Configure LogRhythm SIEM Syslog Integration
NetMon outputs a syslog feed of Alarms, Audit, and Flow Traffic Data to the LogRhythm SIEM (or any other SIEM which supports syslog).

To integrate NetMon with LogRhythm SIEM:

1. Enable Syslog on the collecting Agent:
   a. Log in to the LogRhythm Console.
   b. Open the Deployment Manager.
   c. Click the System Monitors tab.
   d. Double-click the Agent that will receive the Syslog output.
   e. On the Syslog and Flow Settings tab, select the Enable Syslog Server check box.
   f. Click the Advanced button, and then set the SyslogTCPPort to 514. Click OK.
   g. Click OK to close the System Monitor Agent Properties dialog box.

2. Configure NetMon to Output Syslog:
   a. Open the NetMon Web Management interface.
   b. On the top navigation bar, click Configuration, and then click the Syslog tab.
   c. In the Syslog Type field, select TCP or UDP.
   d. In the Syslog IP field, enter your System Monitor Agent's IP address.
   e. Click Apply Changes.

3. Verify that the Agent is receiving Syslog output:
   a. Click the Log Sources tab.
   b. Click the Refresh icon to refresh Log Sources.
   c. The Pending New Log Source appears with the Log Host Name of the NetMon server.
   d. Double-click the new Log Source.
   e. In the Log Source Acceptance Properties dialog box, change the Log Source Type to Syslog - LogRhythm Network Monitor.
   f. Select the Action check box, right-click the Log Source, click Actions, click Accept, and then click Custom.
   g. Select the "LogRhythm Default v2.0" Log Processing Policy and click OK.
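The procedure above wires a syslog sender (NetMon) to a syslog listener (the System Monitor Agent on TCP 514) and then checks that lines arrive. The following Python example, added here and not part of LogRhythm's or NetMon's own code, shows what that exchange looks like on the wire: it stands up a local listener in the Agent's role, sends RFC 3164-style lines over TCP (newline-framed) or UDP in NetMon's role, and parses the PRI header on the receiving side. The message text, hostname and application tag are constructed sample values, not NetMon's real output format, and the listener binds an ephemeral loopback port rather than 514 so it runs without privileges.

```python
import socket
import threading

# RFC 3164 facility and severity codes; PRI = facility * 8 + severity.
LOCAL0 = 16
SEV_ALERT = 1
SEV_INFO = 6


def build_syslog_line(facility, severity, timestamp, hostname, app, msg):
    """Format one RFC 3164-style line. The trailing newline is the
    non-transparent framing used when syslog is carried over TCP."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {app}: {msg}\n"


def parse_syslog_line(line):
    """Split a received line into (facility, severity, hostname, app, message).
    Raises ValueError when the PRI field is missing, which is what a collector
    sees when a non-syslog sender is pointed at the port."""
    line = line.rstrip("\n")
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI field")
    close = line.index(">")
    pri = int(line[1:close])
    rest = line[close + 1:]
    # RFC 3164 timestamp is fixed width: "Mmm dd hh:mm:ss" (15 chars) plus a space.
    header = rest[16:]
    hostname, tag_and_msg = header.split(" ", 1)
    app, msg = tag_and_msg.split(": ", 1)
    return pri // 8, pri % 8, hostname, app, msg


def _tcp_collector(server_sock, received):
    """Agent side: accept one connection, read until the sender closes,
    then split the byte stream on newlines back into individual lines."""
    conn, _ = server_sock.accept()
    buf = b""
    with conn:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
    received.extend(part + "\n" for part in buf.decode().split("\n") if part)


def exchange(lines, proto="TCP"):
    """Send the given syslog lines from a NetMon-role client to an
    Agent-role listener on loopback and return the lines that arrived."""
    received = []
    if proto == "TCP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))          # ephemeral port stands in for 514
        srv.listen(1)
        port = srv.getsockname()[1]
        worker = threading.Thread(target=_tcp_collector, args=(srv, received))
        worker.start()
        with socket.create_connection(("127.0.0.1", port)) as client:
            for line in lines:
                client.sendall(line.encode())
        worker.join(5)
        srv.close()
    elif proto == "UDP":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(5)
        port = srv.getsockname()[1]
        client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        for line in lines:
            client.sendto(line.encode(), ("127.0.0.1", port))
        for _ in lines:                     # one datagram per message, no framing needed
            data, _ = srv.recvfrom(4096)
            received.append(data.decode())
        client.close()
        srv.close()
    else:
        raise ValueError("proto must be TCP or UDP")
    return received


if __name__ == "__main__":
    # Constructed sample messages, not real NetMon output.
    sample = [
        build_syslog_line(LOCAL0, SEV_ALERT, "Mar 10 12:00:00", "netmon01", "NetMon", "Alarm: constructed sample"),
        build_syslog_line(LOCAL0, SEV_INFO, "Mar 10 12:00:01", "netmon01", "NetMon", "Audit: constructed sample"),
    ]
    for line in exchange(sample, "TCP"):
        print(parse_syslog_line(line))
```

When choosing between TCP and UDP in the Syslog Type field, note what the example makes visible: over UDP each message is its own datagram and a dropped datagram is silently lost, whereas over TCP the stream is newline-framed and delivery is acknowledged, so TCP is the safer choice for Alarm and Audit data you intend to rely on for investigation.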