Skip to main content
Skip table of contents

Least Privileged User: SysMon, Windows


The Agent performs a variety of functions at the most local/granular level for LogRhythm. Depending on the platform (AIX, Windows, etc.) and which services are turned on, the Agent may require elevated privileges to perform the following actions:

  • Read log sources from local or remote sources
  • Monitor registry integrity
  • Execute Data Loss Defender functions
  • Monitor processes
  • Monitor network connections
  • Monitor user activity
  • Perform File Integrity Monitoring (FIM)
  • Execute database queries to generate logs
  • Capture SNMP traps
  • Execute SmartResponses locally

Shared Resources

ReadWriteRead & ExecuteModifyFull ControlChildren Inherent
<LogRhythm Installation Directory Path>\LogRhythm\LogRhythm System Monitor


Depending on which collection features are enabled, the Agent may need read access to additional directories. See the Other Resources item later in this section for specifics.

Registry Access

Read ControlWrite OwnerWrite DACDeleteCreate LinkEnumerate SubkeysSet ValueQuery ValueFull ControlChildren Inherent
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\LogRhythm System MonitorXXXXXXXX

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Perflib


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR DataX

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR NetworkingX

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for OracleX

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for SqlServerX


If Registry Integrity Monitoring is enabled, additional permissions will be required (see the Other Resources item later in this section).

Database Access

An Agent does not require any access to any LogRhythm database. All database communications are handled by the associated Data Processor Mediator service.


Windows Agent ports can be configured in the Deployment Manager.

  1. Click the System Monitors tab.
  2. Select and right-click the specific Agent, and then click Properties.

    Ports can be found in the Advanced settings, the Data Processor Settings, or the SNMP Trap Receiver tabs.

PortDefault PortInbound/OutboundPurpose
Agent Port3333Outbound to MediatorPort used to send logs to Mediator
MediatorPort*40000Outbound to MediatorData Processor communication port in unidirectional mode (if configured)
NetflowServerPort*5500Inbound from IPFIX/NetFlow/J-FlowInbound from IPFIX/NetFlow/J-Flow
SFlowServerUDPPort6343InboundReceiver for NetFlow UDB packets (if configured)
SecureSyslogPort*6514Inbound from remote sourcesReceiver for secure syslog TCP communications (if configured)
SyslogTCPPort*514InboundReceiver for non-secure syslog TCP packets (if configured)
SyslogUDPPort*514InboundReceiver for non-secure syslog UDP packets (if configured)
SNMP Trap*161InboundReceiver for SNMP logs (if configured)
Remote Windows Events*135,137, 138, 139, 445BidirectionalRemote Windows Host Event Log collection (if configured)
UDLA*Varies by vendor (1433 for SQL Server)BidirectionalDatabase query port (varies by database type)
Check Point Firewall*18184BidirectionalLog collection from Check Point firewalls
Cisco IDS*443BidirectionalLog collection from Cisco IDS
Nessus*8843BidirectionalLog collection from Nessus servers
Qualys*443BidirectionalLog collection from Qualys servers
Metasploit*3790BidirectionalLog collection from Metasploit
Nexpose*3780BidirectionalLog collection from NeXpose
Retina*1433BidirectionalLog collection from Retina
eStreamer*4444BidirectionalLog collection from eStreamer
IP360443BidirectionalLog collection from IP360

* If port is configured

Other Resources

The Agents can connect to and/or read from a variety of third-party log sources. Depending on the log source, additional security permissions may be required for the Agent’s user context, or on the third-party system.

Log Collection InterfacePermissions
Flat File Log CollectionRead permissions to target directories/files
Windows Event Log Collection

Agent account must be a member of Event Log Readers on target system AND Windows Firewall rules must be enabled for:

  • Remote Event Log Management (NP-In)
  • Remote Event Log Management (RPC)
  • Remote Event Log Management (RPC-EPMAP)
Remote Windows Event Log CollectionSame as above, only on target remote machine
Integrated UDP Syslog ServerPort only
Integrated TCP Syslog ServerPort only
Integrated Secure Syslog ServerPort only
Integrated NetFlow/J-Flow ServerPort only
Integrated IPFIX ServerPort only
Integrated sFlow ServerPort only
Integrated SNMP Trap ReceiverPort only
Remote Checkpoint Firewall Log Collection (via LEA)Checkpoint API permissions
Remote Cisco IDS Log Collection (via SDEE)SDEE API permissions
Remote Database Log Collection (UDLA)A database account with read permissions to target tables
System Performance MonitoringAccount must be member of Performance Log users, Performance Monitor Users, and Event Log Readers groups
Data Loss DefenderAgent account needs device control (ioctl) on local system
File Integrity MonitoringRead permissions to target directories/files
Real Time File Integrity MonitoringRead permissions to target directories/files
Realtime Registry Integrity MonitoringRead permissions for target registry keys
User Activity MonitoringRead permissions for registry keys related to users
Process MonitorLocal system access
Network Connection MonitorLocal system access
Qualys IntegrationQualys API permissions
Nessus IntegrationNessus API permissions
NeXpose IntegrationNeXpose API permissions
Metasploit IntegrationMetasploit API permissions
Retina IntegrationRetina API permissions
eStreamer IntegrationeStreamer API permissions
IP360IP360 API permissions

SmartResponse plug-ins are executed from either the ARM or the Windows Agent. In both cases, the SmartResponse runs under the context of the ARM service account. These plug-ins may include privilege escalation, impersonation, or alternate logins. Carefully review the SmartResponse actions you use to determine if any extra privileges are require—or exposed—by the SmartResponse.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.