Modify System Monitor Basic Properties
You can modify basic System Monitor properties using the tabs in the System Monitor Agent Properties window.
- On the main toolbar, click Deployment Manager.
- Click the System Monitors tab.
- Right-click the System Monitor you want to configure, and then click Properties.
- Configure the values according to the information in the following table, and then click OK.
If you have the correct permissions but are unable to modify an Agent's settings, it likely has a configuration policy applied. Look at the Agent Settings tab of the properties dialogue box to see if there is a policy listed under Configuration Policy. For more information, see System Monitor Configuration Policy Manager.
Agent Settings Tab
Property | Agent Settings Tab Description |
---|---|
Host Agent is Installed on | The default Host record log messages collected by the System Monitor should be assigned to. This value can be overridden at the Message Source level. |
System Monitor Agent Name | Enter a unique name for the System Monitor. The name cannot be the same as that of an existing or previously deleted System Monitor. |
Configuration Policy | Select a configuration policy to apply to the agent. |
Host OS Type | Specify whether the agent is installed on a Windows, Linux, Solaris, AIX, or HP-UX host. Linux Debian/Ubuntu is supported. |
Heartbeat Warning Interval | Specify a value between 1 minute and 30 days. This is the amount of time that a heartbeat signal from this Agent can be late before a Missing Heartbeat Warning event is generated. Warnings continue to be generated at this interval until a heartbeat is successfully received. The default value is one minute, or 60 seconds. To avoid generating unnecessary events, it is recommended that the minimum Heartbeat Warning Interval be set to CycleTime * HeartbeatInterval. You may want to add some extra time to account for network or environmental latency. For more information about these advanced Agent properties, see Modify System Monitor Advanced Properties. |
Data Processor Settings Tab
Property | Data Processor Settings Tab Description |
---|---|
Data Processors to Use | Select and configure the Data Processors the agent should forward logs to. Determine the order in which Data Processors are used by increasing or decreasing the priority; the first checked Data Processor in the list has the highest priority. An Agent can only connect to one Data Processor at a time, but tries the other Data Processors if the primary is unavailable. For Agents that collect load balanced log sources, select all available Data Processors that are used for load balancing for that set of Agents. For example, Agents 1, 2, and 3 are load balanced and send logs to Data Processors A, B, and C; Agents 4, 5, and 6 are load balanced and send logs to Data Processors X, Y, and Z. When configuring the System Monitor Agent Properties for Agent 2, you see all available Data Processors in the Data Processors to Use section, and you would select Data Processors A, B, and C to prevent errors in data processing. For more information, see Load Balancing. You can set them to any priority order, but if all load balanced Agents don’t include the same Data Processors in their configuration, the Data Processors receiving load balanced log source data from those Agents fail to process the data. The following warning in scmedsvr.log indicates that your load balanced log source agents might be configured incorrectly: **WARNING** Invalid message source ID received from Agent <agent name> (LogSourceId=<ID number>) - no such ID exists in the LogRhythm deployment. |
Use all Available NICs | Select this to allow the agent to use all available NICs until it is able to connect to the Data Processor. The Agent IP address input option is unavailable if this option is selected. |
Agent IP/Address Index | Specify the interface that the System Monitor uses for communications to this Data Processor. Valid values for the Agent IP/Address Index are 0-99, or an IP address. Numeric values determine which network interface card to use; a value of 0 is the first available network interface card. An Agent IP address value is the static IP address of the NIC to listen on. Only use an IP address when the IP never changes (no DHCP). For backward compatibility, Linux and UNIX-based Agents continue to accept eth0-eth99 as a valid interface name. |
Agent Port | The local agent port the System Monitor uses to communicate with this Data Processor. The valid range is 0 to 65535. A value of 0 allows the agent to auto-negotiate a random high port with the mediator for communication between the two. |
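The scmedsvr.log warning quoted above is the symptom of load balanced Agents that do not list the same Data Processors. As an added example that is not part of the original documentation, this script scans a constructed scmedsvr.log excerpt for that warning and groups the unknown LogSourceIds by Agent, so you can see which Agents to re-check (the agent names, timestamps and IDs in the sample are made up):

```python
import re
from collections import defaultdict

# Pattern for the warning quoted in the Data Processors to Use description;
# the Agent name and LogSourceId are captured.
INVALID_SOURCE_RE = re.compile(
    r"\*\*WARNING\*\* Invalid message source ID received from Agent "
    r"(?P<agent>.+?) \(LogSourceId=(?P<lsid>\d+)\) - no such ID exists in the LogRhythm deployment"
)

# Constructed scmedsvr.log excerpt (not a real log; names, times and IDs are invented).
SAMPLE_LOG = """\
2024-03-07 10:15:01 INFO Mediator started
2024-03-07 10:15:07 **WARNING** Invalid message source ID received from Agent LB-AGENT-02 (LogSourceId=1187) - no such ID exists in the LogRhythm deployment.
2024-03-07 10:15:09 **WARNING** Invalid message source ID received from Agent LB-AGENT-02 (LogSourceId=1188) - no such ID exists in the LogRhythm deployment.
2024-03-07 10:15:12 **WARNING** Invalid message source ID received from Agent LB-AGENT-05 (LogSourceId=1187) - no such ID exists in the LogRhythm deployment.
2024-03-07 10:16:00 INFO Heartbeat received from Agent LB-AGENT-01
"""


def find_mismatched_agents(log_text):
    """Map each Agent named in the warning to the set of LogSourceIds the mediator rejected."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = INVALID_SOURCE_RE.search(line)
        if m:
            hits[m.group("agent")].add(int(m.group("lsid")))
    return dict(hits)


def report(log_text):
    """One line per affected Agent; these are the Agents whose Data Processor list to compare."""
    rows = []
    for agent, ids in sorted(find_mismatched_agents(log_text).items()):
        rows.append(f"{agent}: {len(ids)} unknown LogSourceId(s): {sorted(ids)}")
    return rows


if __name__ == "__main__":
    for row in report(SAMPLE_LOG):
        print(row)
```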
Syslog and Flow Settings Tab
When processing a syslog, the Agent attempts to parse out the time stamp embedded in the syslog message and uses that value as the collection time (normal message date) for the log rather than the time the Agent received the syslog. If no timestamp can be parsed from the syslog message, the collection time (the time the log was received on the Agent’s syslog interface) is used as the normal message date.
Property | Syslog and Flow Settings Tab Description |
---|---|
Enable Syslog Server | Enables the Windows, Linux, or UNIX Agent component that receives and collects Syslog data. For more information on configuring a secure syslog server, see Configure a Secure Syslog Agent. |
Syslog Relay Hosts | Entries in this list indicate that the IP address the Agent receives the log from is not the real source of the message but a relaying device. When the Agent sees an IP listed here, it uses special parsing, specified in the Syslog Relay Regular Expressions field, to determine the true source of the traffic. The list should contain a single IP address per line. |
Syslog Relay Regular Expressions | Contains Regex strings that serve to identify and parse information from syslog data. Note the following: |
Enable Load Balancing | Designates the Agent as one that collects logs from a load balancer. When Agents and Log Sources are marked as load balanced, all such Agents receive the configuration information for load balanced log sources. |
Load Balanced Group | Open the drop-list and select the load balanced group with which to associate the Agent. For more information on creating load balanced groups, see Load Balanced Agent Groups. |
Enable JSON Parsing | Enables the Agent component that allows for JSON parsing. |
Enable IPFIX/NetFlow/J-Flow Server | Enables the Agent component that will receive and collect IPFIX/NetFlow/J-Flow data. |
Enable sFlow Server | Enables the Agent component that receives and collects sFlow data. If it is disabled, an sFlow listener is not created. |
Log sFlow Counters | Enables or disables the logging of sFlow counter structures. |
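The timestamp handling described at the top of this section and the Syslog Relay Hosts behaviour can be modelled together. The following is an added example, not the Agent's own code: it parses an RFC 3164 style header for the embedded timestamp (falling back to the collection time when none parses) and, when the sending IP is a configured relay host, applies a hypothetical relay regular expression to recover the true source. The relay prefix format, relay host list and receive time are all constructed for the example.

```python
import re
from datetime import datetime

# Constructed configuration: Syslog Relay Hosts as entered in the UI (one IP per line).
RELAY_HOSTS = {"10.0.0.5"}

# Hypothetical relay regular expression (the page gives no real one): the relaying
# device prefixes the original sender's IP; the "source" group yields the true origin.
RELAY_REGEX = re.compile(
    r"^\[relay from (?P<source>\d{1,3}(?:\.\d{1,3}){3})\]\s*(?P<msg>.*)$"
)

# RFC 3164 style header: optional <PRI>, then "Mmm dd hh:mm:ss", then the rest of the line.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d{1,3}>)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<rest>.*)$"
)

# Constructed receive time standing in for the Agent's clock.
RECEIVED_AT = datetime(2024, 3, 7, 10, 20, 0)


def parse_embedded_timestamp(ts, received_at):
    """Return the embedded timestamp as a datetime, or None if it cannot be parsed.
    RFC 3164 timestamps carry no year, so the year is taken from the receive time."""
    try:
        return datetime.strptime(f"{received_at.year} {ts}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None


def collect(sender_ip, raw, received_at=RECEIVED_AT):
    """Model the Agent's choice of normal message date and true source.
    Returns (normal_message_date, source_ip, message_body)."""
    m = SYSLOG_HEADER.match(raw)
    body = m.group("rest") if m else raw
    normal_date = parse_embedded_timestamp(m.group("ts"), received_at) if m else None
    if normal_date is None:
        normal_date = received_at  # no parsable timestamp: use the collection time
    source = sender_ip
    if sender_ip in RELAY_HOSTS:
        # Sender is a known relay: apply the relay regex to find the real origin.
        r = RELAY_REGEX.match(body)
        if r:
            source, body = r.group("source"), r.group("msg")
    return normal_date, source, body
```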
SNMP Trap Receiver Tab
Property | SNMP Trap Receiver Tab Description |
---|---|
Enable SNMP Trap Receiver | Check the box to receive v1, v2c, and v3 SNMP Traps collected from third-party network devices and systems. Default is unchecked. |
Listener Settings | Enter the IP Address and Port. |
SNMP v1/v2c | Enter the Community. |
SNMP v3 Authentication | Enter the User, Password, and Confirm Password. Only one user and password is supported. |
SNMP v3 Encryption | Enter the Password, Confirm Password, and select an Algorithm (3DES, AES, DES) from the list. |
Endpoint Monitoring Tab
File Integrity Monitor
Property | File Integrity Monitor Tab Description |
---|---|
Enable File Integrity Monitor | Check the box to enable File Integrity Monitor (FIM). Default is unchecked. |
Mode | Enable Standard or Realtime FIM. Standard and Realtime FIM are included with the System Monitor Lite license for desktop operating systems only. Server operating systems require System Monitor Pro or Collector. For specific operating system support, see Realtime File Integrity Monitor (FIM) Support by Operating System. |
Enable Realtime Mode Anomaly Detection | If an active FIM Policy is monitoring for Modify events, the Realtime FIM engine recomputes the hash for monitored items after every Modify. If Realtime Mode Anomaly Detection is enabled, the Realtime FIM engine recomputes the hash for each file once every 24 hours. If the hash value has changed since it was last computed, FIM generates a "missed" modify event (MissedModifyAnomalyEvent). |
Include User Activity Monitor Data (Requires UAM) | If enabled and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. This setting is disabled by default. |
Policy Name | When File Integrity Monitor is enabled, you must select at least one policy from the list. The field is only enabled when Enable File Integrity Monitor is selected. The policies are applied consecutively; each policy selected is applied to the agent. |
Preview | Click to open the Directories Monitored With Selected Policies window, which displays directories or files being monitored by the selected policies. |
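The Realtime Mode Anomaly Detection behaviour described above (rehash every 24 hours, raise a MissedModifyAnomalyEvent when the hash no longer matches the one recorded at the last Modify) can be illustrated with a small model. This is an added example and not the FIM engine's code; the class name, the dictionary event shape and the use of epoch seconds are assumptions made for the example.

```python
import hashlib

RECHECK_INTERVAL_SECONDS = 24 * 60 * 60  # per the page: hashes are recomputed once every 24 hours


def sha256_hex(data):
    """Hash of a file's content; the algorithm is an assumption for this example."""
    return hashlib.sha256(data).hexdigest()


class RealtimeAnomalyChecker:
    """Hypothetical model of Realtime Mode Anomaly Detection: keep the hash recorded at
    the last Modify event per monitored file, rehash on a 24h cycle, flag silent changes."""

    def __init__(self, now):
        self.baseline = {}       # path -> hash recorded at the last Modify or last recheck
        self.last_recheck = now  # epoch seconds of the last periodic recheck

    def record_modify(self, path, content):
        """Realtime engine observed a Modify event: recompute and store the hash."""
        self.baseline[path] = sha256_hex(content)

    def periodic_recheck(self, now, current_contents):
        """Rehash every monitored file once the 24h interval has elapsed.
        A hash that differs from the baseline means a Modify event was missed."""
        events = []
        if now - self.last_recheck < RECHECK_INTERVAL_SECONDS:
            return events  # recheck not yet due
        for path, content in current_contents.items():
            new_hash = sha256_hex(content)
            old_hash = self.baseline.get(path)
            if old_hash is not None and old_hash != new_hash:
                events.append({"event": "MissedModifyAnomalyEvent", "path": path,
                               "previous_hash": old_hash, "current_hash": new_hash})
            self.baseline[path] = new_hash  # the fresh hash becomes the new baseline
        self.last_recheck = now
        return events
```

A file seen for the first time during a recheck is baselined without an event, since there is no earlier hash to compare against.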
Registry Integrity Monitor
Property | Registry Integrity Monitor Tab Description |
---|---|
Enable Registry Integrity Monitor | Check the box to enable Registry Integrity Monitor. Default is unchecked. |
Policy | The field is enabled when the Enable Registry Integrity Monitor box is selected. Select a policy from the list. |
Data Loss Defender
Property | Data Loss Defender Tab Description |
---|---|
Enable Data Loss Defender | Check the box to enable Data Loss Defender (DLD). Default is unchecked. |
Policy Name | The field is enabled when the Enable Data Loss Defender box is checked. Select a policy from the list. |
Process Monitor
Property | Process Monitor Tab Description |
---|---|
Enable Process Monitor | Check the box to enable Process Monitor. Default is unchecked. |
Include User Activity Monitor Data (Requires UAM) | If checked and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. Default is unchecked. |
Network Connection Monitor
Property | Network Connection Monitor Tab Description |
---|---|
Enable Network Connection Monitor | Check the box to enable Network Connection Monitor. Default is unchecked. |
Monitor Inbound TCP Connections | Check the box to monitor Inbound TCP Connections. Default is unchecked. |
Monitor Outbound TCP Connections | Check the box to monitor Outbound TCP Connections. Default is unchecked. |
Monitor Listening TCP/UDP Sockets | Check the box to monitor listening TCP/UDP sockets. |
Include User Activity Monitor Data (Requires UAM) | If checked and User Activity Monitor (UAM) is enabled, user logon information is included in the FIM logs. Default is unchecked. |
User Activity Monitor
Property | User Activity Monitor Tab Description |
---|---|
Monitor Logon Activity | Check the box to Monitor Logon Activity. Default is unchecked. |
Monitor Network Session Activity | Check the box to Monitor Network Session Activity. Default is unchecked. |
Monitor Process Activity | Check the box to Monitor Process Activity. Default is unchecked. |
Additional Information Tab
Property | Additional Information Tab Description |
---|---|
Brief Description | A short description of the information. |
Details | The details of the information. |
Axon Settings Tab
Property | Axon Settings Tab Description |
---|---|
Enable log forwarding to Axon | Check the box to allow a second copy of the logs collected by the System Monitor to be sent to Axon. Default is unchecked. |
Base URL of Axon APIs | Enter the Axon base API URL. |
API Key | Enter the Axon API key. |
Tenant ID | Enter the tenant (directory) ID. |
Batch Size | Enter a value between 1000 and 10000 to specify the size of each batch sent to Axon. Default value is 1000. |