Syslog Server | Port only |
| System Performance Monitoring | Local system access |
| File Integrity Monitoring | Read permissions to target directories/files |
| Realtime File Integrity Monitoring | Read permissions to target directories/files |
| Process Monitor | Local system access |
| Network Connection Monitor | Local system access |

If Registry Integrity Monitoring is enabled, additional permissions will be required (see the Other Resources item later in this section).
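The requirements above (full control of the installation directory, read access to collection targets, and root only where the 514 syslog port forces it) can be checked on the agent host. The script below is an added example, not part of LogRhythm's agent or documentation: the service account name, installation path and binary path are placeholders, and the capability check assumes a Linux host with the libcap `getcap` tool. It also shows the least-privilege alternative to running the whole agent as root on Linux, granting only `CAP_NET_BIND_SERVICE` to the binary; whether the vendor supports that for this agent is an assumption you must confirm.

```shell
#!/bin/sh
# Added example (not LogRhythm code): audit a *nix System Monitor Agent host
# against the privilege footprint described on this page.
# All values below are placeholders; set them for your deployment.
AGENT_USER="${AGENT_USER:-lrsysmon}"                 # assumed service account
INSTALL_DIR="${INSTALL_DIR:-/opt/logrhythm/scsm}"    # assumed install path
AGENT_BIN="${AGENT_BIN:-$INSTALL_DIR/bin/scsm}"      # assumed agent binary
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# Ports 1-1023 are privileged on Linux/Unix: a process must be root (or, on
# Linux, hold CAP_NET_BIND_SERVICE) to bind them. Returns 0 when privileged.
port_requires_root() {
  [ "$1" -ge 1 ] && [ "$1" -lt 1024 ]
}

# Linux only: report whether the binary already carries cap_net_bind_service
# (granted with: setcap cap_net_bind_service=+ep "$AGENT_BIN"), which lets a
# non-root agent bind 514 without running the whole process as root.
# Prints "capability", "none", or "unknown" (getcap not installed).
syslog_bind_method() {
  command -v getcap >/dev/null 2>&1 || { echo unknown; return 0; }
  if getcap "$1" 2>/dev/null | grep -q cap_net_bind_service; then
    echo capability
  else
    echo none
  fi
}

# "Full control" of the installation directory: owned by the agent user with
# owner rwx. Uses ls rather than stat so it behaves the same on Linux and BSD.
# Prints "ok" or the reason it failed; returns 1 on failure.
check_install_dir() {
  dir="$1"; user="$2"
  [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
  owner=$(ls -ld "$dir" | awk '{ print $3 }')
  [ "$owner" = "$user" ] || { echo "owner is $owner, expected $user"; return 1; }
  perms=$(ls -ld "$dir" | cut -c2-4)
  [ "$perms" = "rwx" ] || { echo "owner permissions are $perms, expected rwx"; return 1; }
  echo ok
}

# Flat-file collection and FIM only need read access to their targets. Run this
# as the agent account (e.g. su - "$AGENT_USER" -s /bin/sh -c '...') so the
# result reflects that account rather than root. Prints each unreadable path;
# returns 1 if any path is unreadable.
check_readable() {
  rc=0
  for path in "$@"; do
    [ -r "$path" ] || { echo "unreadable: $path"; rc=1; }
  done
  return $rc
}

# Full audit: sh audit.sh --audit /var/log/auth.log /var/log/syslog
if [ "${1:-}" = "--audit" ]; then
  shift
  echo "install dir: $(check_install_dir "$INSTALL_DIR" "$AGENT_USER")"
  if port_requires_root "$SYSLOG_PORT"; then
    echo "syslog port $SYSLOG_PORT is privileged; bind method: $(syslog_bind_method "$AGENT_BIN")"
  else
    echo "syslog port $SYSLOG_PORT is unprivileged; no root needed to bind it"
  fi
  check_readable "$@" && echo "all collection targets readable"
fi
```

If syslog collection is not enabled, the port check is moot and the agent should run entirely as the unprivileged account; if it is enabled, prefer a capability or a listener on a port above 1023 over a root-owned process wherever the deployment allows it.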

Database Access

An Agent does not require any access to any LogRhythm database. All database communications are handled by the associated Data Processor Mediator service.

Ports

Windows Agent ports can be configured in the Deployment Manager.

  1. Click the System Monitors tab.
  2. Select and right-click the specific Agent, and then click Properties.

    Ports can be found in the Advanced settings, the Data Processor Settings, or the SNMP Trap Receiver tabs.

| Port | Default Port | Inbound/Outbound | Purpose |
|---|---|---|---|
| Agent Port | 3333 | Outbound to Mediator | Port used to send logs to the Mediator |
| MediatorPort* | 40000 | Outbound to Mediator | Data Processor communication port in unidirectional mode (if configured) |
| NetflowServerPort* | 5500 | Inbound from IPFIX/NetFlow/J-Flow | Receiver for IPFIX/NetFlow/J-Flow packets |
| SFlowServerUDPPort | 6343 | Inbound | Receiver for NetFlow UDP packets (if configured) |
| SecureSyslogPort* | 6514 | Inbound from remote sources | Receiver for secure syslog TCP communications (if configured) |
| SyslogTCPPort* | 514 | Inbound | Receiver for non-secure syslog TCP packets (if configured) |
| SyslogUDPPort* | 514 | Inbound | Receiver for non-secure syslog UDP packets (if configured) |
| SNMP Trap* | 161 | Inbound | Receiver for SNMP logs (if configured) |
| Remote Windows Events* | 135, 137, 138, 139, 445 | Bidirectional | Remote Windows Host Event Log collection (if configured) |
| UDLA* | Varies by vendor (1433 for SQL Server) | Bidirectional | Database query port (varies by database type) |
| Check Point Firewall* | 18184 | Bidirectional | Log collection from Check Point firewalls |
| Cisco IDS* | 443 | Bidirectional | Log collection from Cisco IDS |
| Nessus* | 8843 | Bidirectional | Log collection from Nessus servers |
| Qualys* | 443 | Bidirectional | Log collection from Qualys servers |
| Metasploit* | 3790 | Bidirectional | Log collection from Metasploit |
| Nexpose* | 3780 | Bidirectional | Log collection from NeXpose |
| Retina* | 1433 | Bidirectional | Log collection from Retina |
| eStreamer* | 4444 | Bidirectional | Log collection from eStreamer |
| IP360 | 443 | Bidirectional | Log collection from IP360 |

\* Applies only if the port is configured.
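The inbound rows of the table define what a collector host should be listening on; anything else listening on the host is either unneeded attack surface or a sign of misconfiguration. The script below is an added example, not LogRhythm's own tooling: it parses `ss -lntuH`-style output into proto/port pairs and reports listeners that are not on an expected list. The expected list (the *nix-applicable inbound ports from the table plus SSH for administration) and the sample `ss` output are constructed for the example; trim the list to the listeners you actually configure.

```shell
#!/bin/sh
# Added example (not LogRhythm code): compare a host's listening sockets with
# the inbound ports a *nix System Monitor Agent is expected to use.

# Expected listeners, as proto/port. Constructed from the table above: syslog
# 514 TCP/UDP, secure syslog 6514, NetFlow/IPFIX 5500, sFlow 6343, SNMP trap
# 161 (as listed on this page), plus SSH. Remove any you do not configure.
EXPECTED_LISTENERS="tcp/514 udp/514 tcp/6514 udp/5500 udp/6343 udp/161 tcp/22"

# Parse `ss -lntuH`-style lines on stdin (Netid State Recv-Q Send-Q Local Peer)
# into proto/port, one per line. The port is the text after the last colon, so
# IPv6 forms such as [::]:22 parse the same as 0.0.0.0:22.
listening_ports() {
  awk '$5 != "" { n = split($5, a, ":"); print $1 "/" a[n] }'
}

# Read proto/port lines on stdin and print those absent from the expected list
# given as $1. Returns 1 if any unexpected listener was found, else 0.
unexpected_listeners() {
  expected=" $1 "
  found=0
  while IFS= read -r entry; do
    case "$expected" in
      *" $entry "*) ;;
      *) echo "$entry"; found=1 ;;
    esac
  done
  return $found
}

# Constructed sample of `ss -lntuH` output (not captured from a real host):
# the configured syslog listeners, SSH, and one listener nobody asked for.
SS_SAMPLE='udp   UNCONN 0      0      0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:514       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6514      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
tcp   LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*'

# Audit the constructed sample; prints "tcp/8080" and returns 1.
audit_sample_listeners() {
  printf '%s\n' "$SS_SAMPLE" | listening_ports | sort -u \
    | unexpected_listeners "$EXPECTED_LISTENERS"
}

# Audit the live host (Linux with iproute2): same pipeline, real input.
audit_live_listeners() {
  ss -lntuH | listening_ports | sort -u | unexpected_listeners "$EXPECTED_LISTENERS"
}
```

Run `audit_live_listeners` from a cron job or a configuration-management check and alert on a non-zero exit; because the expected list is a plain string, per-host overrides are a one-line change.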

Other Resources

The Agents can connect to and/or read from a variety of third-party log sources. Depending on the log source, additional security permissions may be required for the Agent’s user context, or on the third-party system.

| Log Collection Interface | Permissions |
|---|---|
| Flat File Log Collection | Read permissions to target directories/files |
| Windows Event Log Collection | Agent account must be a member of Event Log Readers on the target system AND Windows Firewall rules must be enabled for: Remote Event Log Management (NP-In), Remote Event Log Management (RPC), Remote Event Log Management (RPC-EPMAP) |
| Remote Windows Event Log Collection | Same as above, only on the target remote machine |
| Integrated UDP Syslog Server | Port only |
| Integrated TCP Syslog Server | Port only |
| Integrated Secure Syslog Server | Port only |
| Integrated NetFlow/J-Flow Server | Port only |
| Integrated IPFIX Server | Port only |
| Integrated sFlow Server | Port only |
| Integrated SNMP Trap Receiver | Port only |
| Remote Checkpoint Firewall Log Collection (via LEA) | Checkpoint API permissions |
| Remote Cisco IDS Log Collection (via SDEE) | SDEE API permissions |
| Remote Database Log Collection (UDLA) | A database account with read permissions to target tables |
| System Performance Monitoring | Account must be a member of the Performance Log Users, Performance Monitor Users, and Event Log Readers groups |
| Data Loss Defender | Agent account needs device control (ioctl) on the local system |
| File Integrity Monitoring | Read permissions to target directories/files |
| Real Time File Integrity Monitoring | Read permissions to target directories/files |
| Realtime Registry Integrity Monitoring | Read permissions for target registry keys |
| User Activity Monitoring | Read permissions for registry keys related to users |
| Process Monitor | Local system access |
| Network Connection Monitor | Local system access |
| Qualys Integration | Qualys API permissions |
| Nessus Integration | Nessus API permissions |
| NeXpose Integration | NeXpose API permissions |
| Metasploit Integration | Metasploit API permissions |
| Retina Integration | Retina API permissions |
| eStreamer Integration | eStreamer API permissions |
| IP360 | IP360 API permissions |

SmartResponse plug-ins are executed from either the ARM or the Windows Agent. In both cases, the SmartResponse runs under the context of the ARM service account. These plug-ins may include privilege escalation, impersonation, or alternate logins. Carefully review the SmartResponse actions you use to determine whether any extra privileges are required, or exposed, by the SmartResponse.
