
NetMon Software Installation and Configuration Guide

January 6, 2020

NetMon-4.0.1-SoftwareInstallationConfiguration_revA
– NetMon Software Installation and Configuration Guide

© LogRhythm, Inc. All rights reserved


This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by
copyright and possible non-disclosure agreements. The Software described in this Guide is furnished under the
End User License Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of
the Software. This Software may be used or copied only in accordance with the Agreement. No part of this
Guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including
photocopying and recording for any purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may
be trademarks, registered trademarks, or service marks of their respective holders.

VMware, ESX, and ESXi, VMware Certified Professional, vCenter, and vSphere are registered trademarks or
trademarks of VMware, Inc. in the United States and/or other jurisdictions.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301

(303) 413-8745
www.logrhythm.com

LogRhythm Customer Support
support@logrhythm.com

Contents
Overview ............................................................ 1
Install NetMon Software ............................................. 1
    Supported Platforms ............................................. 1
    Select the Installation Platform ................................ 1
    Network Interfaces .............................................. 2
    Automated Installation with the LogRhythm .iso .................. 2
        Prerequisites ............................................... 3
        Installation Steps .......................................... 3
        Log In ...................................................... 4
Configure NetMon .................................................... 4
    Determine the IP Address and Launch NetMon ...................... 4
        DHCP Configuration .......................................... 5
        Static IP Configuration ..................................... 5
    Change the Management or Recovery Network Interface ............. 8
        Manual Network Configuration ................................ 8
    License NetMon ................................................. 10
    Enable Packet Capture .......................................... 10
    Enable Syslog Reporting ........................................ 11
    Verify Network TAP Reporting ................................... 11
    Define an NTP Server ........................................... 12
    (Optional) Use a Custom SSL Certificate ........................ 12
    Select Applications for Packet Capture ......................... 13
Integrate NetMon with LogRhythm SIEM ............................... 14
Check for Updates .................................................. 16
LogRhythm Support .................................................. 16
Appendix: Maintain a Minimal NetMon ................................ 17
    Clean Up Diagnostic Stats and Logs ............................. 17
    (Optional) Clean Up PCAP Files ................................. 17
    Restart NetMon ................................................. 18
    Delete Indices in the NetMon Web Management Interface .......... 18

Overview
This guide provides installation instructions for NetMon software on both hardware and virtual machines,
including minimal resource evaluation systems, as well as instructions for configuring your new deployment to
begin capturing data.

NOTE: If you purchased a NetMon appliance from LogRhythm, you do not need to install the software
separately—it is preinstalled on your appliance. For more information, see the NetMon Appliance
Installation and Configuration Guide, available on the LogRhythm Community.

Install NetMon Software
This section provides details about selecting an installation platform and installing NetMon software.

Supported Platforms
NetMon can be installed directly on supported hardware or on a virtual machine. For more information, see
the NetMon VMware Installation and Configuration Guide, available on the LogRhythm Community.

Select the Installation Platform
Select a computer or virtual environment that meets the requirements listed in this section. If you are using
your own hardware, remove any disk drives smaller than 60 GB from the system.

IMPORTANT: The limited installation platform should not be used for production deployments of NetMon.
For information about how to maintain a limited installation, see Appendix: Maintain a
Minimal NetMon.

IMPORTANT: NetMon is not supported on systems that use shared disks. Installing on a system that uses
shared disks can have a significant negative impact on performance.

NOTE: NetMon is an I/O-intensive solution that requires dedicated physical drives to achieve the
published rates specified. NetMon makes no distinction between Direct Attached Storage (DAS) or
Storage Area Network (SAN), but the disk volumes must be dedicated.

NOTE: All versions use CentOS 7.4.

NOTE: All performance values listed in the table that follows can vary based on your system configuration
and the type of traffic NetMon is processing.

PAGE 1

Columns: Flows per Second | Performance | CPU/Processor | Disk Drives

Minimal Evaluation
  Performance:   Processing up to 100 Mb/s; Capture up to 10 Mb/s
  CPU/Processor: 4 vCPU; 12 GB RAM; 2 NIC
  Disk Drives:   Minimum IOPS: 100; Drive Size: 60 GB

1–1000 flows per second
  Performance:   Processing up to 1 Gb/s; Capture up to 1 Gb/s
  CPU/Processor: 1 x 2.3 GHz 12 Core CPU (24 vCPU); 64 GB RAM; PERC H740 Integrated RAID
                 Controller (8 GB cache); 2 x 10 Gb/s NIC; 2 x 1 Gb/s NIC
  Disk Drives:
    OS Drive:    2 x 240 GB M.2 SSD, 0.3 DWPD, RAID 1; Hardware IOPS: 85,000;
                 Recommended IOPS: 150; 220 GB usable
    Data Drives: 8 x 600 GB 10K RPM SAS, RAID 5 + 1 HS; Hardware IOPS: 717;
                 Recommended IOPS: 717; 3,312 GB

More than 1000 flows per second
  Performance:   Processing up to 5 Gb/s; Capture up to 2.5 Gb/s
  CPU/Processor: 2 x 2.6 GHz 14 Core CPU (56 vCPU); ≥ 128 GB RAM; PERC H740 Integrated RAID
                 Controller (8 GB cache); 2 x 10 Gb/s NIC; 2 x 1 Gb/s NIC
  Disk Drives:
    OS Drive:    2 x 240 GB M.2 SSD, 0.3 DWPD, RAID 1; Hardware IOPS: 85,000;
                 Recommended IOPS: 150; 220 GB usable
    Data Drives: 24 x 600 GB 10K RPM SAS, RAID 5 + 1 HS; Hardware IOPS: 2,115;
                 Recommended IOPS: 2,115; 12,232 GB

Network Interfaces
On systems with four or more network interfaces, the NetMon installation will bond interfaces 5 and 6 to
create the bond0 interface. This is the default input interface (network TAP) for NetMon. Additionally, the first
network interface will be configured to start when the NetMon system starts.

NOTE: LogRhythm testing confirms that NetMon runs up to 30 network interfaces without significant user
interface issues or performance degradation. It is not recommended to go beyond 30 interfaces.

Automated Installation with the LogRhythm .iso
LogRhythm provides an .iso disk image to simplify the installation of NetMon. The .iso is a bootable image that
installs CentOS 7.4 Minimal and NetMon.

NOTE: When installing CentOS, all of the required disk partitions will be created and sized according to
LogRhythm’s recommendations.

The .iso can be used to install CentOS and NetMon on a physical or virtual system that has a primary disk as
small as 60 GB.


NOTE: The .iso installation is supported on systems containing up to four physical disks.

Prerequisites
• If you have not already registered, you can sign up for an account on the LogRhythm Community.
Click Not a Member, and then complete the New Member Registration. Your registration confirmation
will be emailed to you. Check your spam folder in case the approval email is not recognized.

NOTE: Although strongly recommended, this step is not required before installing NetMon.

• If you have not yet obtained the NetMon installation .iso, download the .iso from the Community.
After logging in, click NetMon Resources, click the version of NetMon Freemium you would like to
run, and then click Network Monitor ISO (Checksum) under the Installation Files header.
• For a virtual installation, create a new VM that meets the following requirements:
o OS Type is Linux
o OS Version is Linux 64-bit or Other 64-bit
o Hard drive, RAM, and processor meet the requirements stated in Select the Installation
Platform
o Primary network adapter in “bridged” mode, and promiscuous mode is set to allow all traffic
o VMware Workstation is powered on as “Startup Guest”; VirtualBox VM is powered on as
“Normal Start”
• For a list of software packages installed with NetMon, open the NetMon User Guide or the online Help
and go to Appendices > Installed Packages.

Installation Steps
To install CentOS 7.4 Minimal and NetMon using the LogRhythm .iso:

1. If you are installing on a physical computer, burn the .iso image to a writeable CD or DVD, or build a
NetMon USB. For a virtual install, you can mount the .iso for the installation.
2. Boot the computer from the CD, DVD, or USB, or start the VM with the mounted .iso.
3. When the welcome screen loads, select Install LogRhythm Network Monitor.

The installer completes the installation and the system reboots.


Log In
1. When the system reboots, log in to the console using logrhythm as the login and changeme as the
password.
2. To change the password for the logrhythm user, type the command passwd, type the default
password (changeme), and then type and verify your new password.

NOTE: You will need to change the input interface for analyzing network traffic in the NetMon Web
Management interface. By default, this field is set to bond0. For more information, see
“Changing Engine Parameters” in the NetMon online Help or the NetMon User Guide.

IMPORTANT: After installing and logging in to your NetMon software, do not update the CentOS
operating system using yum or any other method. An update could leave your NetMon
system in an unusable state.

NOTE: The default time zone for NetMon is America/Denver. To change this setting, open a command
line and enter sudo timedatectl set-timezone <time zone>. To find the string that
corresponds to your time zone, use the command sudo tzselect.

Configure NetMon
This section describes how to determine an IP address for NetMon, launch the NetMon Web Management
interface, and configure NetMon to begin capturing data.

• Determine the IP Address and Launch NetMon
• Change the Management or Recovery Network Interface
• License NetMon
• Enable Packet Capture
• Enable Syslog Reporting
• Verify Network TAP Reporting
• Define an NTP Server
• (Optional) Use a Custom SSL Certificate
• Select Applications for Packet Capture

Determine the IP Address and Launch NetMon
By default, NetMon’s data management interface uses Dynamic Host Configuration Protocol (DHCP).

NOTE: Interface names will vary depending on motherboard vendors and the PCI slot in which the
network interface card is installed (for example, em1, eno1, enp2s0).

If your network uses DHCP, an administrator in your organization can provide the NetMon’s IP address after
installation. If you need to assign a static IP to the NetMon appliance, you must perform some extra steps, as
described in the Static IP Configuration section of this guide.

To launch NetMon for the first time, be sure to follow the correct instructions for DHCP or Static IP.


By default, the installation assigns the Management Interface. To select a different management or recovery
network interface, see Change the Management or Recovery Network Interface.

DHCP Configuration
If your network uses DHCP, obtain the NetMon’s IP address from your network administrator.

1. Open a browser (Internet Explorer 11 or the latest version of Chrome or Firefox).

NOTE: Microsoft Edge is not currently supported.

2. Enter the IP address of the NetMon appliance.
3. On the login screen, enter the user name and password:
• User Name: admin
• Password: changeme
4. Click Sign in.
The Update Password page appears.
5. Type your current password (changeme) and a new password twice, and then click Update.
6. Log in to NetMon with your user ID and new password.
The Web Management interface for NetMon appears.
7. Select your license type for NetMon. For more information, see License NetMon.

Static IP Configuration
Follow the instructions in this section if you are assigning a static IP to the NetMon appliance.

Configure a Laptop for Direct Connection to the Recovery Interface

Windows
1. From a laptop running Windows, click Start, and then search for “View Network Connections.”
2. Right-click Local Area Connection, and then click Properties.
3. Select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.
4. In the Properties window:
• Select the Use the following IP address button.
• Enter the IP address: 192.168.0.11

NOTE: If your management interface is on the 192.168.x.x subnet, then set this value to
172.16.0.11. For more information, see Change the Management or Recovery
Network Interface.

• Enter the subnet mask: 255.255.255.0
• Leave the Default gateway blank.
5. Click OK, and then click OK to close the Local Area Connection Properties dialog box.
6. Right-click Local Area Connection. If the connection is not already enabled, click Enable.
7. If any wireless adapters are connected to the network, right-click Wireless Network Connection,
and then click Disable.


8. Open the command prompt and run ipconfig to verify that the IP address is 192.168.0.11.

OS X
1. From a laptop running OS X, click the Apple menu at the upper-left corner of the page, click the
System Preferences application, and then click Network.
2. On the left side of the Network page, select your Thunderbolt Ethernet connection.
3. Specify the following Thunderbolt Ethernet connection settings:
• Configure IPv4: Manually
• IP Address: 192.168.0.11

NOTE: If your management interface is on the 192.168.x.x subnet, then set this value to
172.16.0.11. For more information, see Change the Management or Recovery
Network Interface.

• Subnet Mask: 255.255.255.0
4. Click Apply.

Launch NetMon
1. Open a browser (Internet Explorer 11 or the latest version of Chrome or Firefox).

NOTE: Microsoft Edge is not currently supported.

2. To configure a static IP, connect to https://192.168.0.10.
You will define a different IP address later, as described in Assign a New IP Address.
3. On the login screen, enter the user name and password:
• User Name: admin
• Password: changeme
4. Click Sign in.
The Update Password page appears.
5. Type your current password (changeme) and a new password twice, and then click Update.
6. Log in to NetMon with your user ID and new password.
The Web Management interface for NetMon appears.

NOTE: If NetMon requires a license file and you have not already uploaded one, you are prompted
to choose your version of the software. For more information, see License NetMon.


Assign a New IP Address
1. Log in to the Web Management interface.
2. On the top navigation bar, click Configuration, and then click the Network tab.
3. On the Interface Selection (Assisted) panel, select the Management Interface Uses Static IP check
box.
Additional fields appear below.

4. Enter your IP Address, Netmask, and Gateway (and optionally, a DNS Server and Search Domain).

NOTE: From now on, you can use this IP address to access the Web Management interface for
NetMon on the data management interface.

5. Click Apply Changes.
NetMon changes the configuration and redisplays the Network Settings page.
6. Verify that the IP address you specified was configured successfully. From any system on the same
network as the data management interface, open a browser and enter the IP address to access
NetMon.
If you can access NetMon with that IP address, you can now disconnect the laptop from the appliance.


Change the Management or Recovery Network Interface
By default, the installation assigns the Management Interface. To select a different management or recovery
network interface:

1. On the top navigation bar, click Configuration, and then click the Network tab.
2. Select an interface from the Management Interface and Recovery Interface lists, as needed.
3. Click Apply Changes.
Changing the Management and Recovery Network Interfaces could log you out. If it does, you need to
reconnect via the correct interface.

IMPORTANT: Choosing a different Management or Recovery Interface changes which network port is
used for communicating with your appliance. If you make a change to either interface, you
will not have access unless you connect via the correct network. Changing either interface
may require you to change network cabling and your corporate network management
before you can access NetMon.

NOTE: If your management interface is on the 192.168.x.x subnet, the recovery interface is set to the
172.16.x.x subnet to avoid IP address conflicts.

Manual Network Configuration
NetMon 4.0.1 supports manual configuration of management, recovery, and capture interfaces through
Manual Network Configuration mode. This mode is useful for users who want to designate a capture interface
that is not specified within NetMon's autoconfiguration options.

With Manual Network Configuration enabled, you are prompted for the name of the interface from which
NetMon should process packets, and NetMon does not modify any network interface configuration files or
network settings upon startup. After the NetMon services start, the system waits for the specified capture
interface to exist in an "up" state. You are responsible for configuring your Management Interface, Recovery
Interface, and Capture Interface.

IMPORTANT: Manual Network Configuration is an advanced setting that should be enabled only by users
with deep proficiency in Linux. A manual configuration could cause serious issues in your
NetMon that LogRhythm Support cannot resolve and could ultimately require a full reboot
or fresh install of NetMon. Proceed with extreme caution.

NOTE: Before enabling Manual Network Configuration, save the network config with “Use High
Throughput” disabled. Alternatively, modify the value of “enableHighThroughput” to “false” in
/usr/local/probe/conf/nm.yaml and restart the NetMon services.


To enable Manual Network Configuration:

1. On the top navigation bar, click Configuration, and then click the Network tab.
2. On the Interface Selection panel, click Enable Manual Configuration.

3. Enter a capture interface.
4. Click Apply Changes.
5. Restart NetMon for the changes to take effect. This can take a few minutes.
6. To revert to Assisted Network Configuration, click Disable Manual Configuration.


License NetMon
When accessing NetMon for the first time, the license selection page appears. This page displays system
details and provides two licensing options: Network Monitor Freemium and Network Monitor.

To select and upload a license for NetMon:

1. Under the appropriate NetMon option, click Select. For commercial customers or customers evaluating
the full edition of NetMon, select the Network Monitor option.

NOTE: NetMon Freemium is a limited version of NetMon and could result in data loss.

2. When prompted, click Confirm to confirm your selection.
The NetMon license agreement appears.
3. Read the license agreement, select the check box to confirm that you have read and accept the terms
of the agreement, and then click Confirm.
You are prompted to upload your NetMon license.
4. Click Choose File, locate and select the license file from LogRhythm Support, and then click Open to
begin the upload.
After the license uploads successfully, the system restarts.

Enable Packet Capture
1. On the top navigation bar of the NetMon Web Management interface, click Configuration, and then
click the Network tab.
2. Enable one or more interfaces to capture. NetMon accepts the following traffic types:
• TAP. A network Test Access Point (TAP) sends traffic from a hardware switch to NetMon. A TAP
connection requires a dedicated physical port. For more information, see the Connect the
Network Interface Cables section of the NetMon Appliance Installation and Configuration
Guide, available on the LogRhythm Community.
• SPAN. Switched Port Analyzer (SPAN) ports, also called mirroring ports, send a copy of
network packets on one port to another port. A SPAN connection requires a dedicated physical
port.
• GRE. Generic Routing Encapsulation (GRE) allows traffic to be routed over IP networks without a
dedicated physical TAP or SPAN port. When GRE is enabled, traffic can only be captured on the
NetMon management interface.
• Virtual. NetMon can capture traffic from a VMware vSphere virtual machine. For more
information, see the NetMon VMware Installation and Configuration Guide, available on the
LogRhythm Community.
For more information about interface selection and configuration, see the Change Network Parameters
section of the NetMon User Guide, available on the LogRhythm Community.
3. Click Apply Changes.
NetMon restarts the application with the new settings. This might take a few minutes.

NOTE: You can configure NetMon to capture all packets or only specific applications, including
unknown traffic. For more information, see Select Applications for Packet Capture.


Enable Syslog Reporting
1. On the top navigation bar of the NetMon Web Management interface, click Configuration, and then
click the Syslog tab.
2. Set these fields to the appropriate values:
• Syslog Type. Set to UDP, TCP, or SecureTCP for Syslog data output according to the protocol
used by the Agent receiving data over Syslog. If NetMon is integrated with the LogRhythm
SIEM, it is recommended that you use TCP for Syslog.
• Syslog IP. Type the IP address of the Agent or other collector that collects Syslog output.
• Syslog Port. The default Syslog port for the LogRhythm SIEM is 514, but can be changed to
601 or any port higher than 1000.
• Syslog Max Line Length. The maximum, single-message length (in characters) for a Syslog
protocol. The default value is 2000.
• Password Scrubbing. Set to ON to mask unencrypted passwords as a series of asterisks rather
than show them in cleartext.
• Heartbeat Report Time. The time interval (in seconds) between heartbeats when NetMon is
synced with the LogRhythm SIEM. The default value is 60.
• Peer Common Name. Defines the peer common name for SecureTCP.
• CA Cert, Machine Cert, Machine Key. Certificates required for SecureTCP. Click to upload a CA
certificate, machine certificate, and machine key.
3. Click Apply Changes.

NOTE: NetMon restarts the application with the new settings. This might take a few minutes.
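The receiving side of the Syslog settings above, as an added example that is not part of this guide or of NetMon: a small TCP collector in Python that parses each line, flags lines longer than the 2000-character default for Syslog Max Line Length, and reports any password field that still arrived in cleartext (the condition Password Scrubbing is meant to prevent). The RFC 3164 header layout, the key=value body and the field name password are assumptions made for illustration; the port and line-length defaults are the guide's.

```python
# Added example (not LogRhythm code): a newline-framed TCP syslog collector
# with the receiver-side checks for NetMon's Syslog output.  The RFC 3164
# header and the key=value body with a "password" field are ASSUMED layouts
# for illustration; the guide does not specify NetMon's message format.
import re
import socket
import threading
import time

MAX_LINE_LENGTH = 2000   # the guide's default "Syslog Max Line Length"
DEFAULT_PORT = 514       # the guide's default Syslog port

# <PRI>Mmm dd hh:mm:ss host message
_HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$")
# password=value pairs whose value is not already a run of asterisks
_PASSWORD_RE = re.compile(r"(?i)\b(password|passwd|pwd)=(?!\*+(?:\s|$))(\S+)")


def parse_syslog(line):
    """Split an RFC 3164-style line into its header fields, or None."""
    m = _HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
            "host": m.group("host"), "msg": m.group("msg")}


def has_cleartext_password(line):
    """True when a password field still carries a cleartext value."""
    return _PASSWORD_RE.search(line) is not None


def scrub_passwords(line):
    """Mask password values with asterisks, as Password Scrubbing does on the
    sending side; idempotent, so already-masked values are left alone."""
    return _PASSWORD_RE.sub(lambda m: f"{m.group(1)}={'*' * len(m.group(2))}", line)


def check_line(raw, max_len=MAX_LINE_LENGTH):
    """Per-line verdict: parsed header, length finding, scrubbing finding,
    and the line as it should have looked (truncated and masked)."""
    return {"raw": raw,
            "parsed": parse_syslog(raw),
            "too_long": len(raw) > max_len,
            "cleartext_password": has_cleartext_password(raw),
            "sanitized": scrub_passwords(raw[:max_len])}


class SyslogCollector:
    """TCP listener (the guide's TCP option) recording a check_line() verdict
    per received line.  Lines are newline-framed; an unterminated tail at
    connection close is discarded."""

    def __init__(self, host="0.0.0.0", port=DEFAULT_PORT):
        self.addr = (host, port)
        self.results = []
        self._sock = None
        self._got_line = threading.Event()

    def start(self):
        """Bind, serve in a background thread, and return the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind(self.addr)
        self._sock.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()
        return self._sock.getsockname()[1]

    def _serve(self):
        while True:
            try:
                conn, _ = self._sock.accept()
            except OSError:            # listening socket closed by stop()
                return
            with conn:
                buf = b""
                while chunk := conn.recv(4096):
                    buf += chunk
                    while b"\n" in buf:
                        line, buf = buf.split(b"\n", 1)
                        self.results.append(check_line(line.decode("utf-8", "replace")))
                        self._got_line.set()

    def wait_for(self, count, timeout=5.0):
        """Block until `count` lines were checked or the timeout passes."""
        deadline = time.monotonic() + timeout
        while len(self.results) < count and time.monotonic() < deadline:
            self._got_line.wait(0.1)
            self._got_line.clear()
        return len(self.results) >= count

    def stop(self):
        self._sock.close()


def send_lines(host, port, lines):
    """Send newline-framed lines to a collector (for a local loopback test)."""
    with socket.create_connection((host, port)) as s:
        s.sendall("".join(line + "\n" for line in lines).encode("utf-8"))
```

To try it against a real NetMon, start a SyslogCollector on the Syslog Port configured above (port 514 needs root or a port-binding capability), point Syslog IP at the host running it, and inspect results: any entry with cleartext_password set means scrubbing is off or the field name is one the option does not cover, and too_long entries mean the sender is not honouring the configured maximum.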

Verify Network TAP Reporting
1. On the top navigation bar, click Diagnostics.
The Interface tab should be selected.
2. Look at the Packet Rate chart to see if packet data appears.


Define an NTP Server
After you perform a fresh install of NetMon, you must define an IP address for the Network Time Protocol
(NTP) server used in your network to ensure that the time stamps in NetMon charts are accurate.

IMPORTANT: If you do not define an NTP Server, the displayed time values could be out of sync with
your web browser. Events and log data could appear to have occurred in the past or even
the future, and it would be difficult to ascertain the exact time a network event occurred.

1. On the top navigation bar, click Configuration, and then click the Time tab.
2. In the Primary NTP Server field, type the IP address of the main NTP server used in your network. The
default is the address for the CentOS NTP server. If you do not establish an internet connection for the
NetMon appliance and want to use a local NTP server, type the address for that local server in this
field.
3. In the Backup NTP Server field, type the IP address for the backup NTP server (if used).
4. Click Apply Changes.

NOTE: After defining and syncing with an NTP server, it could take several minutes for data to
appear on NetMon dashboards.

(Optional) Use a Custom SSL Certificate
NetMon ships with a self-signed certificate that is not trusted. These instructions explain how to replace that
certificate with your own trusted SSL certificate if you want to assure users that the site is trustworthy.

To add a custom SSL certificate:

1. Ensure that your new, trusted server cert and key files are named “server.crt” and “server.key.”

NOTE: If your cert and key files have unique names, such as “NetMon.crt” or “NetMon.key,”
NetMon does not recognize your certificate.

2. On your NetMon server, go to /etc/nginx.


3. Copy your cert and key files into /etc/nginx. If prompted to overwrite the existing cert and key files,
select Yes.
4. SSH to your NetMon instance using the logrhythm user.
5. Run the following command to ensure that your custom files are owned by the nginx user:
cd /etc/nginx; sudo chown nginx:nginx server.crt; sudo chown nginx:nginx server.key

6. Run the following command to restart nginx:
sudo systemctl restart nginx

Your custom cert is installed.
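A pre-flight check for the procedure above, added here as an example rather than taken from the guide or from NetMon: before copying the files into /etc/nginx it confirms that they carry exactly the names NetMon expects (server.crt and server.key), that the private key is not group- or world-readable, and that the key actually belongs to the certificate, so a mismatched pair does not take nginx down on restart. The key/cert comparison shells out to the openssl command-line tool, which is assumed to be installed; make_demo_pair is a helper that generates a throwaway self-signed pair so the check can be tried without real material.

```python
# Added pre-flight check for the custom-certificate step; this is not
# LogRhythm's code.  Before the files are copied into /etc/nginx it confirms
# that they carry the names NetMon expects (server.crt / server.key), that the
# private key is not group- or world-readable, and that the key really matches
# the certificate.  The key/cert comparison shells out to the openssl CLI,
# which is ASSUMED to be installed on the machine running the check.
import os
import stat
import subprocess
import tempfile

EXPECTED_CERT = "server.crt"   # names from the guide; NetMon ignores other names
EXPECTED_KEY = "server.key"


def _openssl(args):
    """Run an openssl subcommand and return stdout, or None if it fails or is missing."""
    try:
        r = subprocess.run(["openssl", *args], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout if r.returncode == 0 else None


def key_matches_cert(cert_path, key_path):
    """True when the key's public half equals the certificate's public key."""
    cert_pub = _openssl(["x509", "-noout", "-pubkey", "-in", cert_path])
    key_pub = _openssl(["pkey", "-pubout", "-in", key_path])
    return cert_pub is not None and key_pub is not None and cert_pub == key_pub


def preflight_check(directory):
    """Return a list of findings for the pair in `directory`; empty means ready to copy."""
    findings = []
    cert_path = os.path.join(directory, EXPECTED_CERT)
    key_path = os.path.join(directory, EXPECTED_KEY)
    for path, name in ((cert_path, EXPECTED_CERT), (key_path, EXPECTED_KEY)):
        if not os.path.isfile(path):
            findings.append(f"missing {name}: NetMon does not recognise other file names")
    if findings:
        return findings
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{EXPECTED_KEY} mode {mode:04o} is group/world accessible; use 0600")
    if not key_matches_cert(cert_path, key_path):
        findings.append("private key does not match certificate (or openssl is unavailable)")
    return findings


def make_demo_pair(common_name="netmon.example"):
    """Create a throwaway self-signed pair in a fresh temp directory so the
    check can be tried without real material; returns (dir, cert, key)."""
    d = tempfile.mkdtemp(prefix="netmon-cert-")
    cert_path, key_path = os.path.join(d, EXPECTED_CERT), os.path.join(d, EXPECTED_KEY)
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key_path, "-out", cert_path,
                    "-subj", f"/CN={common_name}", "-days", "1"],
                   check=True, capture_output=True)
    os.chmod(key_path, 0o600)
    return d, cert_path, key_path


if __name__ == "__main__":
    demo_dir, _, _ = make_demo_pair()
    print(preflight_check(demo_dir) or "ready to copy into /etc/nginx")
```

Run preflight_check against the directory holding the files you are about to copy; only proceed with steps 3 to 6 when it returns an empty list. The chown in step 5 makes nginx the owner, but the mode check here is what keeps the key from being readable by other local accounts.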


Select Applications for Packet Capture
You can select certain applications and protocols for in-depth analysis of their corresponding packet capture
data. Identifying applications helps you locate suspicious data transfers, network policy violations, and
advanced attacks.

NOTE: To view a list of applications that NetMon currently supports, see the NetMon Supported
Applications document on the LogRhythm Community. Be sure to check for updates to this list with
each new release, as supported applications are added regularly.

1. On the top navigation bar, click Configuration, and then click the Capture tab.

NOTE: If nothing has been configured for packet capture, only “unknown” is displayed in the list.

2. Specify that NetMon captures packets for all applications, or select a limited amount of applications
from the list.

NOTE: To get started, it is recommended to add just a few protocols such as “http” and “https,”
and then more later. For more information, see the NetMon online Help.

• To select individual applications or protocols for packet capture, set Capture All to OFF, and
then type characters in the Add field. As you type, the field auto-displays matching characters
from the application list. Select the application you want, and then click Add.
• To select all applications and protocols for packet capture, click the Capture All toggle switch
from OFF to ON.
• To exclude applications from being captured while Capture All is enabled, type characters in
the Exclude field. As you type, the field auto-displays matching characters from the application
list. Select the application you want to exclude, and then click Exclude.

NOTE: If you select Capture All and your traffic volume is extremely high (for example, the
system processes more than 750 flows per second), your NetMon appliance could run low
on disk space and drop packets. If this is the case, you should not select all applications.

3. Click Apply Changes.

NOTE: Packet capture must be enabled on the Engine tab before NetMon will start to capture and
analyze selected applications.


Integrate NetMon with LogRhythm SIEM
The LogRhythm SIEM, deployed separately, can process output from the NetMon appliance. The LogRhythm
SIEM is not required to use NetMon, but LogRhythm recommends their integration for enhanced data analysis.
By integrating both products, you can correlate activity across different log sources and applications, allowing
you to view relevant reports and receive alerts when issues arise.

For example, AI Engine rules such as “HTTP Over an Uncommon Port” create an alarm when web traffic is
seen communicating with a remote port not commonly associated with HTTP traffic. This alarm can be useful
for tracking unauthorized web application usage.

To integrate NetMon with the LogRhythm SIEM:

1. Enable the Syslog Agent:
a. Log in to the LogRhythm SIEM Console and open the Deployment Manager.
b. Click the System Monitor Agents tab.
c. Double-click the Agent that will receive Syslog output.
d. On the Syslog and Flow Settings tab, select the Enable Syslog Server check box.
e. Click Advanced, and then set the SyslogTCPPort to 514. Click OK.
f. Click OK.
2. Add the NetMon in the LogRhythm SIEM Console:
a. Log in to the LogRhythm SIEM Console and open the Deployment Manager.
b. Click the Network Monitors tab.
c. Right-click inside the Network Monitors table and then click New.
The Network Monitor Properties window appears.
d. Type a name for the NetMon, the management interface IP address, admin user name, and
API key.
e. Click Test and verify that the authentication is successful.
f. Click Apply.
g. Click OK.
3. Verify that the Agent is receiving Syslog output:
a. Click the Log Sources tab, and then click Refresh Log Sources.
b. The Pending New Log Source appears with the Log Host Name of the NetMon server.
c. Double-click the new log source.
d. In the Log Source Acceptance Properties window, change the Log Source Type to Syslog -
LogRhythm Network Monitor.
e. Select the Action check box.
f. Right-click the selected check box, click Actions, click Accept, and then click Defaults.

NOTE: Make sure that the NetMon server is set to the same time zone as the server
running the LogRhythm SysMon agent. The receiving SysMon agent includes its
own timestamp before sending Syslog to the LogRhythm SIEM’s Data Processor.


4. Make sure that log processing settings for NetMon’s log source type are set correctly:
a. Click the Log Processing Policies tab.
b. Under Log Source Type, search for Network Monitor. Double-click the row for the Network Monitor log processing policy.
c. Right-click the MPE Policy Editor, and then click Check All.
d. Right-click again, and then click Properties.
e. Verify that Disable Automatic Host Contextualization is selected, and that the Log should be forwarded as event check box is not selected. Click OK.


Check for Updates

After you start using NetMon, check for NetMon updates on a monthly basis. Updates are available on the
LogRhythm Community.

LogRhythm Support
The LogRhythm Community has the most current help documentation, software revisions, patches, and other
important information.

You can access the Community forum to:

• Post questions and follow support discussions
• Find Community Rules
• Access the latest LogRhythm software and Knowledge Base (KB) revisions and patches
• Access the LogRhythm product manuals
• Access LogRhythm configuration guides, Support Solutions, and other important LogRhythm documentation
• Access the LogRhythm Learning Center for web-based training
• Request support
• Review your support profile, history, and tickets

If you have not already registered, you must first sign up for an account on the Community. Click Not a
Member, and then complete the New Member Registration. Your registration confirmation is emailed to you.
Check your spam folder in case the approval email is not recognized.

If you are using a fully licensed version of NetMon and have any issues or require assistance with your
deployment, work with your Professional Services engineer or contact LogRhythm directly at:

• LogRhythm U.S.: +1 303.413.8745
• LogRhythm EMEA: +44 (0)1628.509.070
• LogRhythm APAC: +852.2297.2812


Appendix: Maintain a Minimal NetMon

A minimal-install NetMon system will quickly run out of disk space. Because you are not using this system for
production data, you can free up disk space by deleting logs, statistics, captured PCAPs, and indices.

NOTE: In the steps that follow, $ represents a Linux shell prompt. You do not need to type the $, only the
command that follows.

Clean Up Diagnostic Stats and Logs

From the Linux prompt:

1. Switch users to root:
$ sudo su
2. Clean up Cassandra diagnostic statistics (because these stats require lots of space, this step can
free up a significant amount of space on your system):
$ /usr/bin/rm -rf /var/lib/cassandra/data/DPI/Stat*
3. Delete log files and rolled logs:
$ /usr/bin/rm -rf /var/log/persistent/*.log
$ /usr/bin/rm -rf /var/log/persistent/*.gz
$ /usr/bin/rm -rf /var/log/probe/*.log
$ /usr/bin/rm -rf /var/log/probe/*.log.*
$ /usr/bin/rm -rf /var/log/probe/*.gz

(Optional) Clean Up PCAP Files

From the Linux prompt:

1. Switch users to root:
$ sudo su
2. To display partitions and drive space used, check which PCAP partitions exist:
$ df -h

NOTE: With the exception of especially large systems, this is usually only /pcap0. Look for drives
“mounted on” /pcapN, such as /pcap0, /pcap1, etc.

3. Navigate to the partition you want to clean up:
$ cd /pcap0/
4. Delete either individual folders or everything on the partition.
a. Delete individual folders (in this example, the folder is named “2018_02_21”):
$ rm -rf 2018_02_21
b. Delete everything on the partition:
$ rm -rf *


WARNING: Before running this command, make absolutely certain that you changed directories (cd) to a
PCAP partition such as pcap0. If you do not, you could irreparably damage your installation.
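As an added example (not from the LogRhythm guide), the following POSIX shell wrapper performs step 4a with the warning above enforced in code: it deletes a capture folder only when the partition argument is of the form /pcapN and df reports it as a mounted partition, and only when the folder name follows the guide's YYYY_MM_DD pattern. The function names, and the assumption that capture folders are named that way, are mine.

```shell
#!/bin/sh
# Guarded PCAP cleanup for a minimal NetMon install (added example,
# not part of the LogRhythm guide). Wraps "cd /pcapN; rm -rf <folder>"
# with checks so the deletion cannot land outside a PCAP partition.
# Assumption: capture folders are named like the guide's 2018_02_21.

# Succeed only if the argument is a partition path of the form /pcapN.
is_pcap_partition() {
    p="${1%/}"                       # tolerate a trailing slash, as in "cd /pcap0/"
    case "$p" in
        /pcap[0-9]|/pcap[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed only if the argument is a capture folder name like 2018_02_21
# (no slashes, no "..", nothing that could escape the partition).
is_capture_folder() {
    case "$1" in
        [0-9][0-9][0-9][0-9]_[0-9][0-9]_[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the validated full path of a capture folder, or fail.
pcap_folder_path() {
    is_pcap_partition "$1" || { echo "not a /pcapN partition: $1" >&2; return 1; }
    is_capture_folder "$2" || { echo "not a capture folder name: $2" >&2; return 1; }
    printf '%s/%s\n' "${1%/}" "$2"
}

# Delete one capture folder. Refuses unless the partition is actually
# mounted (the same fact the guide's "df -h" shows) and the folder exists.
clean_pcap_folder() {
    part="${1%/}"
    target=$(pcap_folder_path "$part" "$2") || return 1
    df -P "$part" 2>/dev/null | awk 'NR == 2 { print $6 }' | grep -qx "$part" \
        || { echo "$part is not a mounted partition, refusing" >&2; return 1; }
    [ -d "$target" ] || { echo "no such folder: $target" >&2; return 1; }
    rm -rf -- "$target"
}
```

Run as root, for example `clean_pcap_folder /pcap0 2018_02_21`; a wrong directory or a stray `*` is rejected instead of deleted.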

Restart NetMon
Restart the NetMon services:

$ systemctl restart netmon

Delete Indices in the NetMon Web Management Interface

1. Log in to the NetMon Web Management interface.
2. On the top navigation bar, click Configuration, and then click the Metadata tab.
3. Delete the events_ and network_ indices by clicking the trash can icon.
