|System Monitor (SysMon)
LogRhythm 7.10.0 GA
LogRhythm 7.9.0 GA
Microsoft .NET Framework 4.7.2
LogRhythm System Monitor Agents for Windows require the Microsoft .NET Framework 4.7.2.
- Before upgrading your System Monitor Agent, confirm that .NET Framework 4.7.2 is installed.
- For information on determining which .NET version is installed, see https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
- If necessary, install .NET Framework 4.7.2 and reboot your system. Because of the required reboot, we recommend that you perform this installation during off-peak hours.
OAuth2.0 support has been added for Office 365 Message Tracking log collection. For more information on configuring the Office 365 Message Tracking log source, see API - Office 365 Message Tracking (Microsoft).
More information on the change from Basic Authentication to OAuth2.0 can be found at https://developer.microsoft.com/en-us/office/blogs/end-of-support-for-basic-authentication-access-to-exchange-online-apis-for-office-365-customers.
Upgrading to System Monitor version 126.96.36.19900 requires new fields to be added to previously configured Office 365 Message Tracking .ini files.
The following needs to be copied and pasted into existing .ini files, updating the Tenant ID, Client ID, and Client Secret as described in the API - Office 365 Message Tracking document. These fields are the OAuth2.0 replacement for the Basic Auth username and password fields.
# O365 Message Tracking Endpoint Hostname
# API details are available: https://msdn.microsoft.com/en-us/library/office/jj984335.aspx
# Tenant ID
# Client ID
# Must be encrypted using the lrcrypt command line utility.
# Client Secret
# Must be encrypted using the lrcrypt command line utility.
No new improvements in this release.
LogRhythm has deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 188.8.131.5204 and results in an error in the scsm.log file if this collection method is used. Customers who need to use OPSEC LEA for collection should not upgrade agents past System Monitor 184.108.40.20602 release. For information on how to configure Check Point Log exporter, see Syslog - Check Point Log Exporter device configuration guide.
Salesforce Case ID
Found in Version
|The AIX agent now correctly monitors symbolic links using the policy time.
|Using special characters in a connection string no longer causes an error in certain situations.
Resolved Issues - Security
No security-related resolved issues in this release.
Found In Version
|When a remote Agent is connected to the Mediator via VPN and the VPN gets refreshed, some users may experience connection issues with the Agent and receive errors indicating the position files are being used by another process
Expected Results: There should be no issues with the position file when collecting logs from a remote Agent.
Workaround: While there is no workaround for this issue, we are actively investigating a solution.
If a Log Source Virtualization (LSV) regex is greater than 1024 characters, the System Monitor will crash and disrupt log collection. Customers may receive several errors, including:
**WARNING** Configuration property length is greater than the maximum allowed, truncating to the maximum length.
Expected results: The Client Console should not allow a regex greater than 1024 characters since that is the limit on the System Monitor.
Workaround: If you experience this issue, contact your support team to assist in changing the LSV regex limit in the Client Console.
|Windows Agent, Database scripts
|The Syslog Agent default regex does not match some log source types that explicitly differentiate the year. This mismatch causes inaccurate parsing for Normal Message Date and Host ID on some log sources, resulting in the date of collection being substituted instead. To date, we have seen this in the most recent Aruba Wireless Access Point and Palo Alto log source types.
Expected Results: The Agent should assign date and time based on date-time in the raw log for date formats that explicitly define the year.
Workaround: While there is no workaround for this issue, we are actively investigating and will provide a fix in an upcoming release. If you experience this issue, contact your support team to assist in providing some regex that may help.
|When collecting sFlow Expanded Flow Format logs, warnings are constantly written to the System Monitor log file.
Expected Results: The System Monitor Agent should collect this log format without producing warnings in the log file.
Workaround: The System Monitor Agent does not support sFlow Expanded Flow Format. You must convert these logs to NetFlow to collect the data. There is a Golden Nugget posted to LogRhythm Community that shows you how to convert from sFlow Expanded Flow to NetFlow. You can find it on the Community here: https://community.logrhythm.com/t5/Golden-nuggets/LogRhythm-Golden-Nugget-Use-Case-sFlow-Expanded-Flow-Format-No/m-p/109276.
When setting up log collection on AWS CloudTrail S3 and trying to establish a trust relationship for the SSL/TLS secure channel, customers may receive the following error exception message:
**ERROR** Exception msg: A WebException with status TrustFailure was thrown.
Expected Results: Customers should be able to configure CloudTrail S3 log collection without errors.
Workaround: Use Open Collector to collect from CloudTrail S3 log sources or suppress the trust check.
|When using File Integrity Monitoring (FIM) or Realtime File Integrity Monitoring (RTFIM) in the 7.6.x System Monitor on RedHat Enterprise Linux (RHEL) 7, the agent may fail with a "segmentation fault" error message.
Expected Results: FIM and RTFIM should work without error in RHEL 7.
Workaround: Disable FIM or RTFIM in the System Monitor settings.
|When the Mediator is restarted, the System Monitor Performance Monitor Count for Agent Handles does not reset when the Exchange Msg Tracking Log Source is in use, with the agent installed on the Exchange Server for local collection.
Expected Results: The agent handles count resets when the mediator restarts, and does not increase in size.
Workaround: Use a Windows task to restart the agent handles count on the server.
|When enabling cleanup scripts for Mimecast collection, customers may receive tracking errors and collection may not be reliable.
Expected Results: Collection should be reliable during cleanup.
Workaround: There is no workaround for this issue.