Performance Counters—LR System Monitor
- Service name. LogRhythm System Monitor Service (scsm)
- Runs on. See the LogRhythm Compatibility and System Monitor Functionality Guide
- Performance Object. LogRhythm System Monitor
Performance Counter | Description |
---|---|
Checkpoint Log Count | The number of Check Point firewall logs processed. |
Checkpoint Logs | The number of Check Point logs processed per second. |
Log Data Queue Size (Kbytes) | The size (KB) of the log data currently held in the scsm service’s log data memory queue. |
Log Source Virtualization Active Rules | Total number of rules for LSV sources configured on the Agent. |
Log Source Virtualization Matched/Sec | Rate of logs that matched an LSV rule. |
Log Source Virtualization Messages Matched | Total number of logs that matched an LSV rule. |
Log Source Virtualization Messages Parsed | Total number of logs parsed by the LSV processor. |
Log Source Virtualization Parsed/Sec | Rate of logs parsed by the LSV processor. |
Log Source Virtualization Sources | Total number of sources configured with LSV on the Agent. |
Logs Flushed In Session | The total number of logs flushed in this session by the scsm service and sent to the Data Processors since it was last started. |
Netflow Packets Received | The total number of Netflow packets received by the scsm service since it was last started. |
Netflow Packets | The number of NetFlow packets received per second by the scsm service. |
Netflow Suspense File Count | Total number of NetFlow suspense files created. |
Netflow Suspense Session Log Count | Total number of Netflow logs added in suspense file in current session. |
Number of Filtered Log Messages | Total number of Filtered Messages from LSV sources configured on the Agent. |
Number of Filtered Log Messages/Sec | Rate of Filtered Messages from LSV sources configured on the Agent. |
Rate Logs Flushed / Sec | The number of logs flushed to the Data Processor per second by the scsm service. |
sFlow Suspense File Count | Total number of sFlow suspense files created. |
sFlow Suspense Session Log Count | Total number of sFlow logs added in suspense file in current session. |
SNMP Suspense File Count | Total number of SNMP suspense files created. |
SNMP Suspense Session Log Count | Total number of SNMP logs added in suspense file in current session. |
Syslog Suspense File Count | Total number of Syslog suspense files created. |
Syslog Suspense Session Log Count | Total number of Syslogs added in suspense file in current session. |
Syslog TCP Messages Received | The total number of Syslog TCP messages received. |
Syslog TCP Messages Received / Sec | The number of Syslog TCP messages received per second. |
Syslog UDP Messages Received | The total number of Syslog UDP messages received. |
Syslog UDP Messages Received / Sec | The number of Syslog UDP messages received per second. |

If no activity occurs when expected in the System Monitor Agent performance counters listed below:
- Ensure the configuration is correct.
- Check the LogRhythm dashboard for any error or warning events pertaining to the scsm service or the system where the agent is hosted.
- Check the local scsm.log file for any related error messages.

To investigate performance of the scsm service, add the following performance counters to a perfmon console:
- Check Point Logs Processed / Sec. Should show activity when receiving logs from a Check Point firewall if the LogRhythm agent is configured to collect them. If you observe no activity in the counter for extended periods, follow the guidelines listed at the top of this section.
- NetFlow Packets Received / Sec. Should show activity when receiving NetFlow packets if the LogRhythm agent is configured to collect them. If you have the agent configured to receive NetFlow but observe no activity in this counter for extended periods, follow the guidelines listed at the top of this section.
- Rate Logs Flushed / Sec. Should show periodic activity when the agent sends log data to a Data Processor. In general, log data is sent to the Data Processor after each log data source is read.
- Syslog Messages Received and Syslog Messages Received / Sec. Should show activity when receiving syslog logs if the LogRhythm agent is configured to collect them. If you observe no activity in the counter for extended periods, follow the guidelines listed at the top of this section.
- SyslogNG Messages Received and SyslogNG Messages Received / Sec. Should show activity when receiving syslog logs if the LogRhythm agent is configured to collect them via a relay host. If you have the agent configured to receive syslog, but observe no activity in this counter for extended periods, follow the guidelines listed at the top of this section.
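
The same check can be scripted instead of watched in perfmon. The following PowerShell is an added example, not LogRhythm's own tooling: it samples the rate counters over a window and reports any that never rose above zero, which on a collector means logs are not arriving and detections downstream are blind. It assumes the counter set is named after the Performance Object on this page, that the counter names match the table above (only names the host actually exposes are sampled), and that the interval and sample count are constructed values to adjust.

```powershell
# Added example: report scsm rate counters that show no activity over a window.
# Assumptions: run on the Agent host; counter set name = Performance Object
# from this page; counter names are taken from the table on this page.
$setName = 'LogRhythm System Monitor'
$wanted  = @(
    'Rate Logs Flushed / Sec',
    'Syslog TCP Messages Received / Sec',
    'Syslog UDP Messages Received / Sec',
    'Checkpoint Logs',
    'Netflow Packets'
)
$intervalSec = 5    # seconds between samples (constructed value)
$samples     = 12   # 12 x 5 s = one-minute window (constructed value)

# Enumerate what the host really exposes, then keep only the wanted counters.
$set   = Get-Counter -ListSet $setName -ErrorAction Stop
$paths = $set.Paths | Where-Object { $wanted -contains ($_ -split '\\')[-1] }
if (-not $paths) { throw "None of the expected counters exist in '$setName'." }

# Track the highest value seen for each counter across the window.
$peak = @{}
Get-Counter -Counter $paths -SampleInterval $intervalSec -MaxSamples $samples |
    ForEach-Object {
        foreach ($s in $_.CounterSamples) {
            $name = ($s.Path -split '\\')[-1]
            if (-not $peak.ContainsKey($name) -or $s.CookedValue -gt $peak[$name]) {
                $peak[$name] = $s.CookedValue
            }
        }
    }

# A counter whose peak is still 0 had no activity for the whole window.
$peak.GetEnumerator() | Sort-Object Name | ForEach-Object {
    [pscustomobject]@{
        Counter = $_.Name
        Peak    = [math]::Round($_.Value, 2)
        Status  = if ($_.Value -gt 0) { 'active' } else { 'NO ACTIVITY' }
    }
} | Format-Table -AutoSize
```

A counter reported as NO ACTIVITY for a source the agent is configured to collect is the cue to work through the configuration, dashboard, and scsm.log checks above.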