Least Privileged User: SysMon, Windows
Purpose
The Agent performs a variety of collection and monitoring functions on the host where it runs. Depending on the platform (AIX, Windows, etc.) and which services are turned on, the Agent may require elevated privileges to perform the following actions:
- Read log sources from local or remote sources
- Monitor registry integrity
- Execute Data Loss Defender functions
- Monitor processes
- Monitor network connections
- Monitor user activity
- Perform File Integrity Monitoring (FIM)
- Execute database queries to generate logs
- Capture SNMP traps
- Execute SmartResponses locally
Shared Resources
Path | Read | Write | Read & Execute | Modify | Full Control | Children Inherit |
---|---|---|---|---|---|---|
<LogRhythm Installation Directory Path>\LogRhythm\LogRhythm System Monitor | X | | | | | |
Depending on which collection features are enabled, the Agent may need read access to additional directories. See the Other Resources item later in this section for specifics.
Registry Access
Key | Read Control | Write Owner | Write DAC | Delete | Create Link | Enumerate Subkeys | Set Value | Query Value | Full Control | Children Inherit |
---|---|---|---|---|---|---|---|---|---|---|
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\LogRhythm System Monitor | X | X | X | X | X | X | X | X | X | |
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\scsm | X | | | | | | | | | |
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib | X | | | | | | | | | |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | X | | | | | | | | | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Data | X | X | | | | | | | | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking | X | X | | | | | | | | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking 4.0.0.0 | X | X | | | | | | | | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for Oracle | X | X | | | | | | | | |
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for SqlServer | X | X | | | | | | | | |
If Registry Integrity Monitoring is enabled, additional permissions will be required (see the Other Resources item later in this section).
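The following PowerShell script is an added example, not LogRhythm's own code or documentation. It grants a dedicated Agent service account only the rights listed in the two tables above (Read on the installation directory; the fully marked registry keys; read-only on the remaining keys) and then prints what the account actually holds on each path so the result can be verified. The account name, the installation path, the use of inheritance on the directory, and the reading of the single-mark and double-mark registry rows as plain read access are assumptions made for the example, not statements from the page. Run it from an elevated session on the Agent host.

```powershell
# Added example (not LogRhythm code). Assumptions are marked inline.
$Account    = 'CORP\svc-lr-sysmon'                                   # hypothetical service account
$InstallDir = 'C:\Program Files\LogRhythm\LogRhythm System Monitor'   # assumed install path

$FullControlKeys = @(   # rows marked in every rights column of the registry table
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security',
    'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters',
    'HKLM:\SYSTEM\CurrentControlSet\Services\LogRhythm System Monitor'
)
$ReadKeys = @(          # remaining rows; treated here as read access (an interpretation)
    'HKLM:\SYSTEM\CurrentControlSet\Services\scsm',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib',
    'HKLM:\SYSTEM\CurrentControlSet\Services\.NET CLR Data',
    'HKLM:\SYSTEM\CurrentControlSet\Services\.NET CLR Networking',
    'HKLM:\SYSTEM\CurrentControlSet\Services\.NET CLR Networking 4.0.0.0',
    'HKLM:\SYSTEM\CurrentControlSet\Services\.NET Data Provider for Oracle',
    'HKLM:\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer'
)

function Grant-AgentDirectoryRead {
    param([string]$Path, [string]$Identity)
    # The table marks Read only. If the service process itself runs as this
    # account, it additionally needs Execute on its binaries (ReadAndExecute).
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Read,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit', # assumed: files below inherit
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)      # replaces any existing Allow rule for this identity
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-AgentRegistryRight {
    param([string]$Key, [string]$Identity, [System.Security.AccessControl.RegistryRights]$Rights)
    if (-not (Test-Path -Path $Key)) { Write-Warning "skipping missing key $Key"; return }
    $acl  = Get-Acl -Path $Key
    $rule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    Set-Acl -Path $Key -AclObject $acl
}

# Verification: list the effective rules (explicit and inherited) for the account.
function Get-AgentAccountRights {
    param([string[]]$Paths, [string]$Identity)
    foreach ($p in $Paths) {
        if (-not (Test-Path -Path $p)) { continue }
        $rules = (Get-Acl -Path $p).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
        $rights = foreach ($r in $rules) {
            if ($r -is [System.Security.AccessControl.RegistryAccessRule]) { $r.RegistryRights } else { $r.FileSystemRights }
        }
        [pscustomobject]@{ Path = $p; Rights = if ($rights) { $rights -join ', ' } else { '(none)' } }
    }
}

Grant-AgentDirectoryRead -Path $InstallDir -Identity $Account
foreach ($k in $FullControlKeys) { Grant-AgentRegistryRight -Key $k -Identity $Account -Rights FullControl }
foreach ($k in $ReadKeys)        { Grant-AgentRegistryRight -Key $k -Identity $Account -Rights ReadKey }
Get-AgentAccountRights -Paths (@($InstallDir) + $FullControlKeys + $ReadKeys) -Identity $Account | Format-Table -AutoSize
```

The verification pass at the end is the part worth keeping around: re-run it after any product upgrade or GPO change, and treat any Rights value beyond what the tables call for (FullControl on the installation directory, for instance) as a finding.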
Database Access
An Agent does not require any access to any LogRhythm database. All database communications are handled by the associated Data Processor Mediator service.
Ports
Windows Agent ports can be configured in the Deployment Manager.
- Click the System Monitors tab.
- Select and right-click the specific Agent, and then click Properties.
Ports can be found in the Advanced settings, the Data Processor Settings, or the SNMP Trap Receiver tabs.
Port | Default Port | Inbound/Outbound | Purpose |
---|---|---|---|
Agent Port | 3333 | Outbound to Mediator | Port used to send logs to Mediator |
MediatorPort* | 40000 | Outbound to Mediator | Data Processor communication port in unidirectional mode (if configured) |
NetflowServerPort* | 5500 | Inbound from IPFIX/NetFlow/J-Flow exporters | Receiver for IPFIX/NetFlow/J-Flow packets (if configured) |
SFlowServerUDPPort | 6343 | Inbound | Receiver for sFlow UDP packets (if configured) |
SecureSyslogPort* | 6514 | Inbound from remote sources | Receiver for secure syslog TCP communications (if configured) |
SyslogTCPPort* | 514 | Inbound | Receiver for non-secure syslog TCP packets (if configured) |
SyslogUDPPort* | 514 | Inbound | Receiver for non-secure syslog UDP packets (if configured) |
SNMP Trap* | 161 | Inbound | Receiver for SNMP logs (if configured) |
Remote Windows Events* | 135, 137, 138, 139, 445 | Bidirectional | Remote Windows Host Event Log collection (if configured) |
UDLA* | Varies by vendor (1433 for SQL Server) | Bidirectional | Database query port (varies by database type) |
Check Point Firewall* | 18184 | Bidirectional | Log collection from Check Point firewalls |
Cisco IDS* | 443 | Bidirectional | Log collection from Cisco IDS |
Nessus* | 8834 | Bidirectional | Log collection from Nessus servers |
Qualys* | 443 | Bidirectional | Log collection from Qualys servers |
Metasploit* | 3790 | Bidirectional | Log collection from Metasploit |
Nexpose* | 3780 | Bidirectional | Log collection from NeXpose |
Retina* | 1433 | Bidirectional | Log collection from Retina |
eStreamer* | 4444 | Bidirectional | Log collection from eStreamer |
IP360 | 443 | Bidirectional | Log collection from IP360 |
* If port is configured.
Note: the IANA-registered port for SNMP traps is UDP 162 (161 is the SNMP query port). Confirm the receiver's actual value on the SNMP Trap Receiver tab before opening firewall rules.
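As an added example (not LogRhythm code or documentation), the following PowerShell script applies the table above the way a least-privilege deployment should: it declares which inbound receivers are actually enabled on this Agent, creates Windows Firewall rules only for those and scopes them to known sender subnets, restricts outbound traffic to the Mediator ports, and then compares what the Agent process is really listening on against the declared list. The Mediator address, the sender subnets and the Agent service name (`scsm`, taken from the registry key listed earlier) are assumptions for the example; use the values from your own Deployment Manager.

```powershell
# Added example (not LogRhythm code). Assumptions are marked inline.
$Mediator         = '10.0.0.10'                        # hypothetical Data Processor address
$SyslogSenders    = @('10.0.1.0/24', '10.0.2.0/24')    # hypothetical sender subnets
$AgentServiceName = 'scsm'                             # assumed service name

# One entry per receiver from the ports table; flip Enabled to match the Agent's
# configuration. SNMP: the table lists 161, IANA registers snmptrap as UDP 162;
# use whatever the SNMP Trap Receiver tab shows for your deployment.
$Receivers = @(
    [pscustomobject]@{ Name = 'SyslogUDP';    Proto = 'UDP'; Port = 514;  Enabled = $true  }
    [pscustomobject]@{ Name = 'SyslogTCP';    Proto = 'TCP'; Port = 514;  Enabled = $false }
    [pscustomobject]@{ Name = 'SecureSyslog'; Proto = 'TCP'; Port = 6514; Enabled = $true  }
    [pscustomobject]@{ Name = 'NetFlow';      Proto = 'UDP'; Port = 5500; Enabled = $false }
    [pscustomobject]@{ Name = 'sFlow';        Proto = 'UDP'; Port = 6343; Enabled = $false }
    [pscustomobject]@{ Name = 'SNMPTrap';     Proto = 'UDP'; Port = 162;  Enabled = $false }
)

function Set-AgentInboundRules {
    param([object[]]$Receivers, [string[]]$RemoteAddress)
    foreach ($r in $Receivers) {
        $name = "LogRhythm Agent - $($r.Name) inbound"
        # Remove any earlier copy so re-running converges on the declared state.
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
        if ($r.Enabled) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $r.Proto -LocalPort $r.Port -RemoteAddress $RemoteAddress `
                -Profile Domain | Out-Null
        }
    }
}

function Set-AgentOutboundRule {
    param([string]$MediatorAddress)
    $name = 'LogRhythm Agent - Mediator outbound'
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    # Agent Port 3333 and MediatorPort 40000 from the table. This rule only
    # restricts anything when the profile's default outbound action is Block.
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
        -Protocol TCP -RemotePort 3333, 40000 -RemoteAddress $MediatorAddress -Profile Domain | Out-Null
}

# Audit: which sockets does the Agent process hold versus what was declared?
function Compare-AgentListeners {
    param([object[]]$Receivers, [string]$ServiceName)
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "service '$ServiceName' not found" }
    $expected = @($Receivers | Where-Object Enabled | ForEach-Object { "$($_.Proto)/$($_.Port)" })
    $actual   = @(Get-NetTCPConnection -State Listen -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
                    ForEach-Object { "TCP/$($_.LocalPort)" }) +
                @(Get-NetUDPEndpoint -OwningProcess $svc.ProcessId -ErrorAction SilentlyContinue |
                    ForEach-Object { "UDP/$($_.LocalPort)" })
    [pscustomobject]@{
        Unexpected = @($actual   | Where-Object { $_ -notin $expected } | Sort-Object -Unique) # listening, not declared
        Missing    = @($expected | Where-Object { $_ -notin $actual   } | Sort-Object -Unique) # declared, not listening
    }
}

Set-AgentInboundRules -Receivers $Receivers -RemoteAddress $SyslogSenders
Set-AgentOutboundRule -MediatorAddress $Mediator
Compare-AgentListeners -Receivers $Receivers -ServiceName $AgentServiceName | Format-List
```

An entry under Unexpected means a receiver is enabled in the Agent's configuration that nobody declared here (and therefore has no scoped firewall rule); an entry under Missing usually means the receiver is configured but the service has not been restarted since.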
Other Resources
The Agents can connect to and/or read from a variety of third-party log sources. Depending on the log source, additional security permissions may be required for the Agent’s user context, or on the third-party system.
Log Collection Interface | Permissions |
---|---|
Flat File Log Collection | Read permissions to target directories/files |
Windows Event Log Collection | Agent account must be a member of Event Log Readers on target system AND Windows Firewall rules must be enabled for: |
Remote Windows Event Log Collection | Same as above, only on target remote machine |
Integrated UDP Syslog Server | Port only |
Integrated TCP Syslog Server | Port only |
Integrated Secure Syslog Server | Port only |
Integrated NetFlow/J-Flow Server | Port only |
Integrated IPFIX Server | Port only |
Integrated sFlow Server | Port only |
Integrated SNMP Trap Receiver | Port only |
Remote Checkpoint Firewall Log Collection (via LEA) | Checkpoint API permissions |
Remote Cisco IDS Log Collection (via SDEE) | SDEE API permissions |
Remote Database Log Collection (UDLA) | A database account with read permissions to target tables |
System Performance Monitoring | Account must be a member of the Performance Log Users, Performance Monitor Users, and Event Log Readers groups |
Data Loss Defender | Agent account needs device control (ioctl) on local system |
File Integrity Monitoring | Read permissions to target directories/files |
Real Time File Integrity Monitoring | Read permissions to target directories/files |
Real Time Registry Integrity Monitoring | Read permissions for target registry keys |
User Activity Monitoring | Read permissions for registry keys related to users |
Process Monitor | Local system access |
Network Connection Monitor | Local system access |
Qualys Integration | Qualys API permissions |
Nessus Integration | Nessus API permissions |
NeXpose Integration | NeXpose API permissions |
Metasploit Integration | Metasploit API permissions |
Retina Integration | Retina API permissions |
eStreamer Integration | eStreamer API permissions |
IP360 Integration | IP360 API permissions |
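The group memberships in the table above (Event Log Readers for Windows Event Log collection; Performance Log Users, Performance Monitor Users and Event Log Readers for System Performance Monitoring) are the kind of thing that drifts on remote targets, so the following PowerShell script is offered as an added example (not LogRhythm code or documentation). For each target it adds the Agent account to exactly the local groups the enabled features require, does nothing when the membership already exists, and flags any target where the account also sits in Administrators, which is the most common way the least-privilege intent gets defeated. The account name and target host names are hypothetical; it assumes PowerShell remoting to the targets is already enabled.

```powershell
# Added example (not LogRhythm code). Assumptions are marked inline.
$Account = 'CORP\svc-lr-sysmon'   # hypothetical service account

# Feature -> local groups, taken from the Other Resources table.
$FeatureGroups = @{
    'WindowsEventLog'       = @('Event Log Readers')
    'PerformanceMonitoring' = @('Performance Log Users', 'Performance Monitor Users', 'Event Log Readers')
}

# Hypothetical collection targets and the features enabled against each.
$Targets = @(
    [pscustomobject]@{ ComputerName = 'app01.corp.example'; Features = @('WindowsEventLog') }
    [pscustomobject]@{ ComputerName = 'db01.corp.example';  Features = @('WindowsEventLog', 'PerformanceMonitoring') }
)

# Resolve the feature list to a de-duplicated group list; unknown features are an error,
# so a typo cannot silently grant nothing (or, worse, get "fixed" with admin rights).
function Get-RequiredGroups {
    param([string[]]$Features, [hashtable]$Map)
    $groups = foreach ($f in $Features) {
        if (-not $Map.ContainsKey($f)) { throw "unknown feature '$f'" }
        $Map[$f]
    }
    @($groups | Sort-Object -Unique)
}

# Runs on the target host: add only the missing memberships, report the picture back.
$RemoteWork = {
    param([string]$Member, [string[]]$Groups)
    $rows = foreach ($g in $Groups) {
        $present = Get-LocalGroupMember -Group $g | Where-Object { $_.Name -eq $Member }
        if (-not $present) { Add-LocalGroupMember -Group $g -Member $Member }
        [pscustomobject]@{ Group = $g; Member = $Member; AddedNow = -not [bool]$present }
    }
    $isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' | Where-Object { $_.Name -eq $Member })
    [pscustomobject]@{ Groups = $rows; IsLocalAdmin = $isAdmin }
}

foreach ($t in $Targets) {
    $groups = Get-RequiredGroups -Features $t.Features -Map $FeatureGroups
    $r = Invoke-Command -ComputerName $t.ComputerName -ScriptBlock $RemoteWork -ArgumentList $Account, $groups
    Write-Host "== $($t.ComputerName)"
    $r.Groups | Format-Table Group, Member, AddedNow -AutoSize
    if ($r.IsLocalAdmin) {
        Write-Warning "$($t.ComputerName): $Account is in Administrators; collection needs only: $($groups -join ', ')"
    }
}
```

On a domain controller these are domain built-in groups rather than local ones, so the `Add-LocalGroupMember` calls must be replaced with `Add-ADGroupMember` against the same group names. Group membership only covers the permission half of the table's requirement; the Windows Firewall rules it mentions still have to be enabled on each target.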
SmartResponse plug-ins are executed from either the ARM or the Windows Agent. In both cases, the SmartResponse runs under the context of the ARM service account. These plug-ins may include privilege escalation, impersonation, or alternate logins. Carefully review the SmartResponse actions you use to determine whether any extra privileges are required, or exposed, by the SmartResponse.