Skip to main content
Skip table of contents

Configure a System Monitor Agent into DP Pool Mode

You must be logged in as an Administrator to take this action.

In Pool mode, the System Monitor Agent forwards logs to all Data Processors in the DP pool. One Data Processor in the pool is designated as the control DP and receives heartbeats and message source states. If the control DP is unreachable or offline, the Agent designates another DP in the pool as the control DP. DP Pooling is only supported on the Windows Version of the LogRhythm System Monitor Agent. 

LogRhythm recommends using a 7.14 or Higher agent version in conjunction with DP pooling. Minimum agent version is 7.13.

You must create a DP pool and assign DPs to the pool before you can set an Agent to Pool mode. Attempting to set an Agent to Pool mode when there are no DP pools displays an error message:

There are no DP Pools available. Please create a DP Pool with at least one available Data Processor from Menu Tools >> Administration >> Data Processor Pool Manager

To assign the Agent to the DP Pool:

  1. On the main toolbar, click Deployment Manager.
  2. Click the System Monitors tab.
  3. Select the Action check box for the System Monitor you want to configure.
  4. Right-click that System Monitor, and then click Properties.
    The System Monitor Agent Properties window appears.
  5. Click the Data Processor Settings tab.
  6. Under Data Processor Mode, select Pool.

    Pinned mode is selected by default. In Pinned mode, the Agent forwards logs to Data Processors based on priority.

    To select Processors, click the check box next to Processor name. To change the order, click on the Processor name and then click the up or down arrows to the right of the list.

  7. Select the desired pool from the list.

  8. Update your pooled Agents "Flush Batch" Settings through the Advanced button, search for the name "Flush Batch" and cap the value between 5,000 - 10,000. When using DP Pooling a smaller flush batch is preferred to reliably distribute load across the DPs in the pool
  9. Click Apply, and then click OK.

If your agents receive syslog messages from log sources not in their local configuration file, like behind a distribution system such as load balancer or round-robin relay, you should also enable load balancing on the Agent and configure all existing syslog sources as load balanced log sources. If this is not done, then syslogs can be dropped with unknown virtual identification request error messages or due to virtual log source identification request delays.

Enable Load Balancing

  1. In the System Monitor Agent Properties dialog, click the Syslog and Flow Settings tab.

  2. Check Enable Load Balancing.
  3. Click Apply, and then click OK.

Configure a Syslog Source as Load Balanced Log Sources

  1. On the main toolbar, click Deployment Manager.
  2. Click the Log Sources tab.
  3. In the lower grid, select the Action check boxes of the log sources you want to modify.

  4. Right-click the selection, click Actions, and then click Edit Properties.
    The Log Message Source Properties window appears.

  5. Click the Additional Settings tab.
  6. Check Load Balanced Log Source.
  7. Click OK.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.