
Cloud SIEM - LogRhythm Configuration Notes

Enterprise Cloud SIEM Architecture

LogRhythm SMA Installation

System Monitor Agent Remote Collection Installation for Windows 2008+

Firewall Rules

Make sure the following ports are not blocked by any firewalls between the SysMon server and the target server:
o TCP 135
o UDP 137
o UDP 138
o TCP 139
o TCP 445

In the Windows Inbound Firewall Rules on the target server, enable the following services:
o Remote Event Log Management (RPC)

Start the RPC (Remote Event Log Management) service on each individual Windows server.


The "LogRhythm System Monitor" service must run under a domain account (not the "Local System" account; for example, logrhythm_srv). That account must be a member of the local Event Log Readers group on each remote server. Membership can be assigned manually or pushed via GPO.

Assign the System Monitor's service account read permissions to the following two registry entries:
· HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing
· HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing

Note: By default, the Event Log Readers group has read permission on the two keys above, so adding the account to the local Event Log Readers group should grant it read access to both keys. Ask the server owners to verify this.
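The prerequisites above (open TCP ports, the inbound Remote Event Log Management rules, Event Log Readers membership, and read access on the two registry keys) can be checked from the SysMon server before the agent is pointed at a new target. The script below is an added verification example, not part of the original notes or of LogRhythm's installer. It assumes PowerShell Remoting (WinRM) is enabled on the target; if it is not, run the inner script block locally on each server. The server name `TARGET-SERVER` and the domain prefix `CONTOSO\` are placeholders; `logrhythm_srv` is the service account named in the notes.

```powershell
# Added example: pre-flight checks for LogRhythm SMA remote event log collection.
# Placeholders: TARGET-SERVER and the CONTOSO\ domain prefix are assumptions.
param(
    [string]$Target  = 'TARGET-SERVER',
    [string]$Account = 'CONTOSO\logrhythm_srv'
)

# 1. TCP ports from the notes. Test-NetConnection only probes TCP, so UDP 137/138
#    must be confirmed on the firewall itself.
foreach ($port in 135, 139, 445) {
    $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
    '{0} TCP/{1}: {2}' -f $Target, $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 2-4. Checks that must run on the target server itself.
Invoke-Command -ComputerName $Target -ArgumentList $Account -ScriptBlock {
    param($Account)

    # 2. Inbound rules in the 'Remote Event Log Management' firewall group.
    Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Direction Inbound |
        ForEach-Object { '{0}: Enabled={1}' -f $_.DisplayName, $_.Enabled }

    # 3. Local Event Log Readers membership. ADSI is used instead of
    #    Get-LocalGroupMember so the check also works on Windows Server 2008.
    $group   = [ADSI]'WinNT://./Event Log Readers,group'
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    })
    # ADsPath looks like WinNT://CONTOSO/logrhythm_srv; normalise to DOMAIN\name.
    $normalised = $members -replace '^WinNT://', '' -replace '/', '\'
    'Event Log Readers contains {0}: {1}' -f $Account, ($normalised -contains $Account)

    # 4. Read access on the two registry keys from the notes, granted either
    #    directly to the account or via the Event Log Readers group.
    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $keys = 'HKLM:\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing',
            'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing'
    foreach ($key in $keys) {
        $acl     = Get-Acl -Path $key
        $granted = $acl.Access | Where-Object {
            ($_.IdentityReference.Value -eq $Account -or
             $_.IdentityReference.Value -like '*Event Log Readers') -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.RegistryRights -band $readKey) -eq $readKey)
        }
        '{0}: read granted={1}' -f $key, [bool]$granted
    }
}
```

Any line reporting BLOCKED, Enabled=False, or False for group membership or registry read identifies which prerequisite from the notes is still missing on that server. When membership is pushed by GPO (Restricted Groups), run the group check after the next policy refresh; ControlSet001 is normally the same control set as CurrentControlSet, so both keys are expected to report identical results.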

LogRhythm Cloud Web GUI

Search logs using Lucene Filter:

Search Logs using Wildcard:
