Performance Counters—LR System Monitor

  • Service name. LogRhythm System Monitor Service (scsm)
  • Runs on. See the LogRhythm Compatibility and System Monitor Functionality Guide
  • Performance Object. LogRhythm System Monitor
Performance Counter

Checkpoint Log Count

The number of Check Point firewall logs processed.

Checkpoint Logs Processed / Sec

The number of Check Point logs processed per second.

Log Data Queue Size (Kbytes)

The size (KB) of the log data currently held in the scsm service’s log data memory queue.

Log Source Virtualization Active Rules

Total number of rules for LSV sources configured on the Agent.

Log Source Virtualization Matched/Sec

Rate of logs that matched an LSV rule.

Log Source Virtualization Messages Matched

Total number of logs that matched an LSV rule.

Log Source Virtualization Messages Parsed

Total number of logs parsed by the LSV processor.

Log Source Virtualization Parsed/Sec

Rate of logs parsed by the LSV processor.

Log Source Virtualization Sources

Total number of sources configured with LSV on the Agent.

Logs Flushed In Session

The total number of logs flushed in this session by the scsm service and sent to the Data Processors since it was last started.

Netflow Packets Received

The total number of Netflow packets received by the scsm service since it was last started.

Netflow Packets Received / Sec

The number of NetFlow packets received per second by the scsm service.

Netflow Suspense File Count

Total number of NetFlow suspense files created.

Netflow Suspense Session Log Count

Total number of NetFlow logs added to the suspense file in the current session.

Number of Filtered Log Messages

Total number of filtered messages from LSV sources configured on the Agent.

Number of Filtered Log Messages/Sec

Rate of filtered messages from LSV sources configured on the Agent.

Rate Logs Flushed / Sec

The number of logs flushed to the Data Processor per second by scsm service.

sFlow Suspense File Count

Total number of sFlow suspense files created.

sFlow Suspense Session Log Count

Total number of sFlow logs added to the suspense file in the current session.

SNMP Suspense File Count

Total number of SNMP suspense files created.

SNMP Suspense Session Log Count

Total number of SNMP logs added to the suspense file in the current session.

Syslog Suspense File Count

Total number of Syslog suspense files created.

Syslog Suspense Session Log Count

Total number of Syslog logs added to the suspense file in the current session.

Syslog TCP Messages Received

The total number of Syslog TCP messages received.

Syslog TCP Messages Received / Sec

The number of Syslog TCP messages received per second.

Syslog UDP Messages Received

The total number of Syslog UDP messages received.

Syslog UDP Messages Received / Sec

The number of Syslog UDP messages received per second.

If no activity occurs when expected in the System Monitor Agent performance counters listed below:

  • Ensure the configuration is correct.
  • Check the LogRhythm dashboard for any error or warning events pertaining to the scsm service or the system where the agent is hosted.
  • Check the local scsm.log file for any related error messages.

To investigate performance of the scsm service, add the following performance counters to a perfmon console:

  • Check Point Logs Processed / Sec. Should show activity when receiving logs from a Check Point firewall if the LogRhythm agent is configured to collect them. If you observe no activity in the counter for extended periods, follow the guidelines listed at the top of this section.
  • NetFlow Packets Received / Sec. Should show activity when receiving NetFlow packets if the LogRhythm agent is configured to collect them. If you have the agent configured to receive NetFlow but observe no activity in this counter for extended periods, follow the guidelines listed at the top of this section.
  • Rate Logs Flushed / Sec. Should show periodic activity when the agent sends log data to a Data Processor. In general, log data is sent to the Data Processor after each log data source is read.
  • Syslog Messages Received and Syslog Messages Received / Sec. Should show activity when receiving syslog logs if the LogRhythm agent is configured to collect them. If you observe no activity in the counter for extended periods, follow the guidelines listed at the top of this section.
  • SyslogNG Messages Received and SyslogNG Messages Received / Sec. Should show activity when receiving syslog logs if the LogRhythm agent is configured to collect them via a relay host. If you have the agent configured to receive syslog, but observe no activity in this counter for extended periods, follow the guidelines listed at the top of this section.
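
The same check can be scripted on the agent host instead of watching a perfmon graph. The following PowerShell is an added example, not LogRhythm-supplied code: it samples the rate counters for a fixed window and flags any that never rise above zero. It assumes the counter names are spelled exactly as in the table above and that the LogRhythm System Monitor performance object is single-instance; the parameter names and default window are illustrative.

```powershell
# Added example: sample scsm rate counters and flag the ones that stay idle.
# Assumptions: counter names match the table on this page exactly, and the
# "LogRhythm System Monitor" object has no per-instance counters.
param(
    [int]$SampleIntervalSec = 5,
    [int]$MaxSamples        = 60   # 60 x 5 s = 5 minutes of observation
)

$object   = 'LogRhythm System Monitor'
$counters = @(
    'Checkpoint Logs Processed / Sec',
    'Netflow Packets Received / Sec',
    'Rate Logs Flushed / Sec',
    'Syslog TCP Messages Received / Sec',
    'Syslog UDP Messages Received / Sec'
)
# Build full counter paths, e.g. \LogRhythm System Monitor\Rate Logs Flushed / Sec
$paths = $counters | ForEach-Object { "\$object\$_" }

try {
    $samples = Get-Counter -Counter $paths -SampleInterval $SampleIntervalSec `
                           -MaxSamples $MaxSamples -ErrorAction Stop
} catch {
    Write-Error "Could not read scsm counters (is the agent installed on this host?): $_"
    return
}

# One row per counter: how many samples showed activity, and the peak rate seen.
$report = $samples.CounterSamples | Group-Object Path | ForEach-Object {
    $values = @($_.Group.CookedValue)
    $active = @($values | Where-Object { $_ -gt 0 })
    [pscustomobject]@{
        Counter       = ($_.Name -split '\\')[-1]
        Samples       = $values.Count
        ActiveSamples = $active.Count
        Peak          = ($values | Measure-Object -Maximum).Maximum
        Idle          = ($active.Count -eq 0)
    }
}
$report | Sort-Object Counter | Format-Table -AutoSize

# Idle is only a problem for sources the agent is actually configured to collect.
$report | Where-Object Idle | ForEach-Object {
    Write-Warning ("No activity on '{0}' for {1} s. If this source is configured, check the agent configuration, dashboard events for scsm, and scsm.log." -f $_.Counter, ($SampleIntervalSec * $MaxSamples))
}
```

Rate Logs Flushed / Sec is expected to be bursty, so choose a window longer than the slowest log source's read interval before treating an idle result as a fault.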
