|Software Component||System Monitor (SysMon)|
LogRhythm 7.9.0 GA
Microsoft .NET Framework 4.7.2
System Monitor v7.9.0.x (both Windows and *NIX) is incompatible with SIEM v7.8.
In order to upgrade to System Monitor 7.9, you must first upgrade LogRhythm SIEM to 7.9.
For more information on LogRhythm SIEM version 7.9, see Enterprise SIEM 7.9 Release Notes.
LogRhythm System Monitor Agents for Windows require the Microsoft .NET Framework 4.7.2.
- Before upgrading your System Monitor Agent, confirm that .NET Framework 4.7.2 is installed.
- For information on determining which .NET version is installed, see https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
- If necessary, install .NET Framework 4.7.2 and reboot your system. Because of the required reboot, we recommend that you perform this installation during off-peak hours.
No new features in this release.
No new improvements in this release.
LogRhythm has deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 22.214.171.12404 and results in an error in the scsm.log file if this collection method is used. Customers who need to use OPSEC LEA for collection should not upgrade agents past System Monitor 126.96.36.19902 release. For information on how to configure Check Point Log exporter, see Syslog - Check Point Log Exporter device configuration guide.
Salesforce Case ID
Found in Version
|188.8.131.52.4.6||Remote log collection is no longer disrupted after upgrading the Windows Operating System on a remote host.|
|DE11686||400302||184.108.40.20630||Log messages are no longer cut off in certain situations.|
|220.127.116.1101||Upgrading the System Monitor Agent no longer changes collection behavior.|
|DE14622||424679||18.104.22.16800||Gigamon/IPFIX no longer produces an "out of range" error in certain situations.|
|DE14628||434721||22.214.171.124||Unix timestamps are now correctly parsed for Flat File log sources.|
|DE15069||427612||7.4.10||Multiple System Monitor instances will no longer spawn when working with AIX servers.|
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view on the Community.
Found In Version
|DE3641||7.4.7||Windows Agent||When a remote Agent is connected to the Mediator via VPN and the VPN gets refreshed, some users may experience connection issues with the Agent and receive errors indicating the position files are being used by another process|
Expected Results: There should be no issues with the position file when collecting logs from a remote Agent.
Workaround: While there is no workaround for this issue, we are actively investigating a solution.
If a Log Source Virtualization (LSV) regex is greater than 1024 characters, the System Monitor will crash and disrupt log collection. Customers may receive several errors, including:
**WARNING** Configuration property length is greater than the maximum allowed, truncating to the maximum length.
Expected results: The Client Console should not allow a regex greater than 1024 characters since that is the limit on the System Monitor.
Workaround: If you experience this issue, contact your support team to assist in changing the LSV regex limit in the Client Console.
|DE6166||7.3.4||Windows Agent, Database scripts||The Syslog Agent default regex does not match some log source types that explicitly differentiate the year. This mismatch causes inaccurate parsing for Normal Message Date and Host ID on some log sources, resulting in the date of collection being substituted instead. To date, we have seen this in the most recent Aruba Wireless Access Point and Palo Alto log source types.|
Expected Results: The Agent should assign date and time based on date-time in the raw log for date formats that explicitly define the year.
Workaround: While there is no workaround for this issue, we are actively investigating and will provide a fix in an upcoming release. If you experience this issue, contact your support team to assist in providing some regex that may help.
|DE7241||7.2.5||Windows Agent||When collecting sFlow Expanded Flow Format logs, warnings are constantly written to the System Monitor log file.|
Expected Results: The System Monitor Agent should collect this log format without producing warnings in the log file.
Workaround: The System Monitor Agent does not support sFlow Expanded Flow Format. You must convert these logs to NetFlow to collect the data. There is a Golden Nugget posted to LogRhythm Community that shows you how to convert from sFlow Expanded Flow to NetFlow. You can find it on the Community here: https://community.logrhythm.com/t5/Golden-nuggets/LogRhythm-Golden-Nugget-Use-Case-sFlow-Expanded-Flow-Format-No/m-p/109276.
When setting up log collection on AWS CloudTrail S3 and trying to establish a trust relationship for the SSL/TLS secure channel, customers may receive the following error exception message:
**ERROR** Exception msg: A WebException with status TrustFailure was thrown.
Expected Results: Customers should be able to configure CloudTrail S3 log collection without errors.
Workaround: Use Open Collector to collect from CloudTrail S3 log sources or suppress the trust check.
When collecting logs from AWS S3 buckets that contain a large number of folders, logs may back up at the Agent and never get forwarded to the Data Processor.
Expected Results: The Agent should collect and forward logs without backing up.
Workaround: While there is no workaround for this issue, we are investigating an option for a future release that would allow customers to start log collection from a specified date to prevent log collection issues.
|DE12214||7.4.x, 7.5.x||*NIX Agent|
When using compression with *NIX agents, customers may receive the following decompression errors in the Mediator logs:
***ERROR*** Failed to decompress log data message: Expected end of stream not found
Expected Results: When customers use compression with any agent version, compressed files should decompress without errors.
Workaround: Turn off compression on any agents that are generating errors in the Mediator logs.
|DE12516||7.6.0||*NIX Agent||When using File Integrity Monitoring (FIM) or Realtime File Integrity Monitoring (RTFIM) in the 7.6.x System Monitor on RedHat Enterprise Linux (RHEL) 7, the agent may fail with a "segmentation fault" error message.|
Expected Results: FIM and RTFIM should work without error in RHEL 7.
Workaround: Disable FIM or RTFIM in the System Monitor settings.
|DE12546||7.6.0||Agent||When the Mediator is restarted, the System Monitor Performance Monitor Count for Agent Handles does not reset when the Exchange Msg Tracking Log Source is in use, with the agent installed on the Exchange Server for local collection.|
Expected Results: The agent handles count resets when the mediator restarts, and does not increase in size.
Workaround: Use a Windows task to restart the agent handles count on the server.
|DE13453||7.7.0||Agent License||SNMP Trap, sFlow, and Netflow collection requires a System Monitor Pro license.|
Expected Results: SNMP Trap, sFlow, and Netflow collection should be permitted with a System Monitor Collector license.
Workaround: Use a System Monitor Pro license to collect SNMP Traps, sFlow, Netflow.