The Process Monitor feature of the System Monitor Agent independently tracks when processes start and stop on the Windows or UNIX host where the Agent is running. The Agent generates one log when a process starts on the host and another when it detects that the process has stopped; these logs include the process name, owner name, start time, duration, and related details. If User Activity Monitor (UAM) is enabled, the Process Monitor logs also contain UAM information recording which users were logged on to the host at the time the process started or stopped.
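The following is an added illustration of the start/stop pairing and UAM enrichment described above; it is not LogRhythm code and does not reproduce the agent's actual log format. The event tuples, session table, and the service-account list are constructed for the example. It pairs each start event with the next stop for the same PID to derive the duration, attaches the users logged on at each instant, reports stop events with no matching start instead of dropping them, and shows one check an analyst might build on the enriched records: an interactive owner that had no logon session when the process started.

```python
"""Start/stop correlation with UAM-style session enrichment.

Added example for this page; not LogRhythm code. The event and session
tuples below are constructed for illustration, not the agent's real format.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessRecord:
    pid: int
    name: str
    owner: str
    start: datetime
    stop: Optional[datetime] = None
    users_at_start: List[str] = field(default_factory=list)
    users_at_stop: List[str] = field(default_factory=list)

    @property
    def duration(self) -> Optional[timedelta]:
        return None if self.stop is None else self.stop - self.start


# Constructed sample events: (timestamp, "start"|"stop", pid, process name, owner).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "start", 4120, "notepad.exe", "CORP\\alice"),
    ("2024-03-01T09:00:05", "start", 4188, "powershell.exe", "NT AUTHORITY\\SYSTEM"),
    ("2024-03-01T09:02:30", "stop", 4120, "notepad.exe", "CORP\\alice"),
    ("2024-03-01T09:10:00", "stop", 4188, "powershell.exe", "NT AUTHORITY\\SYSTEM"),
    ("2024-03-01T09:11:00", "start", 4300, "cmd.exe", "CORP\\bob"),
    ("2024-03-01T09:12:00", "start", 4400, "cmd.exe", "CORP\\alice"),
    ("2024-03-01T09:13:00", "stop", 9999, "svchost.exe", "NT AUTHORITY\\SYSTEM"),
]

# Constructed UAM-style session table: (logon, logoff or None if still on, user).
SAMPLE_SESSIONS = [
    ("2024-03-01T08:30:00", "2024-03-01T09:05:00", "CORP\\alice"),
    ("2024-03-01T09:08:00", None, "CORP\\bob"),
]

# Assumed set of non-interactive owners that never appear in a UAM session.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"}


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def users_logged_on(sessions, at: datetime) -> List[str]:
    """Users whose session covers instant `at` (logoff instant is exclusive)."""
    return sorted(user for logon, logoff, user in sessions
                  if _ts(logon) <= at and (logoff is None or at < _ts(logoff)))


def correlate(events, sessions) -> Tuple[List[ProcessRecord], List[ProcessRecord], List[int]]:
    """Pair each start with the next stop for the same PID.

    Returns (finished, still_running, orphan_stop_pids). A stop with no open
    start (e.g. the process launched before observation began) is reported
    rather than silently discarded.
    """
    open_procs: Dict[int, ProcessRecord] = {}
    finished: List[ProcessRecord] = []
    orphans: List[int] = []
    for ts, kind, pid, name, owner in sorted(events, key=lambda e: e[0]):
        at = _ts(ts)
        if kind == "start":
            open_procs[pid] = ProcessRecord(pid, name, owner, at,
                                            users_at_start=users_logged_on(sessions, at))
        elif kind == "stop":
            rec = open_procs.pop(pid, None)
            if rec is None:
                orphans.append(pid)
                continue
            rec.stop = at
            rec.users_at_stop = users_logged_on(sessions, at)
            finished.append(rec)
    return finished, list(open_procs.values()), orphans


def owner_not_logged_on(records) -> List[ProcessRecord]:
    """Processes whose interactive owner had no logon session at start time."""
    return [r for r in records
            if r.owner not in SERVICE_ACCOUNTS and r.owner not in r.users_at_start]


if __name__ == "__main__":
    done, running, orphans = correlate(SAMPLE_EVENTS, SAMPLE_SESSIONS)
    for r in done:
        print(f"{r.name} pid={r.pid} owner={r.owner} ran {r.duration} "
              f"users_at_start={r.users_at_start} users_at_stop={r.users_at_stop}")
    print("still running:", [r.pid for r in running], "orphan stops:", orphans)
    print("owner absent at start:", [(r.pid, r.owner) for r in owner_not_logged_on(done + running)])
```

With the constructed data, cmd.exe (PID 4400) is flagged because its owner's session ended at 09:05 while the process started at 09:12; the svchost.exe stop for PID 9999 is reported as an orphan because no start was observed. Real Process Monitor records carry these fields in LogRhythm's own schema and are best examined in Investigator rather than re-derived like this.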
A log source of type LogRhythm Process Monitor is created automatically for each Agent on its first connection to the Mediator. The log source name is ProcessMonitor. It is associated with the LogRhythm Default policy, which contains all available MPE rules. For information on accessing and modifying the log source, see Modify a Single Log Source.
A LogRhythm Default policy exists for Process Monitor in the Knowledge Base file. To access the Log Processing Policy and its associated MPE Rules, see Modify Log Processing Policies.
MPE Rules exist for Process Monitor in the MPE Rule Builder. Specific settings can be viewed and modified from within the Process Monitor Log Processing Policy.
Process Monitor logs can be queried using Investigator, monitored in Personal Dashboard and Tail, and restored using LogRhythm's archive restoration tool, SecondLook.