Cloud SIEM Project - LogRhythm Notes




Enterprise Cloud SIEM Architecture




LogRhythm SMA Installation

System Monitor Agent Remote Collection Installation for Windows 2008+


Firewall Rules


Make sure the following ports are not blocked by any firewalls between the SysMon server and the
target server:
o TCP 135 (RPC endpoint mapper)
o UDP 137 (NetBIOS name service)
o UDP 138 (NetBIOS datagram service)
o TCP 139 (NetBIOS session service)
o TCP 445 (SMB; carries the named-pipe path to the event log RPC interface)

Caveat: after the endpoint mapper on TCP 135 answers, the event log RPC call itself is made to a
dynamically assigned high port (49152-65535 on Windows 2008 and later). A firewall that only opens
TCP 135 will still break collection, so either allow the dynamic RPC range or make sure the
named-pipe path over TCP 445 is open.

In the Windows Inbound Firewall Rules on the target server, enable the rules of the "Remote Event Log
Management" group, at minimum:
o Remote Event Log Management (RPC)
o Remote Event Log Management (RPC-EPMAP)



Service

On each individual Windows server, make sure the Windows Event Log service (EventLog) is running and
set to Automatic; it hosts the RPC interface the SysMon agent reads from. The Remote Procedure Call
(RPC) service (RpcSs) it depends on is always running. Note that "Remote Event Log Management (RPC)"
is the name of the firewall rule above, not of a Windows service.

Membership/Permission


The "LogRhythm System Monitor" service must run as a domain account (not the "Local System"
account; e.g. logrhythm_srv). That account must be a member of the local "Event Log Readers" group on
each remote server; assign it manually or push it via GPO (e.g. Restricted Groups). Keep it to that
group: reading event logs does not require local or domain administrator rights, and an
over-privileged collection account that can reach every monitored server is a high-value target.

Assign the System Monitor's service account read permissions to the following two registry keys:
·        HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing
·        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing

Note: By default the Event Log Readers group has read permission on these keys, so adding the account
to the local Event Log Readers group normally covers both (CurrentControlSet is a link to the active
control set, usually ControlSet001). Verify the ACLs on each server rather than assuming the default;
hardened builds and endpoint products sometimes tighten them.
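The whole target-side preparation above (firewall rule group, Windows Event Log service, Event Log Readers membership, registry ACL check) and an end-to-end verification from the SysMon server, as an added PowerShell example that is not LogRhythm's own code. The account name CORP\logrhythm_srv and the host srv01.corp.example are assumptions for illustration; older tooling (netsh, net localgroup, .NET TcpClient) is used on purpose so the script also runs on Windows Server 2008/2008 R2.

```powershell
# Added example, not LogRhythm's own code. Assumed names: 'CORP\logrhythm_srv'
# (the agent's domain service account) and 'srv01.corp.example' (a target server).

# ---- Run elevated ON EACH TARGET SERVER -----------------------------------
function Initialize-RemoteEventLogTarget {
    param([Parameter(Mandatory=$true)][string]$ServiceAccount)

    # 1. Inbound firewall: enable the whole 'Remote Event Log Management' group
    #    (RPC-EPMAP on TCP 135, the RPC dynamic port, and the named-pipe path).
    netsh advfirewall firewall set rule group="Remote Event Log Management" new enable=yes | Out-Null

    # 2. Service: the event log RPC interface lives in the Windows Event Log
    #    service, so it must be running; RpcSs itself is always running.
    Set-Service -Name EventLog -StartupType Automatic
    if ((Get-Service -Name EventLog).Status -ne 'Running') { Start-Service -Name EventLog }

    # 3. Least privilege: local 'Event Log Readers' membership only, no admin rights.
    $members = (net localgroup "Event Log Readers") | ForEach-Object { $_.Trim() }
    if (-not ($members -contains $ServiceAccount)) {
        net localgroup "Event Log Readers" $ServiceAccount /add | Out-Null
    }

    # 4. Registry: report whether Event Log Readers (or the account itself) holds
    #    a read ACE on the two Security-Auditing keys instead of assuming the default.
    $keys = @(
        'HKLM:\SYSTEM\ControlSet001\Services\EventLog\Security\Microsoft-Windows-Security-Auditing',
        'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security\Microsoft-Windows-Security-Auditing'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { Write-Warning "Missing key: $key"; continue }
        $acl = Get-Acl -Path $key
        $readAce = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.IdentityReference.Value -eq 'BUILTIN\Event Log Readers' -or
             $_.IdentityReference.Value -eq $ServiceAccount) -and
            ($_.RegistryRights.ToString() -match 'ReadKey|FullControl|QueryValues')
        }
        if ($readAce) { "OK   read access present: $key" }
        else          { Write-Warning "No read ACE for Event Log Readers or $ServiceAccount on $key" }
    }
}

# ---- Run ON THE SYSMON (collector) SERVER ----------------------------------
function Test-RemoteEventLogCollection {
    param(
        [Parameter(Mandatory=$true)][string]$Target,
        [Parameter(Mandatory=$true)][pscredential]$Credential   # the service account
    )
    $allOpen = $true
    # TCP reachability only; UDP 137/138 cannot be probed with a connect test.
    foreach ($port in 135, 139, 445) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne(2000) -and $client.Connected
        } catch { $open = $false } finally { $client.Close() }
        "{0}:{1} {2}" -f $Target, $port, $(if ($open) { 'open' } else { 'BLOCKED' })
        if (-not $open) { $allOpen = $false }
    }
    # End-to-end check: read one Security event over RPC as the service account.
    # This follows the same path the agent uses, so it also exercises the dynamic
    # RPC port and the Event Log Readers membership on the target.
    try {
        $ev = Get-WinEvent -ComputerName $Target -LogName Security -MaxEvents 1 `
                           -Credential $Credential -ErrorAction Stop
        "OK   read Security event {0} ({1}) from {2}" -f $ev.Id, $ev.TimeCreated, $Target
        return $allOpen
    } catch {
        Write-Warning "Remote Security log read failed: $($_.Exception.Message)"
        return $false
    }
}

# Usage with the assumed names:
# Initialize-RemoteEventLogTarget -ServiceAccount 'CORP\logrhythm_srv'
# Test-RemoteEventLogCollection -Target 'srv01.corp.example' `
#     -Credential (Get-Credential 'CORP\logrhythm_srv')
```

The Get-WinEvent call is the check that matters: a port being reported open only proves the path to the endpoint mapper, while a successful remote read of the Security log proves the firewall group, the dynamic RPC port, the service and the group membership all line up for the account the agent will actually use. A "BLOCKED" on TCP 139 alone is not fatal when TCP 445 is open, since the named-pipe path rides on SMB over 445.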

LogRhythm Cloud Web GUI

Dashboards

Alarms



Searches
Reports









