Change Syslog Parameters
- Open the NetMon Web Management interface.
- Click Configuration. The Syslog tab is selected by default.
- To see the default values for each field, click the Show Defaults button in the upper-right corner of the screen.
Change any of the parameters, as described in the following table:
Syslog Configuration
Syslog Type
To enable NetMon to send Syslog output, select one of the following:
- UDP. Messages are sent in plaintext over User Datagram Protocol. Delivery is not acknowledged, so messages can be silently dropped under load.
- TCP. Messages are sent in plaintext over Transmission Control Protocol. If your system is integrated with the LogRhythm SIEM, TCP is recommended because it provides reliable, ordered delivery ("lossless"), so messages are not silently dropped.
- SecureTCP. Messages are sent over Transmission Control Protocol with the transmission encrypted and the endpoints authenticated by certificates. This option requires a peer common name, a CA certificate, a machine certificate, and a machine key (see the fields below).
UDP and TCP provide neither confidentiality nor authentication: anyone on the network path can read the messages or inject forged ones. Use SecureTCP whenever the path to the receiver is not trusted.
Make sure that the Agent receiving data over Syslog uses the same protocol and port set here. Keep this setting enabled unless NetMon is running as a stand-alone system that does not integrate with another system.
If you are using NetMon as a stand-alone system, see the Stand-Alone NetMon Syslog Parsing section of the appendix for guidance on how to compare and parse log messages using NetMon's Syslog parsing regex. That section also explains how to expose useful information in log messages, including the type of message being sent and any known application detected in the message flow.
Syslog Receiver
Defines the IP address of the LogRhythm Agent (or another Syslog receiver) that collects the NetMon Syslog output.
Syslog Port
Defines the port on which the LogRhythm Agent (or another Syslog receiver) listens. The default is port 514; it can be changed to port 601 or to any port higher than 1000. The receiver must be configured to listen on the same port.
Syslog Max Line Length
Defines the maximum length of a single Syslog message line. The value cannot exceed 2000, but you can lower it if necessary. When a message exceeds the limit, it is split into multiple messages that share the same sessionId, so a receiver that needs the whole message must regroup the fragments by sessionId.
Password Scrubbing
Masks unencrypted passwords in NetMon data, replacing them with asterisks. Leave this setting ON so that NetMon neither stores nor displays cleartext passwords observed on the wire.
Forward All Supported Data
Controls which data is forwarded over SmartFlow (Syslog) to LogRhythm Enterprise. Keep this setting OFF (default) to send only alerts and diagnostics. Turn it ON to forward general flow data for all observed sessions, including intermediate flow updates in addition to end-of-flow messages. This can result in a very large number of messages per second, so make sure the receiving Agent and the network path can absorb the volume.
No actual customer data is sent to LogRhythm. Metadata is used to help guide NetMon development efforts and upgrade schedules.
Forward Replayed Traffic
Controls whether replayed PCAPs, including alarms generated by that traffic, are forwarded over SmartFlow (Syslog) to LogRhythm Enterprise. Keep this setting OFF (default) to exclude replayed traffic from SmartFlow. Turn it ON to include replayed traffic.
Heartbeat Report Time
Defines the interval (in seconds) at which NetMon sends a heartbeat message over Syslog. The LogRhythm SIEM uses the heartbeat to show NetMon's status in the LogRhythm Client Console's Deployment Manager. If heartbeats stop arriving, check both NetMon and the Syslog path to the Agent.
Peer Common Name
Defines the common name (CN) that NetMon expects to find in the Syslog receiver's certificate when it connects over SecureTCP. Type the peer common name in the text box. NetMon uses it to verify that the receiver's certificate belongs to the intended peer, not merely to some certificate the CA issued. Required if you are using SecureTCP.
CA Certificate
Machine Certificate
Machine Key
Certificates required for SecureTCP: the CA certificate NetMon uses to verify the receiver's certificate, and the machine certificate and machine key that identify this NetMon to the receiver. Click each field to upload the corresponding file. All three are required if you are using SecureTCP. Protect the machine key; anyone holding it can impersonate this NetMon to the receiver.
When you are done, click Apply Changes.
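The Syslog Max Line Length field states that an over-long message is split into several messages sharing one sessionId, which means a stand-alone receiver has to regroup fragments before it can parse them. The following is an added example (not NetMon or LogRhythm Agent code) of both sides of that: a splitter that respects the 2000-character ceiling and a receiver that reassembles fragments that arrive out of order or interleaved with other sessions. The fragment framing (`sessionId=<id> part=<nnn>/<total> `) and the sample records are assumptions made for illustration; NetMon's actual wire format is not documented on this page.

```python
"""Split and reassemble Syslog payloads around the Syslog Max Line Length limit.

Added example; not NetMon or LogRhythm Agent code. NetMon documents only that an
over-long message is split into several messages sharing one sessionId, so the
framing used here is an assumption: every fragment is prefixed with
"sessionId=<id> part=<nnn>/<total> " and the receiver regroups by sessionId.
"""
import json
import re
from collections import defaultdict

MAX_LINE_LENGTH = 2000  # the largest value the Syslog Max Line Length field accepts

FRAME_RE = re.compile(r"^sessionId=(\S+) part=(\d+)/(\d+) (.*)$", re.S)


def frame_header(session_id: str, part: int, total: int) -> str:
    """Fixed-width header so every fragment of a session has the same header length."""
    return f"sessionId={session_id} part={part:03d}/{total:03d} "


def split_message(session_id: str, payload: str, max_len: int = MAX_LINE_LENGTH) -> list:
    """Return one or more lines, each at most max_len characters, tagged with session_id."""
    if not 1 <= max_len <= MAX_LINE_LENGTH:
        raise ValueError(f"max_len must be between 1 and {MAX_LINE_LENGTH}")
    room = max_len - len(frame_header(session_id, 1, 1))
    if room <= 0:
        raise ValueError("max_len leaves no room for payload after the frame header")
    chunks = [payload[i:i + room] for i in range(0, len(payload), room)] or [""]
    if len(chunks) > 999:
        raise ValueError("payload would need more than 999 fragments")
    total = len(chunks)
    return [frame_header(session_id, n, total) + chunk for n, chunk in enumerate(chunks, 1)]


class Reassembler:
    """Collect fragments per sessionId and hand back each payload once it is complete."""

    def __init__(self):
        self._chunks = defaultdict(dict)  # sessionId -> {part number: chunk}
        self._totals = {}                 # sessionId -> expected part count

    def feed(self, line: str):
        """Consume one Syslog line. Returns (sessionId, payload) when a message
        completes, otherwise None. Fragments may arrive in any order and may be
        interleaved with fragments of other sessions."""
        match = FRAME_RE.match(line)
        if not match:
            raise ValueError(f"line is not framed as expected: {line[:40]!r}")
        sid, part, total, chunk = match.group(1), int(match.group(2)), int(match.group(3)), match.group(4)
        if not 1 <= part <= total:
            raise ValueError(f"part {part}/{total} out of range for sessionId {sid}")
        if self._totals.setdefault(sid, total) != total:
            raise ValueError(f"fragments of sessionId {sid} disagree on part count")
        self._chunks[sid][part] = chunk
        if len(self._chunks[sid]) < total:   # duplicates do not count twice
            return None
        parts = self._chunks.pop(sid)
        self._totals.pop(sid)
        return sid, "".join(parts[n] for n in range(1, total + 1))


def roundtrip_interleaved(messages: dict, max_len: int) -> dict:
    """Split every message, deliver the fragments round-robin across sessions (as a
    busy sensor would emit them) and return what the receiver reassembled."""
    fragments = [split_message(sid, body, max_len) for sid, body in messages.items()]
    receiver, rebuilt = Reassembler(), {}
    for i in range(max(len(f) for f in fragments)):
        for frags in fragments:
            if i < len(frags):
                done = receiver.feed(frags[i])
                if done is not None:
                    rebuilt[done[0]] = done[1]
    return rebuilt


# Constructed sample records (not real NetMon output): one long enough to be split
# at a deliberately small limit, one that fits in a single line.
SAMPLE_MESSAGES = {
    "7c1d2e": json.dumps({"sessionId": "7c1d2e", "application": "http", "bytes": 481920,
                          "uri": "/download/" + "a" * 160}),
    "9b4f00": json.dumps({"sessionId": "9b4f00", "application": "dns", "bytes": 87}),
}

if __name__ == "__main__":
    for line in split_message("7c1d2e", SAMPLE_MESSAGES["7c1d2e"], max_len=120):
        print(len(line), line[:60] + "...")
    print(roundtrip_interleaved(SAMPLE_MESSAGES, max_len=120) == SAMPLE_MESSAGES)
```

The receiver only emits a payload once every numbered part is present, so a duplicated or missing fragment can never produce a truncated record that a downstream parser would misread.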
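The Password Scrubbing setting masks cleartext passwords with asterisks before NetMon stores or displays them. As an added illustration of that technique (this is not NetMon's scrubber), the following Python finds credential fields in a few cleartext protocol fragments and replaces only the secret, keeping the field name so the event remains useful. The field patterns (form-encoded and JSON bodies, HTTP Basic Authorization headers, FTP/POP3 PASS commands) and the sample captures are assumptions constructed for the example.

```python
"""Mask plaintext credentials before events are stored or forwarded.

Added example; not NetMon's scrubber. It shows the technique the Password
Scrubbing setting applies: find credential fields in cleartext protocol data
and replace the secret with asterisks while keeping the field name, so the
event stays useful for analysis. The patterns are assumptions chosen for
illustration: form-encoded and JSON bodies, HTTP Basic Authorization headers,
and FTP/POP3 PASS commands.
"""
import base64
import re

# A fixed-width mask: a length-preserving mask would leak the password length.
MASK = "********"

# Each pattern names the secret in group "secret"; everything else is kept.
PATTERNS = [
    # key=value bodies and query strings: password=, passwd=, pass=, pwd=
    re.compile(r"(?i)(?P<key>\b(?:pass(?:word|wd)?|pwd)=)(?P<secret>[^&\s]*)"),
    # JSON bodies: "password": "..."  (handles escaped quotes inside the value)
    re.compile(r'(?i)(?P<key>"(?:pass(?:word|wd)?|pwd)"\s*:\s*")(?P<secret>(?:\\.|[^"\\])*)'),
    # FTP and POP3: PASS <secret>  (commands are case-insensitive)
    re.compile(r"(?im)(?P<key>^PASS )(?P<secret>[^\r\n]*)"),
]
BASIC_RE = re.compile(r"(?i)(?P<key>Authorization:\s*Basic\s+)(?P<secret>[A-Za-z0-9+/=]+)")


def _scrub_basic(match) -> str:
    """Re-encode user:password with the password masked so the user name survives."""
    token = match.group("secret")
    try:
        user, _, _password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return match.group("key") + MASK  # not user:password as expected; hide all of it
    return match.group("key") + base64.b64encode(f"{user}:{MASK}".encode()).decode()


def scrub(text: str) -> str:
    """Return text with every recognised password replaced by MASK."""
    for pattern in PATTERNS:
        text = pattern.sub(lambda m: m.group("key") + MASK, text)
    return BASIC_RE.sub(_scrub_basic, text)


# Constructed samples (not real captures).
SAMPLE_BASIC_TOKEN = base64.b64encode(b"alice:Sup3rSecret!").decode()
SAMPLE_HTTP_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    f"Authorization: Basic {SAMPLE_BASIC_TOKEN}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=alice&password=Sup3rSecret!&remember=1"
)
SAMPLE_FTP = "USER bob\r\nPASS hunter2\r\nCWD /upload\r\n"
SAMPLE_JSON = '{"user": "carol", "password": "p@ss\\"word", "ttl": 300}'

if __name__ == "__main__":
    for sample in (SAMPLE_HTTP_POST, SAMPLE_FTP, SAMPLE_JSON):
        print(scrub(sample))
        print("-" * 40)
```

A Basic Authorization header is the case people forget: the password is only base64-encoded, so the scrubber decodes it, masks the password part and re-encodes, which keeps the user name available to analysts while the credential is gone from storage.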
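The SecureTCP fields (Peer Common Name, CA Certificate, Machine Certificate, Machine Key) describe NetMon as a mutually authenticated TLS client. For a stand-alone deployment you need the matching receiver, so here is an added example (not LogRhythm Agent code) of that side in Python: it presents its own certificate, whose CN must equal the Peer Common Name configured in NetMon, requires and verifies NetMon's machine certificate against the CA, and additionally pins the client's CN so that only one sensor can deliver. The file paths, bind address, port (6514, an arbitrary choice above 1000) and expected CN are assumptions.

```python
"""Receiver-side TLS setup for NetMon's SecureTCP output.

Added example; not LogRhythm Agent code. NetMon's SecureTCP fields describe a
mutually authenticated TLS client: the CA certificate validates the receiver's
certificate, Peer Common Name is the CN NetMon expects on that certificate, and
the machine certificate and key identify NetMon to the receiver. This is the
matching stand-alone receiver. File paths, bind address, port and expected CN
are assumptions.
"""
import socket
import ssl


def peer_common_name(cert: dict):
    """Return the subject CN from the dict that ssl.SSLSocket.getpeercert() returns,
    or None when the certificate has no commonName."""
    for rdn in cert.get("subject", ()):
        for name, value in rdn:
            if name == "commonName":
                return value
    return None


def check_peer(cert: dict, expected_cn: str) -> bool:
    """Accept only a chain-validated certificate that also names the expected peer.
    Chain validation alone accepts every certificate the CA ever issued; pinning
    the CN ties the connection to one specific NetMon."""
    return bool(cert) and peer_common_name(cert) == expected_cn


def build_server_context(ca_file: str, cert_file: str, key_file: str) -> ssl.SSLContext:
    """TLS 1.2+ server context that demands and verifies a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # receiver identity; CN = NetMon's Peer Common Name
    ctx.load_verify_locations(cafile=ca_file)                  # CA that issued NetMon's machine certificate
    ctx.verify_mode = ssl.CERT_REQUIRED                        # connections without a valid client cert fail
    return ctx


def serve(ca_file="ca.pem", cert_file="receiver.pem", key_file="receiver.key",
          bind=("0.0.0.0", 6514), expected_cn="netmon01.example.internal"):
    """Accept SecureTCP connections and print each Syslog line from the pinned peer."""
    ctx = build_server_context(ca_file, cert_file, key_file)
    with socket.create_server(bind) as listener:
        while True:
            raw, addr = listener.accept()
            try:
                tls = ctx.wrap_socket(raw, server_side=True)  # handshake; verifies the chain
            except ssl.SSLError as exc:
                print(f"rejected {addr[0]}: {exc}")
                raw.close()
                continue
            with tls:
                if not check_peer(tls.getpeercert(), expected_cn):
                    print(f"rejected {addr[0]}: certificate CN is not {expected_cn}")
                    continue
                for line in tls.makefile("r", encoding="utf-8", errors="replace"):
                    print(line.rstrip("\r\n"))


if __name__ == "__main__":
    serve()
```

Note the two separate checks: the handshake (`CERT_REQUIRED` plus the CA file) proves the client holds a key the CA vouched for, and `check_peer` then proves it is the particular NetMon you meant, which is the receiver-side mirror of what NetMon's own Peer Common Name field does for the receiver's certificate.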