|System Monitor (SysMon)
LogRhythm 7.9.0 GA
LogRhythm 7.8.0 GA
Microsoft .NET Framework 4.7.2
System Monitor v188.8.131.5201 (Windows) and v184.108.40.20600 (*NIX) are incompatible with SIEM v7.8.
In order to upgrade to System Monitor 220.127.116.1101 (Windows) or 18.104.22.16800 (*NIX), you must first upgrade LogRhythm SIEM to 7.9.
For more information on LogRhythm SIEM version 7.9, see Enterprise SIEM 7.9 Release Notes.
LogRhythm System Monitor Agents for Windows require the Microsoft .NET Framework 4.7.2.
- Before upgrading your System Monitor Agent, confirm that .NET Framework 4.7.2 is installed.
- For information on determining which .NET version is installed, see https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed.
- If necessary, install .NET Framework 4.7.2 and reboot your system. Because of the required reboot, we recommend that you perform this installation during off-peak hours.
The LogRhythm Open Collector now supports Linux System Monitor for log collection, starting with System Monitor version 22.214.171.12404.
Linux System Monitors do not support secure syslogs at this time. Collection of normal syslog data is supported as of version 126.96.36.19904.
Installing the SysMon agent on the same machine as the Open Collector is not supported. Collection is supported from another machine running Linux.
The System Monitor's performance has been enhanced when dealing with large batches of logs (between 1,000 and 10,000).
LogRhythm has deprecated Check Point collection via OPSEC LEA in favor of the newer Check Point Log Exporter. Support for OPSEC LEA was removed starting with LogRhythm System Monitor Collector version 188.8.131.5204 and results in an error in the scsm.log file if this collection method is used. Customers who need to use OPSEC LEA for collection should not upgrade agents past System Monitor 184.108.40.20602 release. For information on how to configure Check Point Log exporter, see Syslog - Check Point Log Exporter device configuration guide.
Salesforce Case ID
Found in Version
|Linux System Monitor agents will no longer produce an error in certain situations after enabling log source virtualization.
|The System Monitor Agent auto-update service now correctly downgrades versions as requested.
|Reading results from the InfluxDB on CentOS 7 builds no longer produces an error.
Resolved Issues - Security
No security-related issues in this release.
Found In Version
|When a remote Agent is connected to the Mediator via VPN and the VPN gets refreshed, some users may experience connection issues with the Agent and receive errors indicating the position files are being used by another process
Expected Results: There should be no issues with the position file when collecting logs from a remote Agent.
Workaround: While there is no workaround for this issue, we are actively investigating a solution.
If a Log Source Virtualization (LSV) regex is greater than 1024 characters, the System Monitor will crash and disrupt log collection. Customers may receive several errors, including:
**WARNING** Configuration property length is greater than the maximum allowed, truncating to the maximum length.
Expected results: The Client Console should not allow a regex greater than 1024 characters since that is the limit on the System Monitor.
Workaround: If you experience this issue, contact your support team to assist in changing the LSV regex limit in the Client Console.
|Windows Agent, Database scripts
|The Syslog Agent default regex does not match some log source types that explicitly differentiate the year. This mismatch causes inaccurate parsing for Normal Message Date and Host ID on some log sources, resulting in the date of collection being substituted instead. To date, we have seen this in the most recent Aruba Wireless Access Point and Palo Alto log source types.
Expected Results: The Agent should assign date and time based on date-time in the raw log for date formats that explicitly define the year.
Workaround: While there is no workaround for this issue, we are actively investigating and will provide a fix in an upcoming release. If you experience this issue, contact your support team to assist in providing some regex that may help.
|When collecting sFlow Expanded Flow Format logs, warnings are constantly written to the System Monitor log file.
Expected Results: The System Monitor Agent should collect this log format without producing warnings in the log file.
Workaround: The System Monitor Agent does not support sFlow Expanded Flow Format. You must convert these logs to NetFlow to collect the data. There is a Golden Nugget posted to LogRhythm Community that shows you how to convert from sFlow Expanded Flow to NetFlow. You can find it on the Community here: https://community.logrhythm.com/t5/Golden-nuggets/LogRhythm-Golden-Nugget-Use-Case-sFlow-Expanded-Flow-Format-No/m-p/109276.
When setting up log collection on AWS CloudTrail S3 and trying to establish a trust relationship for the SSL/TLS secure channel, customers may receive the following error exception message:
**ERROR** Exception msg: A WebException with status TrustFailure was thrown.
Expected Results: Customers should be able to configure CloudTrail S3 log collection without errors.
Workaround: Use Open Collector to collect from CloudTrail S3 log sources or suppress the trust check.
|When using File Integrity Monitoring (FIM) or Realtime File Integrity Monitoring (RTFIM) in the 7.6.x System Monitor on RedHat Enterprise Linux (RHEL) 7, the agent may fail with a "segmentation fault" error message.
Expected Results: FIM and RTFIM should work without error in RHEL 7.
Workaround: Disable FIM or RTFIM in the System Monitor settings.
|When the Mediator is restarted, the System Monitor Performance Monitor Count for Agent Handles does not reset when the Exchange Msg Tracking Log Source is in use, with the agent installed on the Exchange Server for local collection.
Expected Results: The agent handles count resets when the mediator restarts, and does not increase in size.
Workaround: Use a Windows task to restart the agent handles count on the server.
|SNMP Trap, sFlow, and Netflow collection requires a System Monitor Pro license.
Expected Results: SNMP Trap, sFlow, and Netflow collection should be permitted with a System Monitor Collector license.
Workaround: Use a System Monitor Pro license to collect SNMP Traps, sFlow, Netflow.
|When enabling cleanup scripts for Mimecast collection, customers may receive tracking errors and collection may not be reliable.
Expected Results: Collection should be reliable during cleanup.
Workaround: There is no workaround for this issue.