
Data Sheet

LogRhythm SysMon

LogRhythm SysMon enables customers to fulfill security and compliance use cases by performing data collection and generating rich host activity data. An optional component for the LogRhythm TLM platform, LogRhythm SysMon is a software agent that operates on endpoints, servers, and virtual machines running Windows, Linux, and UNIX.

LogRhythm SysMon for Data Collection

LogRhythm SysMon enables threat detection and response by consolidating and collecting log and machine data from local and remote environments and cloud infrastructure. Functioning as an agent-based data collector, it complements our agentless data collection options to facilitate the aggregation of log data, security events, and other machine data.

LogRhythm SysMon for Endpoint Monitoring & Forensics

Addressing advanced threats, compliance violations, and operational issues requires deep visibility into your environment, including the ability to correlate host activity with additional network information. Unfortunately, many categories of critical endpoint data are not available from Windows event logs and other typical sources. Even when available, many of these logs lack the level of detail necessary to achieve true visibility. Filling these gaps usually requires one or more additional agent-based solutions to perform independent monitoring.

LogRhythm SysMon's integrated endpoint monitoring and forensics capabilities perform independent logging of host activity. This telemetry enables multi-dimensional analysis of your wider environment, allowing you to:

• Detect and respond to security threats, including zero-day attacks
• Automate and enforce compliance with HIPAA, PCI, SOX, and other compliance regimes
• Monitor for operational issues, such as system and application failures

Extending the SmartResponse Automation Framework

LogRhythm SysMon extends the reach and flexibility of the LogRhythm SmartResponse™ automation framework. Together, the technologies can automatically or manually perform actions on an endpoint, such as:

• Monitoring the host to generate diagnostic and forensic data for accurate root cause analysis
• Disabling the network interface card for a compromised host
• Starting or disabling a process and collecting related information

Endpoint Monitoring Capabilities

• File Integrity Monitoring prevents corruption of key files by identifying when and by whom files and associated permissions are created, viewed, modified, and deleted.
• Independent Process Monitoring reports process and service activity, enabling detection of critical behavior, such as critical processes stopping and new/blacklisted processes (e.g., Tor) starting.
• Windows Registry Monitoring flags registry additions, modifications, deletions, permission (ACL) changes, and more. This provides the details necessary to detect advanced threats, compromised endpoints, and more.
• Network Connection Monitoring provides a detailed, independent log of all network connections opened and closed on a host, helping LogRhythm detect critical events, such as connections with unauthorized servers.
• User Activity Monitoring logs any user that authenticates to an endpoint, creating a forensic record to supplement and validate local auditing systems.
• Data Loss Defender monitors data transfers to and from removable media, such as USB drives, and can optionally block transfers on specific machines and devices.

LogRhythm SysMon Administration


LogRhythm SysMon efficiently supports large environments (>10,000 agents) through layered, policy-based configuration
and central monitoring and management. Data processing is performed centrally, rather than on the endpoint, resulting in
a minimal compute footprint.
SysMon transmits data to the LogRhythm data processing layer via a compressed and TLS-encrypted connection.
The agent ensures data integrity during network interruptions by spooling volatile UDP traffic and tracking state for
non-volatile data. Automatic failover across the data processing layer provides an additional level of resilience.
SysMon Pro can be configured for unidirectional network communication paths, supporting classified environments
and regulatory requirements.
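The two resilience behaviours named above, tracking read state for non-volatile sources and spooling volatile UDP messages during an outage, are sketched here as an added illustration; this is not LogRhythm's code, and the file paths, the JSON-lines spool format and the `send` callback are assumptions made for the example.

```python
import json
import os
from pathlib import Path


def collect_new_lines(path, offset):
    """Read a flat-file source from a saved byte offset; return (lines, new_offset).
    A file smaller than the offset is treated as rotated and read from the start."""
    if os.path.getsize(path) < offset:
        offset = 0
    with open(path, "rb") as f:
        f.seek(offset)
        data = f.read()
    end = data.rfind(b"\n") + 1  # consume only complete lines
    lines = data[:end].decode("utf-8", "replace").splitlines()
    return lines, offset + end


class UdpSpool:
    """Hold volatile (UDP) messages on disk while the upstream is unreachable.
    `send(msg)` is a hypothetical forwarder that returns True on success."""

    def __init__(self, spool_path, send):
        self.spool_path = Path(spool_path)
        self.send = send

    def offer(self, msg):
        # Forward immediately if possible; otherwise append to the spool file.
        if not self.send(msg):
            with self.spool_path.open("a", encoding="utf-8") as f:
                f.write(json.dumps(msg) + "\n")

    def flush(self):
        """Replay spooled messages in arrival order, stopping at the first
        failed send so ordering is kept. Returns the number delivered."""
        if not self.spool_path.exists():
            return 0
        text = self.spool_path.read_text(encoding="utf-8")
        pending = [json.loads(line) for line in text.splitlines()]
        sent = 0
        for msg in pending:
            if not self.send(msg):
                break
            sent += 1
        remaining = "".join(json.dumps(m) + "\n" for m in pending[sent:])
        self.spool_path.write_text(remaining, encoding="utf-8")
        return sent
```

Persisting the returned offset after each poll is what makes collection of the flat file resumable; the spool is what keeps UDP data from being lost when the data processing layer is unreachable.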

WWW.LOGRHYTHM.COM PAGE 1

LogRhythm SysMon Comparison Chart


SysMon is delivered in two versions, SysMon Lite and SysMon Pro, outlined below.

SysMon Lite (Ideal for Desktop Environments)

• Centralized management and updates
• Guaranteed collection
• TLS-encrypted communication
• 10:1 data compression for transport
• Remote data aggregation
• Timestamp normalization
• Scheduled collection
• TCP forwarding
• Desktop endpoint monitoring
  - Windows Registry Monitoring for Desktops
  - Independent process monitoring
  - Network connection monitoring
  - User activity monitoring
  - Data Loss Defender for local storage devices
• File integrity monitoring for desktops and point of sale systems
  - Detect reads, modifications, and deletions
  - Identify specific user or application
  - Support for policy layering
• High-volume log collection
  - Syslog
  - UDP/TCP and secure syslog
  - Flat files (single-line and multi-line, compressed or uncompressed)
  - Windows Events, including custom event logs

SysMon Pro (Ideal for Server Environments)

• Centralized management and updates
• Guaranteed collection
• TLS-encrypted communication
• 10:1 data compression for transport
• Remote data aggregation
• Timestamp normalization
• Scheduled collection
• TCP forwarding
• Server endpoint monitoring
  - Windows Registry Monitoring for Servers
  - Independent process monitoring
  - Network connection monitoring
  - User activity monitoring
  - Data Loss Defender for local storage devices
• File integrity monitoring for servers
  - Detect reads, modifications, and deletions
  - Identify specific user or application
  - Support for policy layering
• High-volume log collection
  - Syslog
  - UDP/TCP and secure syslog
  - Flat files (single-line and multi-line, compressed or uncompressed)
  - Windows Events, including custom event logs and database logs
  - Vendor-specific APIs (e.g., IBM iSeries, Cisco SDEE, Check Point OPSEC, Sourcefire eStreamer)
  - Cloud-based APIs (e.g., AWS, Azure, Box, Skyhigh, Salesforce)
  - Flow data (e.g., IPFIX, NetFlow, sFlow, J-Flow, SmartFlow)
  - SNMP
  - Vulnerability data (e.g., Qualys, Rapid7, Tenable Security Center)
  - LogRhythm Universal Database Log Adapter for system and custom logs written to database tables (e.g., Oracle, SQL Server, MySQL); ODBC & JDBC protocols
• Unidirectional communications for classified environments
  - Integration with one-way data diodes
• Support for classified/top-secret environments

©2018 LogRhythm Inc. | DS950_Apr18
