Purpose
Although similar in function to the Windows Agent, the *nix Agents require different permissions because of the differences in operating systems. All *nix Agents share the same privilege footprint.
UNIX Agents can run under any user context unless syslog monitoring is enabled. Syslog on UNIX defaults to port 514, which requires root access.
Shared Resource
All *nix Agents require full control of their own installation directories.
Registry Access
N/A
Database Access
No Agent communicates directly with a LogRhythm database.
Ports
*nix Agents communicate on the same ports as Windows Agents. However, syslog data collection requires access to port 514.
Other Resources
*nix Agents have a different set of third-party integrations than normal Windows Agents.
|
Log Collection Interface |
Permissions |
|---|---|
|
Flat File Log Collection |
Read permissions to target directories/files |
|
Integrated UDP Syslog Server |
Port only |
|
Integrated TCP Syslog Server |
Port only |
|
System Performance Monitoring |
Local system access |
|
File Integrity Monitoring |
Read permissions to target directories/files |
|
Realtime File Integrity Monitoring |
Read permissions to target directories/files |
|
Process Monitor |
Local system access |
|
Network Connection Monitor |
Local system access |
If Registry Integrity Monitoring is enabled, additional permissions will be required (see the Other Resources item later in this section).
Database Access
An Agent does not require any access to any LogRhythm database. All database communications are handled by the associated Data Processor Mediator service.
Ports
Windows Agent ports can be configured in the Deployment Manager.
-
Click the System Monitors tab.
-
Select and right-click the specific Agent, and then click Properties.
Ports can be found in the Advanced settings, the Data Processor Settings, or the SNMP Trap Receiver tabs.
|
Port |
Default Port |
Inbound/Outbound |
Purpose |
|---|---|---|---|
|
Agent Port |
3333 |
Outbound to Mediator |
Port used to send logs to Mediator |
|
MediatorPort* |
40000 |
Outbound to Mediator |
Data Processor communication port in unidirectional mode (if configured) |
|
NetflowServerPort* |
5500 |
Inbound from IPFIX/NetFlow/J-Flow |
Inbound from IPFIX/NetFlow/J-Flow |
|
SFlowServerUDPPort |
6343 |
Inbound |
Receiver for NetFlow UDB packets (if configured) |
|
SecureSyslogPort* |
6514 |
Inbound from remote sources |
Receiver for secure syslog TCP communications (if configured) |
|
SyslogTCPPort* |
514 |
Inbound |
Receiver for non-secure syslog TCP packets (if configured) |
|
SyslogUDPPort* |
514 |
Inbound |
Receiver for non-secure syslog UDP packets (if configured) |
|
SNMP Trap* |
161 |
Inbound |
Receiver for SNMP logs (if configured) |
|
Remote Windows Events* |
135,137, 138, 139, 445 |
Bidirectional |
Remote Windows Host Event Log collection (if configured) |
|
UDLA* |
Varies by vendor (1433 for SQL Server) |
Bidirectional |
Database query port (varies by database type) |
|
Check Point Firewall* |
18184 |
Bidirectional |
Log collection from Check Point firewalls |
|
Cisco IDS* |
443 |
Bidirectional |
Log collection from Cisco IDS |
|
Nessus* |
8843 |
Bidirectional |
Log collection from Nessus servers |
|
Qualys* |
443 |
Bidirectional |
Log collection from Qualys servers |
|
Metasploit* |
3790 |
Bidirectional |
Log collection from Metasploit |
|
Nexpose* |
3780 |
Bidirectional |
Log collection from NeXpose |
|
Retina* |
1433 |
Bidirectional |
Log collection from Retina |
|
eStreamer* |
4444 |
Bidirectional |
Log collection from eStreamer |
|
IP360 |
443 |
Bidirectional |
Log collection from IP360 |
* If port is configured
Other Resources
The Agents can connect to and/or read from a variety of third-party log sources. Depending on the log source, additional security permissions may be required for the Agent’s user context, or on the third-party system.
|
Log Collection Interface |
Permissions |
|---|---|
|
Flat File Log Collection |
Read permissions to target directories/files |
|
Windows Event Log Collection |
Agent account must be a member of Event Log Readers on target system AND Windows Firewall rules must be enabled for:
|
|
Remote Windows Event Log Collection |
Same as above, only on target remote machine |
|
Integrated UDP Syslog Server |
Port only |
|
Integrated TCP Syslog Server |
Port only |
|
Integrated Secure Syslog Server |
Port only |
|
Integrated NetFlow/J-Flow Server |
Port only |
|
Integrated IPFIX Server |
Port only |
|
Integrated sFlow Server |
Port only |
|
Integrated SNMP Trap Receiver |
Port only |
|
Remote Checkpoint Firewall Log Collection (via LEA) |
Checkpoint API permissions |
|
Remote Cisco IDS Log Collection (via SDEE) |
SDEE API permissions |
|
Remote Database Log Collection (UDLA) |
A database account with read permissions to target tables |
|
System Performance Monitoring |
Account must be member of Performance Log users, Performance Monitor Users, and Event Log Readers groups |
|
Data Loss Defender |
Agent account needs device control (ioctl) on local system |
|
File Integrity Monitoring |
Read permissions to target directories/files |
|
Real Time File Integrity Monitoring |
Read permissions to target directories/files |
|
Realtime Registry Integrity Monitoring |
Read permissions for target registry keys |
|
User Activity Monitoring |
Read permissions for registry keys related to users |
|
Process Monitor |
Local system access |
|
Network Connection Monitor |
Local system access |
|
Qualys Integration |
Qualys API permissions |
|
Nessus Integration |
Nessus API permissions |
|
NeXpose Integration |
NeXpose API permissions |
|
Metasploit Integration |
Metasploit API permissions |
|
Retina Integration |
Retina API permissions |
|
eStreamer Integration |
eStreamer API permissions |
|
IP360 |
IP360 API permissions |
SmartResponse plug-ins are executed from either the ARM or the Windows Agent. In both cases, the SmartResponse runs under the context of the ARM service account. These plug-ins may include privilege escalation, impersonation, or alternate logins. Carefully review the SmartResponse actions you use to determine if any extra privileges are require—or exposed—by the SmartResponse.