Design LogRhythm Enterprise for NetMon

To integrate NetMon with LogRhythm Enterprise:

1. Enable the Syslog Agent:

   1. Log in to the LogRhythm Console.

   2. Open the Deployment Manager.

   3. Click the System Monitors tab.

   4. Double-click the Agent that will receive the Syslog output.

   5. On the Syslog and Flow Settings tab, select the Enable Syslog Server check box.

   6. Click the Advanced button, and then set the SyslogTCPPort to 514. Click OK.

   7. Click OK to close the System Monitor Agent Properties dialog box.

To set the Syslog port to something other than the default 514, see Set Syslog Port to Non-Default Value in LogRhythm Enterprise.

2. Verify that the Agent is receiving Syslog output:

   1. Click the Log Sources tab.

   2. Click the Refresh icon to refresh Log Sources.

   3. The Pending New Log Source appears with the Log Host Name of the NetMon server.

   4. Double-click the new Log Source.

   5. In the Log Source Acceptance Properties dialog box, change the Log Source Type to Syslog - LogRhythm Network Monitor.

   6. Select the Action check box, right-click the Log Source, click Actions, click Accept, and then click Defaults.

3. Make sure that log processing settings for NetMon’s Log Source type are set correctly:

   1. Click the Log Processing Policies tab.

   2. Under Log Source Type, search for "Network Monitor."

   3. Double-click the row for Syslog - LogRhythm Network Monitor.

   4. In the MPE Policy Editor dialog box, right-click anywhere in the Rules grid and click Check All.

   5. Right-click again, and then click Properties.

   6. Verify that Disable Automatic Host Contextualization is enabled (a black check mark should appear in the check box), as shown below. Also, verify that the Log should be forwarded as event check box is NOT selected. Click OK.