Generic JSON Collector
This feature is supported for 64-bit Windows System Monitor Agents running version 7.20.0 or later, in environments with a core version of 7.20.0 or higher.
The 64-bit System Monitor Agent can begin consuming JSON data from third-party or custom collectors on ports 6044 (TCP) and 7044 (UDP) by default once the Enable JSON Parsing option is enabled in the System Monitor Basic Properties.
Any JSON data can be sent to the System Monitor from a third-party tool or custom collector, and you can create a custom policy file or create a custom log source for data classification and event generation.
When the System Monitor service starts with JSON parsing enabled, two new ports are set up to listen for generic JSON data: one for TCP and another for UDP. Users can enable, disable, or modify the port settings in the JSON Parser Group in the System Monitor Advanced Properties.
Starting with LogRhythm SIEM version 7.24 and Open Collector version 2026.04, your own secure SSL certificates can be used to configure System Monitor Agents and the JSON Listener. See the JSON Parser section of the Modify System Monitor Advanced Properties topic for more information.
Generic JSON Parsing Process
The Generic JSON Collector processes incoming data through the following pipeline:
1. Listen: The agent listens on configurable TCP and UDP ports for incoming JSON data.
2. Convert: Raw byte streams are converted to JSON objects.
3. Filter: Each JSON object is matched against loaded policy files using filter expressions.
4. Parse: The matching policy's transforms map JSON fields to LogRhythm schema fields.
5. Output: Parsed records are forwarded to the mediator for indexing.
Prerequisites
Before creating custom policy files or log sources, ensure the following:
- You have System Monitor Agent version 7.20.0 or higher (64-bit Windows) installed.
- JSON Parsing is enabled on the agent:
  1. In the SIEM console, navigate to Deployment Manager > System Monitors.
  2. Open the System Monitor properties.
  3. On the Basic tab, check Enable JSON Parsing.
  4. On the Advanced tab, expand the JSON Parser Group to configure ports as follows:
| Agent Advanced Property | Range | Default | Description |
|---|---|---|---|
| | Any valid port number | 6044 | The TCP port on which the agent listens for JSON data from a third-party or custom collector. |
| | Enabled / Disabled | Enabled | Enables or disables the TCP listening port for generic JSON data. |
| | Any valid port number | 7044 | The UDP port on which the agent listens for JSON data from a third-party or custom collector. |
| | Enabled / Disabled | Enabled | Enables or disables the UDP listening port for generic JSON data. |
Policy Files
A policy file is a JSON file that tells the Generic JSON Collector how to:
Identify which incoming JSON messages belong to a specific source (using a filter); and
Map JSON fields to LR schema fields (using transforms).
For information on using the LogRhythm Policy Builder to create or edit your own custom policies, refer to the JSON Policy Builder documentation.
Policy File Locations
Policy files are stored in two directories on the agent machine:
| Directory | Purpose |
|---|---|
| | System-provided policies shipped with the agent. Do not modify these files. |
| | Your custom policies. Place all custom .json files here. |
Both directories are created automatically the first time the System Monitor Agent starts with JSON parsing enabled.
On a default installation, the custom policies directory is:
C:\Program Files\LogRhythm\LogRhythm System Monitor\policies\custompolicies\
Custom policies are evaluated before system policies, so a custom policy for a source type takes precedence over a matching system policy. You can therefore safely override a system policy by placing a custom policy with a more specific filter in the custompolicies folder, without modifying the system files. Your custom policies will not be overwritten when you upgrade the agent.
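The following added example (not LogRhythm code, and not the real policy file format) models the Convert, Filter and Parse steps to show why the custom filter should be specific: because custom policies are tried first, a filter that is too broad also captures messages meant for system policies. The policy names, field names and the Python predicate form of the filters are assumptions made for illustration.

```python
import json

# Simplified model: "filter" is a Python predicate and "transforms" maps a JSON
# field to an output field. Names are hypothetical, not LogRhythm policy syntax.
CUSTOM = [{"name": "custom-vpn",            # stand-in for custompolicies
           "filter": lambda o: o.get("product") == "vpn" and "user" in o,
           "transforms": {"user": "login", "client": "source_ip"}}]
SYSTEM = [{"name": "system-vpn",            # stand-in for system policies
           "filter": lambda o: o.get("product") == "vpn",
           "transforms": {"user": "account"}},
          {"name": "system-dns",
           "filter": lambda o: o.get("product") == "dns",
           "transforms": {"query": "domain"}}]
# A custom filter that is too broad: it matches every object.
CATCH_ALL = [{"name": "custom-catchall", "filter": lambda o: True,
              "transforms": {}}]

def convert(raw):
    """Convert step: bytes to a JSON object; None if malformed or not an object."""
    try:
        obj = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None

def process(raw, custom=CUSTOM, system=SYSTEM):
    """Filter and Parse steps: custom policies are tried before system ones."""
    obj = convert(raw)
    if obj is None:
        return None
    for policy in list(custom) + list(system):
        if policy["filter"](obj):
            fields = policy["transforms"].items()
            record = {dst: obj[src] for src, dst in fields if src in obj}
            return {"policy": policy["name"], "record": record}
    return None  # the model drops objects that no policy matches

# Constructed sample messages, not captured from a real collector.
SAMPLES = [b'{"product": "vpn", "user": "alice", "client": "10.0.0.5"}',
           b'{"product": "vpn", "event": "keepalive"}',
           b'{"product": "dns", "query": "example.com"}',
           b'not json']

if __name__ == "__main__":
    for raw in SAMPLES:
        print(process(raw), "| with catch-all:", process(raw, custom=CATCH_ALL))
```

With the catch-all policy in place, the DNS sample is claimed by the custom policy and loses the field mapping the system policy would have applied.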