Cloud SIEM – LogRhythm Configuration Notes

Last updated on January 19, 2020

Enterprise Cloud SIEM Architecture

LogRhythm SMA Installation

System Monitor Agent Remote Collection Installation for Windows 2008+

Firewall Rules

Make sure the following ports are not blocked by any firewalls between the SysMon server and the target server:
o TCP 135
o UDP 137
o UDP 138
o TCP 139
o TCP 445
In the Windows Inbound Firewall Rules on the target server, enable the following rule group:
o Remote Event Log Management (RPC)

Service

Start the RPC (Remote Event Log Management) service on each individual Windows server.

Membership/Permission

The “LogRhythm System Monitor” service must run under a domain account (for example logrhythm_srv), not the “Local System” account. That account should be a member of the local Event Log Readers group on each remote server; the membership can be assigned manually or pushed via GPO.
Assign the System Monitor service account read permission to the following two registry keys:
·       HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing
·       HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing
Note: By default, the Event Log Readers group has read permission to the above keys, so adding the account to the local Event Log Readers group should grant it read access to both. Verify this on each target server.
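The firewall, service and membership/permission prerequisites above are easy to get partially wrong on a fleet of servers, so a repeatable check is worth having. The following PowerShell is an added example, not code from the original post or from LogRhythm: one function runs on the SysMon server and probes the TCP ports listed in the firewall section, the other runs elevated on a target server and verifies the rule group, the underlying services, the Event Log Readers membership and read access on the two registry keys. The account name CONTOSO\logrhythm_srv and the target host name are placeholders. It assumes Windows 2012+/PowerShell 5.1 for Get-NetFirewallRule and Get-LocalGroupMember; on Windows 2008 substitute `net localgroup "Event Log Readers"` for the membership check.

```powershell
<#
  Added example (not from the original post or from LogRhythm).
  Test-SysMonTargetPorts   : run on the SysMon (collector) server.
  Test-SysMonTargetPrereqs : run elevated on each target Windows server.
  Assumptions: the service account and host names are placeholders;
  Get-NetFirewallRule / Get-LocalGroupMember need Windows 2012+ / PowerShell 5.1.
#>

function Test-SysMonTargetPorts {
    param([Parameter(Mandatory)][string]$TargetServer)
    $tcpPorts = 135, 139, 445   # TCP ports from the firewall section
    $udpPorts = 137, 138        # UDP ports: Test-NetConnection cannot probe UDP
    $out = [ordered]@{}
    foreach ($p in $tcpPorts) {
        $r = Test-NetConnection -ComputerName $TargetServer -Port $p -WarningAction SilentlyContinue
        $out["TCP/$p"] = $r.TcpTestSucceeded
    }
    foreach ($p in $udpPorts) {
        $out["UDP/$p"] = 'not probed - review the firewall rule set manually'
    }
    [pscustomobject]$out
}

function Test-SysMonTargetPrereqs {
    param([string]$ServiceAccount = 'CONTOSO\logrhythm_srv')   # placeholder domain account

    $readKey = [System.Security.AccessControl.RegistryRights]::ReadKey
    $out = [ordered]@{}

    # Inbound rule group "Remote Event Log Management (RPC)" must be enabled.
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' `
                                 -Direction Inbound -ErrorAction SilentlyContinue
    $out['FirewallRuleGroupEnabled'] = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count -gt 0

    # The RPC endpoint mapper and the Windows Event Log service must be running.
    foreach ($svc in 'RpcSs', 'EventLog') {
        $out["Service:$svc"] = (Get-Service -Name $svc).Status -eq 'Running'
    }

    # The service account must be a member of the local Event Log Readers group.
    $members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue
    $out['InEventLogReaders'] = @($members | Where-Object { $_.Name -ieq $ServiceAccount }).Count -gt 0

    # Read access on the two keys named in the post, granted either directly to the
    # account or through the Event Log Readers group (inherited ACEs are included).
    $keys = @(
        'HKLM:\SYSTEM\ControlSet001\services\eventlog\Security\Microsoft-Windows-Security-Auditing',
        'HKLM:\SYSTEM\CurrentControlSet\services\eventlog\Security\Microsoft-Windows-Security-Auditing'
    )
    foreach ($k in $keys) {
        $allowed = $false
        if (Test-Path -Path $k) {
            $acl = Get-Acl -Path $k
            $allowed = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ($_.IdentityReference.Value -ieq $ServiceAccount -or
                 $_.IdentityReference.Value -ieq 'BUILTIN\Event Log Readers') -and
                (($_.RegistryRights -band $readKey) -eq $readKey)
            })
        }
        $out["ReadAccess:$k"] = $allowed
    }
    [pscustomobject]$out
}

# Usage (first on the SysMon server, second on each target server):
# Test-SysMonTargetPorts   -TargetServer 'target01.contoso.local'
# Test-SysMonTargetPrereqs -ServiceAccount 'CONTOSO\logrhythm_srv'
```

Each property of the returned object maps to one prerequisite in the notes above, so a `$false` tells you exactly which step to repeat. The registry check deliberately accepts an ACE for BUILTIN\Event Log Readers as well as for the account itself, because that is how the default permissions the note describes are actually granted.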

LogRhythm Cloud Web GUI

Dashboards
Alarms
Searches
Reports
Search
Search logs using Lucene filter:

Search logs using wildcard:
