Skip to main content
Skip table of contents

Change Syslog Parameters

  1. Open the NetMon Web Management interface.
  2. On the top navigation bar, click Configuration.
    The Syslog tab should be selected by default.
  3. To see default values for each field, click the Show Defaults button in the upper-right corner of the screen.
  4. Change any of the parameters, as described in the following table:

    Syslog Configuration

    Syslog Type

    To enable NetMon to send Syslog data output, select one of the following:

    • UDP. Messages sent insecure over User Datagram Protocol.
    • TCP. Messages sent insecure over Transmission Control Protocol. If your system is integrated with the LogRhythm SIEM, it is recommended that you set it to TCP, because TCP is a "lossless" protocol.
    • SecureTCP. Messages sent secure over Transmission Control Protocol. Transmission is encrypted and requires a peer common name, CA certificate, machine certificate, and machine key.

    Make sure that the Agent receiving data over Syslog also uses the same protocol set here. Keep this setting enabled unless NetMon is running as a stand-alone system that does not integrate with another system.

    If you are using NetMon as a stand-alone system, see the Stand-Alone NetMon Syslog Parsing section of the appendix for guidance on how to compare and parse log messages using NetMon's Syslog parsing regex. This section also provides guidance on how to help expose useful information in log messages, including the type of message being sent and any known application detected in the message flow.

    Syslog Receiver

    Defines the IP address of the LogRhythm Agent (or another Syslog receiver) that collects the NetMon Syslog output.

    Syslog Port

    Defines the port that the LogRhythm Agent (or another Syslog receiver) is listening to. The default is port 514, but this can be changed to port 601 or to any port higher than 1000.

    Syslog Max Line Length

    Defines the maximum, single-message line length for the Syslog protocol. This number cannot be higher than 2000, but you can adjust it to a lower number if necessary. When a message exceeds the specified limit, the message is split into multiple messages with the same sessionId.

    Password Scrubbing

    Masks unencrypted password information from NetMon data and replaces the passwords with asterisks. Leave this setting ON so that NetMon does not store or display unencrypted passwords.

    Forward All Supported Data

    Restricts which data is forwarded over SmartFlow (Syslog) to LogRhythm Enterprise. Keep this setting OFF (default) to send only alerts and diagnostics. Turn this setting ON to allow NetMon to forward general flow data for all seen sessions, including intermediate flow updates of end-of-flow messages.

    This can result in a very large number of messages per second.

    No actual customer data is sent to LogRhythm. Metadata is used to help guide NetMon development efforts and upgrade schedule.

    Forward Replayed Traffic

    Controls whether replayed PCAPs, including alarms generated by that traffic, are forwarded over SmartFlow (Syslog) to LogRhythm Enterprise. Keep this setting OFF (default) to exclude replayed traffic from SmartFlow. Turn this setting ON to include replayed traffic.

    Heartbeat Report Time

    Defines the time interval (in seconds) at which a heartbeat signal is sent over Syslog. The heartbeat is consumed by the LogRhythm SIEM for status indication within the LogRhythm Client Console's Deployment Manager.

    Peer Common Name

    Defines the peer common name for SecureTCP. Type a peer common name in the text box.

    If you are using SecureTCP, this option is required.

    CA Certificate

    Machine Certificate

    Machine Key

    Certificates required for SecureTCP. Click to upload a CA certificate, machine certificate, and machine key.

    If you are using SecureTCP, this option is required.
  5. When you are done, click Apply Changes.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.